From 2b8de74ff4c334c25e89988c4a401b24b5bcf03d Mon Sep 17 00:00:00 2001 From: Romain Francoise Date: Tue, 21 Oct 2014 19:28:38 +0200 Subject: Import upstream release 5.2.1 --- configure | 1038 ++++++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 826 insertions(+), 212 deletions(-) (limited to 'configure') diff --git a/configure b/configure index a2004a8da..ee7d4cb05 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for strongSwan 5.2.0. +# Generated by GNU Autoconf 2.69 for strongSwan 5.2.1. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.2.0' -PACKAGE_STRING='strongSwan 5.2.0' +PACKAGE_VERSION='5.2.1' +PACKAGE_STRING='strongSwan 5.2.1' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -633,6 +633,12 @@ am__EXEEXT_TRUE LTLIBOBJS LIBOBJS strongswan_options +USE_RUBY_GEMS_FALSE +USE_RUBY_GEMS_TRUE +USE_LEGACY_SYSTEMD_FALSE +USE_LEGACY_SYSTEMD_TRUE +USE_SYSTEMD_FALSE +USE_SYSTEMD_TRUE USE_SVC_FALSE USE_SVC_TRUE USE_SWANCTL_FALSE @@ -653,8 +659,6 @@ MONOLITHIC_FALSE MONOLITHIC_TRUE USE_TROUSERS_FALSE USE_TROUSERS_TRUE -USE_PTS_FALSE -USE_PTS_TRUE USE_IMCV_FALSE USE_IMCV_TRUE USE_RADIUS_FALSE @@ -843,6 +847,8 @@ USE_ERROR_NOTIFY_FALSE USE_ERROR_NOTIFY_TRUE USE_LOOKIP_FALSE USE_LOOKIP_TRUE +USE_EXT_AUTH_FALSE +USE_EXT_AUTH_TRUE USE_WHITELIST_FALSE USE_WHITELIST_TRUE USE_KERNEL_IPH_FALSE @@ -999,6 +1005,8 @@ attest_plugins pool_plugins starter_plugins charon_plugins +RUBYGEMDIR +GEM COVERAGE_LDFLAGS COVERAGE_CFLAGS GENHTML @@ -1025,6 +1033,12 @@ RUBYINCLUDE RUBY gtk_LIBS gtk_CFLAGS +json_LIBS +json_CFLAGS +systemd_journal_LIBS +systemd_journal_CFLAGS +systemd_daemon_LIBS +systemd_daemon_CFLAGS xml_LIBS xml_CFLAGS soup_LIBS @@ -1109,8 +1123,6 @@ charon_udp_port ipsecgroup ipsecuser systemdsystemunitdir -HAVE_SYSTEMD_FALSE -HAVE_SYSTEMD_TRUE fips_mode ipsec_script routing_table_prio @@ -1225,6 +1237,7 @@ with_capabilities with_mpz_powm_sec with_dev_headers with_printf_hooks +with_rubygemdir with_systemdsystemunitdir with_user with_group @@ -1295,6 +1308,7 @@ enable_eap_peap enable_eap_tnc enable_eap_dynamic enable_eap_radius +enable_ext_auth enable_ipseckey enable_keychain enable_pkcs11 @@ -1372,6 +1386,7 @@ enable_pki enable_scepclient enable_scripts enable_svc +enable_systemd enable_swanctl enable_tkm enable_bfd_backtraces @@ -1382,6 +1397,7 @@ enable_integrity_test enable_load_warning enable_mediation enable_unwind_backtraces +enable_ruby_gems enable_coverage enable_leak_detective enable_lock_profiler @@ -1417,6 +1433,12 @@ soup_CFLAGS soup_LIBS xml_CFLAGS xml_LIBS +systemd_daemon_CFLAGS +systemd_daemon_LIBS +systemd_journal_CFLAGS +systemd_journal_LIBS +json_CFLAGS +json_LIBS gtk_CFLAGS gtk_LIBS maemo_CFLAGS @@ -1965,7 +1987,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.2.0 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.2.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2035,7 +2057,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.2.0:";; + short | recursive ) echo "Configuration of strongSwan 5.2.1:";; esac cat <<\_ACEOF @@ -2125,6 +2147,8 @@ Optional Features: --enable-eap-tnc enable EAP TNC trusted network connect module. --enable-eap-dynamic enable dynamic EAP proxy module. --enable-eap-radius enable RADIUS proxy authentication module. + --enable-ext-auth enable plugin calling an external authorization + script. --enable-ipseckey enable IPSECKEY authentication plugin. --enable-keychain enables OS X Keychain Services credential set. --enable-pkcs11 enables the PKCS11 token support plugin. @@ -2224,6 +2248,7 @@ Optional Features: --disable-scripts disable additional utilities (found in directory scripts). --enable-svc enable charon Windows service. + --enable-systemd enable systemd specific IKE daemon charon-systemd. --enable-swanctl enable swanctl configuration and control tool. --enable-tkm enable Trusted Key Manager support. --enable-bfd-backtraces use binutils libbfd to resolve backtraces for memory @@ -2241,6 +2266,7 @@ Optional Features: --enable-unwind-backtraces use libunwind to create backtraces for memory leaks and segfaults. + --enable-ruby-gems enable installation of provided ruby gems. --enable-coverage enable lcov coverage report generation. --enable-leak-detective enable malloc hooks to find memory leaks. --enable-lock-profiler enable lock/mutex profiling code. @@ -2315,6 +2341,8 @@ Optional Packages: --with-printf-hooks=arg force the use of a specific printf hook implementation (auto, builtin, glibc, vstr). (default: auto). + --with-rubygemdir=arg path to install ruby gems to (default: "gem + environment gemdir"). --with-systemdsystemunitdir=arg directory for systemd service files (default: $systemdsystemunitdir_default). @@ -2362,6 +2390,16 @@ Some influential environment variables: soup_LIBS linker flags for soup, overriding pkg-config xml_CFLAGS C compiler flags for xml, overriding pkg-config xml_LIBS linker flags for xml, overriding pkg-config + systemd_daemon_CFLAGS + C compiler flags for systemd_daemon, overriding pkg-config + systemd_daemon_LIBS + linker flags for systemd_daemon, overriding pkg-config + systemd_journal_CFLAGS + C compiler flags for systemd_journal, overriding pkg-config + systemd_journal_LIBS + linker flags for systemd_journal, overriding pkg-config + json_CFLAGS C compiler flags for json, overriding pkg-config + json_LIBS linker flags for json, overriding pkg-config gtk_CFLAGS C compiler flags for gtk, overriding pkg-config gtk_LIBS linker flags for gtk, overriding pkg-config maemo_CFLAGS @@ -2440,7 +2478,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.2.0 +strongSwan configure 5.2.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2962,7 +3000,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.2.0, which was +It was created by strongSwan $as_me 5.2.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3825,7 +3863,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.2.0' + VERSION='5.2.1' cat >>confdefs.h <<_ACEOF @@ -4547,6 +4585,16 @@ fi +# Check whether --with-rubygemdir was given. +if test "${with_rubygemdir+set}" = set; then : + withval=$with_rubygemdir; rubygemdir="$withval" +else + rubygemdir="gem environment gemdir" + +fi + + + if test -n "$PKG_CONFIG"; then systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd) fi @@ -4560,14 +4608,6 @@ else fi - if test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno; then - HAVE_SYSTEMD_TRUE= - HAVE_SYSTEMD_FALSE='#' -else - HAVE_SYSTEMD_TRUE='#' - HAVE_SYSTEMD_FALSE= -fi - @@ -5710,6 +5750,22 @@ fi disabled_by_default=${disabled_by_default}" eap_radius" +# Check whether --enable-ext-auth was given. +if test "${enable_ext_auth+set}" = set; then : + enableval=$enable_ext_auth; ext_auth_given=true + if test x$enableval = xyes; then + ext_auth=true + else + ext_auth=false + fi +else + ext_auth=false + ext_auth_given=false + +fi + + disabled_by_default=${disabled_by_default}" ext_auth" + # Check whether --enable-ipseckey was given. if test "${enable_ipseckey+set}" = set; then : enableval=$enable_ipseckey; ipseckey_given=true @@ -6948,6 +7004,22 @@ fi disabled_by_default=${disabled_by_default}" svc" +# Check whether --enable-systemd was given. +if test "${enable_systemd+set}" = set; then : + enableval=$enable_systemd; systemd_given=true + if test x$enableval = xyes; then + systemd=true + else + systemd=false + fi +else + systemd=false + systemd_given=false + +fi + + disabled_by_default=${disabled_by_default}" systemd" + # Check whether --enable-swanctl was given. if test "${enable_swanctl+set}" = set; then : enableval=$enable_swanctl; swanctl_given=true @@ -7109,6 +7181,22 @@ fi disabled_by_default=${disabled_by_default}" unwind_backtraces" +# Check whether --enable-ruby-gems was given. +if test "${enable_ruby_gems+set}" = set; then : + enableval=$enable_ruby_gems; ruby_gems_given=true + if test x$enableval = xyes; then + ruby_gems=true + else + ruby_gems=false + fi +else + ruby_gems=false + ruby_gems_given=false + +fi + + disabled_by_default=${disabled_by_default}" ruby_gems" + # compile options # Check whether --enable-coverage was given. if test "${enable_coverage+set}" = set; then : @@ -16952,10 +17040,6 @@ if test x$imc_test = xtrue -o x$imv_test = xtrue -o x$imc_scanner = xtrue -o x$i imcv=true; fi -if test x$imc_attestation = xtrue -o x$imv_attestation = xtrue -o x$imc_swid = xtrue -o x$imv_swid = xtrue; then - pts=true; -fi - if test x$fips_prf = xtrue; then if test x$openssl = xfalse; then sha1=true; @@ -17977,7 +18061,7 @@ else fi -for ac_header in sys/sockio.h glob.h net/if_tun.h linux/fib_rules.h +for ac_header in sys/sockio.h glob.h net/if_tun.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" @@ -18003,16 +18087,17 @@ fi done -for ac_header in netinet/ip6.h +for ac_header in netinet/ip6.h linux/fib_rules.h do : - ac_fn_c_check_header_compile "$LINENO" "netinet/ip6.h" "ac_cv_header_netinet_ip6_h" " + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" " #include #include " -if test "x$ac_cv_header_netinet_ip6_h" = xyes; then : +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF -#define HAVE_NETINET_IP6_H 1 +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi @@ -18117,6 +18202,34 @@ $as_echo "no" >&6; } fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for RTM_IFANNOUNCE" >&5 +$as_echo_n "checking for RTM_IFANNOUNCE... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + #include + #include +int +main () +{ +return RTM_IFANNOUNCE; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; }; + +$as_echo "#define HAVE_RTM_IFANNOUNCE /**/" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for IPSEC_MODE_BEET" >&5 $as_echo_n "checking for IPSEC_MODE_BEET... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext @@ -19047,119 +19160,125 @@ fi fi -if test x$tss = xtrousers; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -ltspi" >&5 -$as_echo_n "checking for main in -ltspi... " >&6; } -if ${ac_cv_lib_tspi_main+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ltspi $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ +if test x$systemd = xtrue; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for systemd system unit directory" >&5 +$as_echo_n "checking for systemd system unit directory... " >&6; } + if test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $systemdsystemunitdir" >&5 +$as_echo "$systemdsystemunitdir" >&6; } + else + as_fn_error $? "not found (try --with-systemdsystemunitdir)" "$LINENO" 5 + fi -int -main () -{ -return main (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_tspi_main=yes +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for systemd_daemon" >&5 +$as_echo_n "checking for systemd_daemon... " >&6; } + +if test -n "$systemd_daemon_CFLAGS"; then + pkg_cv_systemd_daemon_CFLAGS="$systemd_daemon_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_systemd_daemon_CFLAGS=`$PKG_CONFIG --cflags "libsystemd-daemon" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes else - ac_cv_lib_tspi_main=no + pkg_failed=yes fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS + else + pkg_failed=untried fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tspi_main" >&5 -$as_echo "$ac_cv_lib_tspi_main" >&6; } -if test "x$ac_cv_lib_tspi_main" = xyes; then : - LIBS="$LIBS" +if test -n "$systemd_daemon_LIBS"; then + pkg_cv_systemd_daemon_LIBS="$systemd_daemon_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_systemd_daemon_LIBS=`$PKG_CONFIG --libs "libsystemd-daemon" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes else - as_fn_error $? "TrouSerS library libtspi not found" "$LINENO" 5 + pkg_failed=yes fi - - ac_fn_c_check_header_mongrel "$LINENO" "trousers/tss.h" "ac_cv_header_trousers_tss_h" "$ac_includes_default" -if test "x$ac_cv_header_trousers_tss_h" = xyes; then : - -else - as_fn_error $? "TrouSerS header trousers/tss.h not found!" "$LINENO" 5 + else + pkg_failed=untried fi -$as_echo "#define TSS_TROUSERS /**/" >>confdefs.h +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no fi + if test $_pkg_short_errors_supported = yes; then + systemd_daemon_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd-daemon" 2>&1` + else + systemd_daemon_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd-daemon" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$systemd_daemon_PKG_ERRORS" >&5 -if test x$imv_swid = xtrue; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -ljson" >&5 -$as_echo_n "checking for main in -ljson... " >&6; } -if ${ac_cv_lib_json_main+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ljson $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ + as_fn_error $? "Package requirements (libsystemd-daemon) were not met: +$systemd_daemon_PKG_ERRORS -int -main () -{ -return main (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_json_main=yes -else - ac_cv_lib_json_main=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_json_main" >&5 -$as_echo "$ac_cv_lib_json_main" >&6; } -if test "x$ac_cv_lib_json_main" = xyes; then : - LIBS="$LIBS" -else - as_fn_error $? "JSON library libjson not found" "$LINENO" 5 -fi +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables systemd_daemon_CFLAGS +and systemd_daemon_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details." "$LINENO" 5 +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. - ac_fn_c_check_header_mongrel "$LINENO" "json/json.h" "ac_cv_header_json_json_h" "$ac_includes_default" -if test "x$ac_cv_header_json_json_h" = xyes; then : +Alternatively, you may set the environment variables systemd_daemon_CFLAGS +and systemd_daemon_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5; } else - as_fn_error $? "JSON header json/json.h not found!" "$LINENO" 5 + systemd_daemon_CFLAGS=$pkg_cv_systemd_daemon_CFLAGS + systemd_daemon_LIBS=$pkg_cv_systemd_daemon_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + fi -fi -if test x$dumm = xtrue; then pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gtk" >&5 -$as_echo_n "checking for gtk... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for systemd_journal" >&5 +$as_echo_n "checking for systemd_journal... " >&6; } -if test -n "$gtk_CFLAGS"; then - pkg_cv_gtk_CFLAGS="$gtk_CFLAGS" +if test -n "$systemd_journal_CFLAGS"; then + pkg_cv_systemd_journal_CFLAGS="$systemd_journal_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5 - ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-journal\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsystemd-journal") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_gtk_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 vte" 2>/dev/null` + pkg_cv_systemd_journal_CFLAGS=`$PKG_CONFIG --cflags "libsystemd-journal" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes @@ -19167,16 +19286,16 @@ fi else pkg_failed=untried fi -if test -n "$gtk_LIBS"; then - pkg_cv_gtk_LIBS="$gtk_LIBS" +if test -n "$systemd_journal_LIBS"; then + pkg_cv_systemd_journal_LIBS="$systemd_journal_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5 - ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-journal\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsystemd-journal") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_gtk_LIBS=`$PKG_CONFIG --libs "gtk+-2.0 vte" 2>/dev/null` + pkg_cv_systemd_journal_LIBS=`$PKG_CONFIG --libs "libsystemd-journal" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes @@ -19197,22 +19316,22 @@ else _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then - gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1` + systemd_journal_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd-journal" 2>&1` else - gtk_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1` + systemd_journal_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd-journal" 2>&1` fi # Put the nasty error message in config.log where it belongs - echo "$gtk_PKG_ERRORS" >&5 + echo "$systemd_journal_PKG_ERRORS" >&5 - as_fn_error $? "Package requirements (gtk+-2.0 vte) were not met: + as_fn_error $? "Package requirements (libsystemd-journal) were not met: -$gtk_PKG_ERRORS +$systemd_journal_PKG_ERRORS Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix. -Alternatively, you may set the environment variables gtk_CFLAGS -and gtk_LIBS to avoid the need to call pkg-config. +Alternatively, you may set the environment variables systemd_journal_CFLAGS +and systemd_journal_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details." "$LINENO" 5 elif test $pkg_failed = untried; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 @@ -19223,56 +19342,458 @@ as_fn_error $? "The pkg-config script could not be found or is too old. Make su is in your PATH or set the PKG_CONFIG environment variable to the full path to pkg-config. -Alternatively, you may set the environment variables gtk_CFLAGS -and gtk_LIBS to avoid the need to call pkg-config. +Alternatively, you may set the environment variables systemd_journal_CFLAGS +and systemd_journal_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details. To get pkg-config, see . See \`config.log' for more details" "$LINENO" 5; } else - gtk_CFLAGS=$pkg_cv_gtk_CFLAGS - gtk_LIBS=$pkg_cv_gtk_LIBS + systemd_journal_CFLAGS=$pkg_cv_systemd_journal_CFLAGS + systemd_journal_LIBS=$pkg_cv_systemd_journal_LIBS { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } fi - for ac_prog in ruby -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_RUBY+:} false; then : +fi + +if test x$tss = xtrousers; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -ltspi" >&5 +$as_echo_n "checking for main in -ltspi... " >&6; } +if ${ac_cv_lib_tspi_main+:} false; then : $as_echo_n "(cached) " >&6 else - if test -n "$RUBY"; then - ac_cv_prog_RUBY="$RUBY" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_RUBY="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS + ac_check_lib_save_LIBS=$LIBS +LIBS="-ltspi $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ +return main (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_tspi_main=yes +else + ac_cv_lib_tspi_main=no fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi -RUBY=$ac_cv_prog_RUBY -if test -n "$RUBY"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RUBY" >&5 -$as_echo "$RUBY" >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tspi_main" >&5 +$as_echo "$ac_cv_lib_tspi_main" >&6; } +if test "x$ac_cv_lib_tspi_main" = xyes; then : + LIBS="$LIBS" else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + as_fn_error $? "TrouSerS library libtspi not found" "$LINENO" 5 +fi + + ac_fn_c_check_header_mongrel "$LINENO" "trousers/tss.h" "ac_cv_header_trousers_tss_h" "$ac_includes_default" +if test "x$ac_cv_header_trousers_tss_h" = xyes; then : + +else + as_fn_error $? "TrouSerS header trousers/tss.h not found!" "$LINENO" 5 +fi + + + +$as_echo "#define TSS_TROUSERS /**/" >>confdefs.h + +fi + +if test x$imv_swid = xtrue; then + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for json" >&5 +$as_echo_n "checking for json... " >&6; } + +if test -n "$json_CFLAGS"; then + pkg_cv_json_CFLAGS="$json_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json-c\""; } >&5 + ($PKG_CONFIG --exists --print-errors "json-c") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_json_CFLAGS=`$PKG_CONFIG --cflags "json-c" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$json_LIBS"; then + pkg_cv_json_LIBS="$json_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json-c\""; } >&5 + ($PKG_CONFIG --exists --print-errors "json-c") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_json_LIBS=`$PKG_CONFIG --libs "json-c" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + json_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "json-c" 2>&1` + else + json_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "json-c" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$json_PKG_ERRORS" >&5 + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for json" >&5 +$as_echo_n "checking for json... " >&6; } + +if test -n "$json_CFLAGS"; then + pkg_cv_json_CFLAGS="$json_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json\""; } >&5 + ($PKG_CONFIG --exists --print-errors "json") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_json_CFLAGS=`$PKG_CONFIG --cflags "json" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$json_LIBS"; then + pkg_cv_json_LIBS="$json_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json\""; } >&5 + ($PKG_CONFIG --exists --print-errors "json") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_json_LIBS=`$PKG_CONFIG --libs "json" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + json_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "json" 2>&1` + else + json_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "json" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$json_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements (json) were not met: + +$json_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables json_CFLAGS +and json_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details." "$LINENO" 5 +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +Alternatively, you may set the environment variables json_CFLAGS +and json_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5; } +else + json_CFLAGS=$pkg_cv_json_CFLAGS + json_LIBS=$pkg_cv_json_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +fi +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for json" >&5 +$as_echo_n "checking for json... " >&6; } + +if test -n "$json_CFLAGS"; then + pkg_cv_json_CFLAGS="$json_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json\""; } >&5 + ($PKG_CONFIG --exists --print-errors "json") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_json_CFLAGS=`$PKG_CONFIG --cflags "json" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$json_LIBS"; then + pkg_cv_json_LIBS="$json_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"json\""; } >&5 + ($PKG_CONFIG --exists --print-errors "json") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_json_LIBS=`$PKG_CONFIG --libs "json" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + json_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "json" 2>&1` + else + json_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "json" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$json_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements (json) were not met: + +$json_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables json_CFLAGS +and json_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details." "$LINENO" 5 +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +Alternatively, you may set the environment variables json_CFLAGS +and json_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5; } +else + json_CFLAGS=$pkg_cv_json_CFLAGS + json_LIBS=$pkg_cv_json_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +fi +else + json_CFLAGS=$pkg_cv_json_CFLAGS + json_LIBS=$pkg_cv_json_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +fi + + +fi + +if test x$dumm = xtrue; then + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gtk" >&5 +$as_echo_n "checking for gtk... " >&6; } + +if test -n "$gtk_CFLAGS"; then + pkg_cv_gtk_CFLAGS="$gtk_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5 + ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_gtk_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 vte" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$gtk_LIBS"; then + pkg_cv_gtk_LIBS="$gtk_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5 + ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_gtk_LIBS=`$PKG_CONFIG --libs "gtk+-2.0 vte" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1` + else + gtk_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gtk+-2.0 vte" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$gtk_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements (gtk+-2.0 vte) were not met: + +$gtk_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables gtk_CFLAGS +and gtk_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details." "$LINENO" 5 +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +Alternatively, you may set the environment variables gtk_CFLAGS +and gtk_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5; } +else + gtk_CFLAGS=$pkg_cv_gtk_CFLAGS + gtk_LIBS=$pkg_cv_gtk_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +fi + + + for ac_prog in ruby +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_RUBY+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$RUBY"; then + ac_cv_prog_RUBY="$RUBY" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_RUBY="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +RUBY=$ac_cv_prog_RUBY +if test -n "$RUBY"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RUBY" >&5 +$as_echo "$RUBY" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -20753,6 +21274,58 @@ $as_echo "$as_me: coverage enabled, adding \"-g -O0\" to CFLAGS" >&6;} CFLAGS="${CFLAGS} -g -O0" fi +if test x$ruby_gems = xtrue; then + # Extract the first word of "gem", so it can be a program name with args. +set dummy gem; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_GEM+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $GEM in + [\\/]* | ?:[\\/]*) + ac_cv_path_GEM="$GEM" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin" +for as_dir in $as_dummy +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_GEM="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +GEM=$ac_cv_path_GEM +if test -n "$GEM"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GEM" >&5 +$as_echo "$GEM" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test x$GEM = x; then + as_fn_error $? "RubyGems package manager not found" "$LINENO" 5 + fi + if test "x$rubygemdir" = "xgem environment gemdir"; then + rubygemdir=$($GEM environment gemdir) + fi + RUBYGEMDIR="$rubygemdir" + +fi + # =============================================== # collect plugin list for strongSwan components # =============================================== @@ -20792,35 +21365,6 @@ if test x$test_vectors = xtrue; then fi -if test x$curl = xtrue; then - s_plugins=${s_plugins}" curl" - charon_plugins=${charon_plugins}" curl" - scepclient_plugins=${scepclient_plugins}" curl" - pki_plugins=${pki_plugins}" curl" - scripts_plugins=${scripts_plugins}" curl" - nm_plugins=${nm_plugins}" curl" - cmd_plugins=${cmd_plugins}" curl" - - fi - -if test x$winhttp = xtrue; then - s_plugins=${s_plugins}" winhttp" - charon_plugins=${charon_plugins}" winhttp" - pki_plugins=${pki_plugins}" winhttp" - scripts_plugins=${scripts_plugins}" winhttp" - - fi - -if test x$soup = xtrue; then - s_plugins=${s_plugins}" soup" - charon_plugins=${charon_plugins}" soup" - pki_plugins=${pki_plugins}" soup" - scripts_plugins=${scripts_plugins}" soup" - nm_plugins=${nm_plugins}" soup" - cmd_plugins=${cmd_plugins}" soup" - - fi - if test x$unbound = xtrue; then s_plugins=${s_plugins}" unbound" charon_plugins=${charon_plugins}" unbound" @@ -21292,6 +21836,35 @@ if test x$ntru = xtrue; then fi +if test x$curl = xtrue; then + s_plugins=${s_plugins}" curl" + charon_plugins=${charon_plugins}" curl" + scepclient_plugins=${scepclient_plugins}" curl" + pki_plugins=${pki_plugins}" curl" + scripts_plugins=${scripts_plugins}" curl" + nm_plugins=${nm_plugins}" curl" + cmd_plugins=${cmd_plugins}" curl" + + fi + +if test x$winhttp = xtrue; then + s_plugins=${s_plugins}" winhttp" + charon_plugins=${charon_plugins}" winhttp" + pki_plugins=${pki_plugins}" winhttp" + scripts_plugins=${scripts_plugins}" winhttp" + + fi + +if test x$soup = xtrue; then + s_plugins=${s_plugins}" soup" + charon_plugins=${charon_plugins}" soup" + pki_plugins=${pki_plugins}" soup" + scripts_plugins=${scripts_plugins}" soup" + nm_plugins=${nm_plugins}" soup" + cmd_plugins=${cmd_plugins}" soup" + + fi + if test x$attr = xtrue; then h_plugins=${h_plugins}" attr" charon_plugins=${charon_plugins}" attr" @@ -21664,6 +22237,12 @@ if test x$whitelist = xtrue; then fi +if test x$ext_auth = xtrue; then + c_plugins=${c_plugins}" ext-auth" + charon_plugins=${charon_plugins}" ext-auth" + + fi + if test x$lookip = xtrue; then c_plugins=${c_plugins}" lookip" charon_plugins=${charon_plugins}" lookip" @@ -22330,6 +22909,14 @@ else USE_WHITELIST_FALSE= fi + if test x$ext_auth = xtrue; then + USE_EXT_AUTH_TRUE= + USE_EXT_AUTH_FALSE='#' +else + USE_EXT_AUTH_TRUE='#' + USE_EXT_AUTH_FALSE= +fi + if test x$lookip = xtrue; then USE_LOOKIP_TRUE= USE_LOOKIP_FALSE='#' @@ -22960,7 +23547,7 @@ else USE_CONFTEST_FALSE= fi - if test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue; then + if test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue; then USE_LIBSTRONGSWAN_TRUE= USE_LIBSTRONGSWAN_FALSE='#' else @@ -22968,7 +23555,7 @@ else USE_LIBSTRONGSWAN_FALSE= fi - if test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue; then + if test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue; then USE_LIBHYDRA_TRUE= USE_LIBHYDRA_FALSE='#' else @@ -22976,7 +23563,7 @@ else USE_LIBHYDRA_FALSE= fi - if test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue; then + if test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue; then USE_LIBCHARON_TRUE= USE_LIBCHARON_FALSE='#' else @@ -23088,14 +23675,6 @@ else USE_IMCV_FALSE= fi - if test x$pts = xtrue; then - USE_PTS_TRUE= - USE_PTS_FALSE='#' -else - USE_PTS_TRUE='#' - USE_PTS_FALSE= -fi - if test x$tss = xtrousers -o x$aikgen = xtrue; then USE_TROUSERS_TRUE= USE_TROUSERS_FALSE='#' @@ -23176,6 +23755,30 @@ else USE_SVC_FALSE= fi + if test x$systemd = xtrue; then + USE_SYSTEMD_TRUE= + USE_SYSTEMD_FALSE='#' +else + USE_SYSTEMD_TRUE='#' + USE_SYSTEMD_FALSE= +fi + + if test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno; then + USE_LEGACY_SYSTEMD_TRUE= + USE_LEGACY_SYSTEMD_FALSE='#' +else + USE_LEGACY_SYSTEMD_TRUE='#' + USE_LEGACY_SYSTEMD_FALSE= +fi + + if test x$ruby_gems = xtrue; then + USE_RUBY_GEMS_TRUE= + USE_RUBY_GEMS_FALSE='#' +else + USE_RUBY_GEMS_TRUE='#' + USE_RUBY_GEMS_FALSE= +fi + # ======================== # set global definitions @@ -23259,7 +23862,7 @@ fi # build Makefiles # ================= -ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libpts/plugins/imc_swid/Makefile src/libpts/plugins/imv_swid/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" # ================= @@ -23394,10 +23997,6 @@ else am__EXEEXT_FALSE= fi -if test -z "${HAVE_SYSTEMD_TRUE}" && test -z "${HAVE_SYSTEMD_FALSE}"; then - as_fn_error $? "conditional \"HAVE_SYSTEMD\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then as_fn_error $? "conditional \"AMDEP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -23699,6 +24298,10 @@ if test -z "${USE_WHITELIST_TRUE}" && test -z "${USE_WHITELIST_FALSE}"; then as_fn_error $? "conditional \"USE_WHITELIST\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_EXT_AUTH_TRUE}" && test -z "${USE_EXT_AUTH_FALSE}"; then + as_fn_error $? "conditional \"USE_EXT_AUTH\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_LOOKIP_TRUE}" && test -z "${USE_LOOKIP_FALSE}"; then as_fn_error $? "conditional \"USE_LOOKIP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -24075,10 +24678,6 @@ if test -z "${USE_IMCV_TRUE}" && test -z "${USE_IMCV_FALSE}"; then as_fn_error $? "conditional \"USE_IMCV\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${USE_PTS_TRUE}" && test -z "${USE_PTS_FALSE}"; then - as_fn_error $? "conditional \"USE_PTS\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi if test -z "${USE_TROUSERS_TRUE}" && test -z "${USE_TROUSERS_FALSE}"; then as_fn_error $? "conditional \"USE_TROUSERS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -24119,6 +24718,18 @@ if test -z "${USE_SVC_TRUE}" && test -z "${USE_SVC_FALSE}"; then as_fn_error $? "conditional \"USE_SVC\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_SYSTEMD_TRUE}" && test -z "${USE_SYSTEMD_FALSE}"; then + as_fn_error $? "conditional \"USE_SYSTEMD\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${USE_LEGACY_SYSTEMD_TRUE}" && test -z "${USE_LEGACY_SYSTEMD_FALSE}"; then + as_fn_error $? "conditional \"USE_LEGACY_SYSTEMD\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${USE_RUBY_GEMS_TRUE}" && test -z "${USE_RUBY_GEMS_FALSE}"; then + as_fn_error $? "conditional \"USE_RUBY_GEMS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi : "${CONFIG_STATUS=./config.status}" ac_write_fail=0 @@ -24516,7 +25127,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.2.0, which was +This file was extended by strongSwan $as_me 5.2.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -24582,7 +25193,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 5.2.0 +strongSwan config.status 5.2.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -24996,6 +25607,7 @@ do "man/Makefile") CONFIG_FILES="$CONFIG_FILES man/Makefile" ;; "init/Makefile") CONFIG_FILES="$CONFIG_FILES init/Makefile" ;; "init/systemd/Makefile") CONFIG_FILES="$CONFIG_FILES init/systemd/Makefile" ;; + "init/systemd-swanctl/Makefile") CONFIG_FILES="$CONFIG_FILES init/systemd-swanctl/Makefile" ;; "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;; "src/include/Makefile") CONFIG_FILES="$CONFIG_FILES src/include/Makefile" ;; "src/libstrongswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/Makefile" ;; @@ -25069,11 +25681,6 @@ do "src/libtnccs/plugins/tnccs_20/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtnccs/plugins/tnccs_20/Makefile" ;; "src/libtnccs/plugins/tnccs_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtnccs/plugins/tnccs_dynamic/Makefile" ;; "src/libpttls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpttls/Makefile" ;; - "src/libpts/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/Makefile" ;; - "src/libpts/plugins/imc_attestation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/plugins/imc_attestation/Makefile" ;; - "src/libpts/plugins/imv_attestation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/plugins/imv_attestation/Makefile" ;; - "src/libpts/plugins/imc_swid/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/plugins/imc_swid/Makefile" ;; - "src/libpts/plugins/imv_swid/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpts/plugins/imv_swid/Makefile" ;; "src/libimcv/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/Makefile" ;; "src/libimcv/plugins/imc_test/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_test/Makefile" ;; "src/libimcv/plugins/imv_test/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_test/Makefile" ;; @@ -25081,11 +25688,16 @@ do "src/libimcv/plugins/imv_scanner/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_scanner/Makefile" ;; "src/libimcv/plugins/imc_os/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_os/Makefile" ;; "src/libimcv/plugins/imv_os/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_os/Makefile" ;; + "src/libimcv/plugins/imc_attestation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_attestation/Makefile" ;; + "src/libimcv/plugins/imv_attestation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_attestation/Makefile" ;; + "src/libimcv/plugins/imc_swid/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imc_swid/Makefile" ;; + "src/libimcv/plugins/imv_swid/Makefile") CONFIG_FILES="$CONFIG_FILES src/libimcv/plugins/imv_swid/Makefile" ;; "src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;; "src/charon-nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-nm/Makefile" ;; "src/charon-tkm/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-tkm/Makefile" ;; "src/charon-cmd/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-cmd/Makefile" ;; "src/charon-svc/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-svc/Makefile" ;; + "src/charon-systemd/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon-systemd/Makefile" ;; "src/libcharon/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/Makefile" ;; "src/libcharon/plugins/eap_aka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka/Makefile" ;; "src/libcharon/plugins/eap_aka_3gpp2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_aka_3gpp2/Makefile" ;; @@ -25129,6 +25741,7 @@ do "src/libcharon/plugins/kernel_wfp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_wfp/Makefile" ;; "src/libcharon/plugins/kernel_iph/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_iph/Makefile" ;; "src/libcharon/plugins/whitelist/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/whitelist/Makefile" ;; + "src/libcharon/plugins/ext_auth/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ext_auth/Makefile" ;; "src/libcharon/plugins/lookip/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/lookip/Makefile" ;; "src/libcharon/plugins/error_notify/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/error_notify/Makefile" ;; "src/libcharon/plugins/certexpire/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/certexpire/Makefile" ;; @@ -25143,6 +25756,7 @@ do "src/libcharon/plugins/maemo/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/maemo/Makefile" ;; "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;; "src/libcharon/plugins/vici/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/Makefile" ;; + "src/libcharon/plugins/vici/ruby/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/ruby/Makefile" ;; "src/libcharon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/updown/Makefile" ;; "src/libcharon/plugins/dhcp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/dhcp/Makefile" ;; "src/libcharon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/unit_tester/Makefile" ;; -- cgit v1.2.3 From 83b8aebb19fe6e49e13a05d4e8f5ab9a06177642 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Sat, 11 Apr 2015 22:03:59 +0200 Subject: Imported Upstream version 5.3.0 --- Android.common.mk | 2 +- Doxyfile.in | 2 +- Makefile.am | 2 +- Makefile.in | 7 +- NEWS | 83 + conf/Makefile.am | 3 + conf/Makefile.in | 8 + conf/options/charon.conf | 13 + conf/options/charon.opt | 32 + conf/plugins/bliss.conf | 11 + conf/plugins/bliss.opt | 2 + conf/plugins/forecast.conf | 17 + conf/plugins/forecast.opt | 29 + conf/plugins/imc-attestation.opt | 18 + conf/plugins/imv-attestation.opt | 18 - conf/plugins/kernel-netlink.conf | 21 + conf/plugins/kernel-netlink.opt | 32 + conf/plugins/kernel-pfkey.conf | 11 + conf/plugins/kernel-pfkey.opt | 7 + conf/plugins/tnccs-20.conf | 13 + conf/plugins/tnccs-20.opt | 9 + conf/strongswan.conf.5.main | 125 +- configure | 584 +++++- configure.ac | 77 +- init/Makefile.in | 5 + init/systemd-swanctl/Makefile.in | 5 + init/systemd/Makefile.in | 5 + man/Makefile.in | 5 + man/ipsec.conf.5.in | 145 +- scripts/Makefile.in | 5 + scripts/dh_speed.c | 10 +- src/Makefile.am | 2 +- src/Makefile.in | 13 +- src/_copyright/Makefile.in | 5 + src/_updown/Makefile.am | 1 - src/_updown/Makefile.in | 76 +- src/_updown/_updown.8 | 16 - src/_updown/_updown.in | 201 +- src/_updown_espmark/Makefile.am | 2 - src/_updown_espmark/Makefile.in | 652 ------ src/_updown_espmark/_updown_espmark | 438 ---- src/_updown_espmark/_updown_espmark.8 | 15 - src/aikgen/Makefile.in | 5 + src/charon-cmd/Makefile.in | 5 + src/charon-nm/Makefile.in | 5 + src/charon-nm/nm/nm_backend.c | 6 +- src/charon-nm/nm/nm_handler.c | 5 +- src/charon-svc/Makefile.in | 5 + src/charon-systemd/Makefile.in | 5 + src/charon-systemd/charon-systemd.c | 28 +- src/charon-tkm/Makefile.in | 5 + src/charon-tkm/src/charon-tkm.c | 4 + src/charon-tkm/src/ees/ees_callbacks.c | 22 +- src/charon-tkm/src/tkm/tkm.c | 4 +- src/charon-tkm/src/tkm/tkm.h | 8 +- src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 15 +- src/charon-tkm/src/tkm/tkm_encoder.c~ | 106 + src/charon-tkm/src/tkm/tkm_id_manager.c | 2 +- src/charon-tkm/src/tkm/tkm_kernel_ipsec.c | 39 +- src/charon-tkm/src/tkm/tkm_kernel_sad.c | 66 +- src/charon-tkm/src/tkm/tkm_kernel_sad.h | 19 +- src/charon-tkm/src/tkm/tkm_keymat.c | 29 + src/charon-tkm/src/tkm/tkm_listener.c | 20 +- src/charon-tkm/tests/diffie_hellman_tests.c | 2 +- src/charon-tkm/tests/kernel_sad_tests.c | 40 +- src/charon-tkm/tests/keymat_tests.c | 4 +- src/charon-tkm/tests/tests.c | 4 +- src/charon/Makefile.in | 5 + src/checksum/Makefile.in | 5 + src/conftest/Makefile.in | 5 + src/conftest/actions.c | 16 +- src/dumm/Makefile.in | 5 + src/dumm/ext/dumm.c | 4 +- src/include/Makefile.in | 5 + src/ipsec/Makefile.in | 5 + src/ipsec/_ipsec.8 | 17 +- src/ipsec/_ipsec.8.in | 15 +- src/libcharon/Android.mk | 8 +- src/libcharon/Makefile.am | 54 +- src/libcharon/Makefile.in | 406 ++-- src/libcharon/attributes/attribute_handler.h | 76 + src/libcharon/attributes/attribute_manager.c | 347 ++++ src/libcharon/attributes/attribute_manager.h | 154 ++ src/libcharon/attributes/attribute_provider.h | 71 + src/libcharon/attributes/attributes.c | 114 + src/libcharon/attributes/attributes.h | 91 + src/libcharon/attributes/mem_pool.c | 735 +++++++ src/libcharon/attributes/mem_pool.h | 154 ++ src/libcharon/bus/bus.c | 28 + src/libcharon/bus/bus.h | 9 + src/libcharon/bus/listeners/listener.h | 11 + src/libcharon/config/ike_cfg.c | 17 +- src/libcharon/config/proposal.c | 2 + src/libcharon/control/controller.c | 44 +- src/libcharon/control/controller.h | 4 +- src/libcharon/daemon.c | 7 +- src/libcharon/daemon.h | 15 + src/libcharon/encoding/message.c | 16 +- src/libcharon/encoding/parser.c | 21 +- src/libcharon/encoding/parser.h | 12 +- src/libcharon/encoding/payloads/delete_payload.c | 15 + src/libcharon/encoding/payloads/delete_payload.h | 10 + .../encoding/payloads/encrypted_payload.c | 1 + src/libcharon/encoding/payloads/id_payload.c | 7 +- src/libcharon/encoding/payloads/ke_payload.c | 10 +- src/libcharon/encoding/payloads/ke_payload.h | 2 +- src/libcharon/encoding/payloads/notify_payload.c | 22 +- src/libcharon/encoding/payloads/notify_payload.h | 2 + src/libcharon/encoding/payloads/payload.c | 62 +- src/libcharon/encoding/payloads/payload.h | 3 +- .../encoding/payloads/proposal_substructure.c | 276 ++- src/libcharon/kernel/kernel_handler.c | 25 +- src/libcharon/plugins/addrblock/Makefile.in | 5 + src/libcharon/plugins/android_dns/Makefile.in | 5 + .../plugins/android_dns/android_dns_handler.c | 7 +- .../plugins/android_dns/android_dns_plugin.c | 9 +- src/libcharon/plugins/android_log/Makefile.in | 5 + src/libcharon/plugins/attr/Makefile.am | 19 + src/libcharon/plugins/attr/Makefile.in | 777 +++++++ src/libcharon/plugins/attr/attr_plugin.c | 109 + src/libcharon/plugins/attr/attr_plugin.h | 42 + src/libcharon/plugins/attr/attr_provider.c | 329 +++ src/libcharon/plugins/attr/attr_provider.h | 54 + src/libcharon/plugins/attr_sql/Makefile.am | 19 + src/libcharon/plugins/attr_sql/Makefile.in | 780 +++++++ src/libcharon/plugins/attr_sql/attr_sql_plugin.c | 129 ++ src/libcharon/plugins/attr_sql/attr_sql_plugin.h | 42 + src/libcharon/plugins/attr_sql/attr_sql_provider.c | 478 +++++ src/libcharon/plugins/attr_sql/attr_sql_provider.h | 50 + src/libcharon/plugins/certexpire/Makefile.in | 5 + src/libcharon/plugins/connmark/Makefile.am | 20 + src/libcharon/plugins/connmark/Makefile.in | 782 +++++++ src/libcharon/plugins/connmark/connmark_listener.c | 538 +++++ src/libcharon/plugins/connmark/connmark_listener.h | 49 + src/libcharon/plugins/connmark/connmark_plugin.c | 105 + src/libcharon/plugins/connmark/connmark_plugin.h | 42 + src/libcharon/plugins/coupling/Makefile.in | 5 + src/libcharon/plugins/dhcp/Makefile.in | 5 + src/libcharon/plugins/dhcp/dhcp_plugin.c | 9 +- src/libcharon/plugins/dhcp/dhcp_provider.c | 12 +- src/libcharon/plugins/dnscert/Makefile.in | 5 + src/libcharon/plugins/duplicheck/Makefile.in | 5 + src/libcharon/plugins/eap_aka/Makefile.in | 5 + src/libcharon/plugins/eap_aka_3gpp2/Makefile.in | 5 + src/libcharon/plugins/eap_dynamic/Makefile.in | 5 + src/libcharon/plugins/eap_gtc/Makefile.in | 5 + src/libcharon/plugins/eap_identity/Makefile.in | 5 + src/libcharon/plugins/eap_md5/Makefile.in | 5 + src/libcharon/plugins/eap_mschapv2/Makefile.in | 5 + src/libcharon/plugins/eap_peap/Makefile.in | 5 + src/libcharon/plugins/eap_radius/Makefile.in | 5 + .../plugins/eap_radius/eap_radius_accounting.c | 2 +- .../plugins/eap_radius/eap_radius_plugin.c | 23 +- .../plugins/eap_radius/eap_radius_provider.c | 24 +- src/libcharon/plugins/eap_sim/Makefile.in | 5 + src/libcharon/plugins/eap_sim_file/Makefile.in | 5 + src/libcharon/plugins/eap_sim_pcsc/Makefile.in | 5 + .../plugins/eap_simaka_pseudonym/Makefile.in | 5 + .../plugins/eap_simaka_reauth/Makefile.in | 5 + src/libcharon/plugins/eap_simaka_sql/Makefile.in | 5 + src/libcharon/plugins/eap_tls/Makefile.in | 5 + src/libcharon/plugins/eap_tls/eap_tls.c | 7 + src/libcharon/plugins/eap_tnc/Makefile.in | 5 + src/libcharon/plugins/eap_tnc/eap_tnc.c | 27 +- src/libcharon/plugins/eap_ttls/Makefile.in | 5 + src/libcharon/plugins/eap_ttls/eap_ttls.c | 7 + src/libcharon/plugins/error_notify/Makefile.in | 5 + src/libcharon/plugins/ext_auth/Makefile.in | 5 + src/libcharon/plugins/farp/Makefile.in | 5 + src/libcharon/plugins/forecast/Makefile.am | 21 + src/libcharon/plugins/forecast/Makefile.in | 784 +++++++ .../plugins/forecast/forecast_forwarder.c | 496 +++++ .../plugins/forecast/forecast_forwarder.h | 47 + src/libcharon/plugins/forecast/forecast_listener.c | 680 ++++++ src/libcharon/plugins/forecast/forecast_listener.h | 68 + src/libcharon/plugins/forecast/forecast_plugin.c | 118 ++ src/libcharon/plugins/forecast/forecast_plugin.h | 42 + src/libcharon/plugins/ha/Makefile.in | 5 + src/libcharon/plugins/ha/ha_attribute.c | 4 +- src/libcharon/plugins/ha/ha_cache.c | 29 +- src/libcharon/plugins/ha/ha_child.c | 4 +- src/libcharon/plugins/ha/ha_dispatcher.c | 15 +- src/libcharon/plugins/ha/ha_ike.c | 10 +- src/libcharon/plugins/ha/ha_plugin.c | 10 +- src/libcharon/plugins/ipseckey/Makefile.in | 5 + src/libcharon/plugins/kernel_iph/Makefile.in | 5 + src/libcharon/plugins/kernel_libipsec/Makefile.in | 5 + .../kernel_libipsec/kernel_libipsec_ipsec.c | 20 +- .../kernel_libipsec/kernel_libipsec_router.c | 110 +- src/libcharon/plugins/kernel_wfp/Makefile.in | 5 + .../plugins/kernel_wfp/kernel_wfp_compat.c | 36 + .../plugins/kernel_wfp/kernel_wfp_compat.h | 10 + .../plugins/kernel_wfp/kernel_wfp_ipsec.c | 258 ++- src/libcharon/plugins/led/Makefile.in | 5 + src/libcharon/plugins/load_tester/Makefile.in | 5 + .../plugins/load_tester/load_tester_config.c | 24 +- .../load_tester/load_tester_diffie_hellman.c | 51 +- .../plugins/load_tester/load_tester_ipsec.c | 8 +- src/libcharon/plugins/lookip/Makefile.in | 5 + src/libcharon/plugins/maemo/Makefile.in | 5 + src/libcharon/plugins/medcli/Makefile.in | 5 + src/libcharon/plugins/medsrv/Makefile.in | 5 + src/libcharon/plugins/osx_attr/Makefile.in | 5 + src/libcharon/plugins/osx_attr/osx_attr_handler.c | 6 +- src/libcharon/plugins/osx_attr/osx_attr_plugin.c | 9 +- src/libcharon/plugins/radattr/Makefile.in | 5 + src/libcharon/plugins/resolve/Makefile.am | 20 + src/libcharon/plugins/resolve/Makefile.in | 781 +++++++ src/libcharon/plugins/resolve/resolve_handler.c | 380 ++++ src/libcharon/plugins/resolve/resolve_handler.h | 49 + src/libcharon/plugins/resolve/resolve_plugin.c | 101 + src/libcharon/plugins/resolve/resolve_plugin.h | 42 + src/libcharon/plugins/smp/Makefile.in | 5 + src/libcharon/plugins/socket_default/Makefile.in | 5 + .../plugins/socket_default/socket_default_socket.c | 76 +- src/libcharon/plugins/socket_dynamic/Makefile.in | 5 + src/libcharon/plugins/socket_win/Makefile.in | 5 + src/libcharon/plugins/sql/Makefile.in | 5 + src/libcharon/plugins/stroke/Makefile.in | 5 + src/libcharon/plugins/stroke/stroke_attribute.c | 27 +- src/libcharon/plugins/stroke/stroke_ca.c | 81 +- src/libcharon/plugins/stroke/stroke_config.c | 74 +- src/libcharon/plugins/stroke/stroke_control.c | 8 +- src/libcharon/plugins/stroke/stroke_cred.c | 315 +-- src/libcharon/plugins/stroke/stroke_cred.h | 7 +- src/libcharon/plugins/stroke/stroke_handler.c | 3 +- src/libcharon/plugins/stroke/stroke_list.c | 16 +- src/libcharon/plugins/stroke/stroke_plugin.c | 1 + src/libcharon/plugins/stroke/stroke_socket.c | 13 +- src/libcharon/plugins/systime_fix/Makefile.in | 5 + src/libcharon/plugins/tnc_ifmap/Makefile.in | 5 + src/libcharon/plugins/tnc_pdp/Makefile.in | 5 + src/libcharon/plugins/tnc_pdp/tnc_pdp.c | 25 +- src/libcharon/plugins/uci/Makefile.in | 5 + src/libcharon/plugins/unit_tester/Makefile.am | 26 - src/libcharon/plugins/unit_tester/Makefile.in | 819 -------- src/libcharon/plugins/unit_tester/tests.h | 30 - .../plugins/unit_tester/tests/test_agent.c | 67 - .../plugins/unit_tester/tests/test_auth_info.c | 140 -- .../plugins/unit_tester/tests/test_cert.c | 108 - .../plugins/unit_tester/tests/test_curl.c | 44 - .../plugins/unit_tester/tests/test_med_db.c | 54 - .../plugins/unit_tester/tests/test_mysql.c | 89 - .../plugins/unit_tester/tests/test_pool.c | 100 - .../plugins/unit_tester/tests/test_sqlite.c | 93 - src/libcharon/plugins/unit_tester/unit_tester.c | 152 -- src/libcharon/plugins/unit_tester/unit_tester.h | 44 - src/libcharon/plugins/unity/Makefile.in | 5 + src/libcharon/plugins/unity/unity_handler.c | 29 +- src/libcharon/plugins/unity/unity_handler.h | 5 +- src/libcharon/plugins/unity/unity_narrow.c | 90 +- src/libcharon/plugins/unity/unity_plugin.c | 17 +- src/libcharon/plugins/unity/unity_provider.c | 6 +- src/libcharon/plugins/updown/Makefile.in | 5 + src/libcharon/plugins/updown/updown_handler.c | 57 +- src/libcharon/plugins/updown/updown_listener.c | 1 + src/libcharon/plugins/updown/updown_plugin.c | 9 +- src/libcharon/plugins/vici/Makefile.am | 4 + src/libcharon/plugins/vici/Makefile.in | 10 +- src/libcharon/plugins/vici/README.md | 97 +- src/libcharon/plugins/vici/libvici.c | 8 +- src/libcharon/plugins/vici/python/LICENSE | 19 + src/libcharon/plugins/vici/python/MANIFEST.in | 1 + src/libcharon/plugins/vici/python/Makefile.am | 33 + src/libcharon/plugins/vici/python/Makefile.in | 686 ++++++ src/libcharon/plugins/vici/python/setup.py.in | 34 + src/libcharon/plugins/vici/python/vici/__init__.py | 1 + src/libcharon/plugins/vici/python/vici/compat.py | 14 + .../plugins/vici/python/vici/exception.py | 10 + src/libcharon/plugins/vici/python/vici/protocol.py | 196 ++ src/libcharon/plugins/vici/python/vici/session.py | 327 +++ .../plugins/vici/python/vici/test/__init__.py | 0 .../plugins/vici/python/vici/test/test_protocol.py | 144 ++ src/libcharon/plugins/vici/ruby/Makefile.am | 6 +- src/libcharon/plugins/vici/ruby/Makefile.in | 11 +- src/libcharon/plugins/vici/ruby/lib/vici.rb | 30 +- src/libcharon/plugins/vici/ruby/vici.gemspec.in | 2 +- src/libcharon/plugins/vici/vici_attribute.c | 67 +- src/libcharon/plugins/vici/vici_builder.c | 79 +- src/libcharon/plugins/vici/vici_builder.h | 8 + src/libcharon/plugins/vici/vici_config.c | 51 +- src/libcharon/plugins/vici/vici_control.c | 4 +- src/libcharon/plugins/vici/vici_plugin.c | 9 +- src/libcharon/plugins/vici/vici_query.c | 17 +- src/libcharon/plugins/whitelist/Makefile.in | 5 + src/libcharon/plugins/xauth_eap/Makefile.in | 5 + src/libcharon/plugins/xauth_generic/Makefile.in | 5 + src/libcharon/plugins/xauth_noauth/Makefile.in | 5 + src/libcharon/plugins/xauth_pam/Makefile.in | 5 + src/libcharon/processing/jobs/adopt_children_job.c | 58 +- .../processing/jobs/delete_child_sa_job.c | 26 +- .../processing/jobs/delete_child_sa_job.h | 9 +- src/libcharon/processing/jobs/dpd_timeout_job.c | 6 + src/libcharon/processing/jobs/inactivity_job.c | 16 +- src/libcharon/processing/jobs/inactivity_job.h | 4 +- src/libcharon/processing/jobs/initiate_tasks_job.c | 96 + src/libcharon/processing/jobs/initiate_tasks_job.h | 49 + src/libcharon/processing/jobs/migrate_job.c | 62 +- src/libcharon/processing/jobs/migrate_job.h | 2 +- src/libcharon/processing/jobs/rekey_child_sa_job.c | 27 +- src/libcharon/processing/jobs/rekey_child_sa_job.h | 10 +- src/libcharon/processing/jobs/rekey_ike_sa_job.c | 3 +- src/libcharon/processing/jobs/update_sa_job.c | 33 +- src/libcharon/processing/jobs/update_sa_job.h | 8 +- src/libcharon/sa/authenticator.c | 9 +- src/libcharon/sa/authenticator.h | 10 + src/libcharon/sa/child_sa.c | 147 +- src/libcharon/sa/child_sa.h | 25 +- src/libcharon/sa/child_sa_manager.c | 333 +++ src/libcharon/sa/child_sa_manager.h | 89 + src/libcharon/sa/eap/eap_method.h | 12 + src/libcharon/sa/ike_sa.c | 82 +- src/libcharon/sa/ike_sa.h | 10 +- src/libcharon/sa/ike_sa_manager.c | 95 +- src/libcharon/sa/ike_sa_manager.h | 10 +- .../sa/ikev1/authenticators/psk_v1_authenticator.c | 10 +- .../ikev1/authenticators/pubkey_v1_authenticator.c | 11 +- src/libcharon/sa/ikev1/keymat_v1.c | 9 +- src/libcharon/sa/ikev1/phase1.c | 14 +- src/libcharon/sa/ikev1/task_manager_v1.c | 5 +- src/libcharon/sa/ikev1/tasks/isakmp_delete.c | 39 + src/libcharon/sa/ikev1/tasks/main_mode.c | 39 + src/libcharon/sa/ikev1/tasks/mode_config.c | 137 +- src/libcharon/sa/ikev1/tasks/quick_delete.c | 6 +- src/libcharon/sa/ikev1/tasks/quick_mode.c | 76 +- src/libcharon/sa/ikev1/tasks/quick_mode.h | 8 + .../sa/ikev2/authenticators/eap_authenticator.c | 7 + .../sa/ikev2/authenticators/pubkey_authenticator.c | 314 ++- src/libcharon/sa/ikev2/keymat_v2.c | 35 +- src/libcharon/sa/ikev2/keymat_v2.h | 18 +- src/libcharon/sa/ikev2/task_manager_v2.c | 113 +- src/libcharon/sa/ikev2/tasks/child_create.c | 84 +- src/libcharon/sa/ikev2/tasks/child_create.h | 8 + src/libcharon/sa/ikev2/tasks/child_delete.c | 4 +- src/libcharon/sa/ikev2/tasks/child_rekey.c | 10 +- src/libcharon/sa/ikev2/tasks/ike_cert_pre.c | 4 +- src/libcharon/sa/ikev2/tasks/ike_config.c | 19 +- src/libcharon/sa/ikev2/tasks/ike_init.c | 206 +- src/libcharon/sa/ikev2/tasks/ike_mobike.c | 27 +- src/libcharon/sa/ikev2/tasks/ike_reauth.h | 2 + src/libcharon/sa/ikev2/tasks/ike_reauth_complete.c | 102 + src/libcharon/sa/ikev2/tasks/ike_reauth_complete.h | 56 + src/libcharon/sa/ikev2/tasks/ike_rekey.c | 36 + src/libcharon/sa/task.c | 1 + src/libcharon/sa/task.h | 6 +- src/libcharon/sa/trap_manager.c | 11 +- src/libcharon/tests/Makefile.am | 21 + src/libcharon/tests/Makefile.in | 874 ++++++++ src/libcharon/tests/libcharon_tests.c | 56 + src/libcharon/tests/libcharon_tests.h | 16 + src/libcharon/tests/suites/test_mem_pool.c | 230 +++ src/libfast/Makefile.in | 5 + src/libhydra/Android.mk | 7 - src/libhydra/Makefile.am | 24 +- src/libhydra/Makefile.in | 73 +- src/libhydra/attributes/attribute_handler.h | 72 - src/libhydra/attributes/attribute_manager.c | 348 ---- src/libhydra/attributes/attribute_manager.h | 153 -- src/libhydra/attributes/attribute_provider.h | 71 - src/libhydra/attributes/attributes.c | 114 - src/libhydra/attributes/attributes.h | 91 - src/libhydra/attributes/mem_pool.c | 649 ------ src/libhydra/attributes/mem_pool.h | 146 -- src/libhydra/hydra.c | 4 - src/libhydra/hydra.h | 9 - src/libhydra/kernel/kernel_interface.c | 276 ++- src/libhydra/kernel/kernel_interface.h | 76 +- src/libhydra/kernel/kernel_ipsec.h | 28 +- src/libhydra/kernel/kernel_listener.h | 13 +- src/libhydra/plugins/attr/Makefile.am | 18 - src/libhydra/plugins/attr/Makefile.in | 771 ------- src/libhydra/plugins/attr/attr_plugin.c | 109 - src/libhydra/plugins/attr/attr_plugin.h | 42 - src/libhydra/plugins/attr/attr_provider.c | 329 --- src/libhydra/plugins/attr/attr_provider.h | 54 - src/libhydra/plugins/attr_sql/Makefile.am | 18 - src/libhydra/plugins/attr_sql/Makefile.in | 774 ------- src/libhydra/plugins/attr_sql/attr_sql_plugin.c | 129 -- src/libhydra/plugins/attr_sql/attr_sql_plugin.h | 42 - src/libhydra/plugins/attr_sql/sql_attribute.c | 475 ----- src/libhydra/plugins/attr_sql/sql_attribute.h | 50 - src/libhydra/plugins/kernel_netlink/Makefile.am | 21 + src/libhydra/plugins/kernel_netlink/Makefile.in | 267 ++- .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 299 ++- .../plugins/kernel_netlink/kernel_netlink_net.c | 46 +- .../plugins/kernel_netlink/kernel_netlink_shared.c | 477 ++++- .../plugins/kernel_netlink/kernel_netlink_shared.h | 4 +- .../plugins/kernel_netlink/suites/test_socket.c | 302 +++ src/libhydra/plugins/kernel_netlink/tests.c | 51 + src/libhydra/plugins/kernel_netlink/tests.h | 16 + src/libhydra/plugins/kernel_pfkey/Makefile.in | 5 + .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 112 +- src/libhydra/plugins/kernel_pfroute/Makefile.in | 5 + .../plugins/kernel_pfroute/kernel_pfroute_net.c | 9 + src/libhydra/plugins/resolve/Makefile.am | 19 - src/libhydra/plugins/resolve/Makefile.in | 775 ------- src/libhydra/plugins/resolve/resolve_handler.c | 377 ---- src/libhydra/plugins/resolve/resolve_handler.h | 49 - src/libhydra/plugins/resolve/resolve_plugin.c | 102 - src/libhydra/plugins/resolve/resolve_plugin.h | 42 - src/libhydra/tests/Makefile.am | 18 + src/libhydra/tests/Makefile.in | 839 ++++++++ src/libhydra/tests/hydra_tests.c | 53 + src/libhydra/tests/hydra_tests.h | 14 + src/libimcv/Makefile.am | 3 +- src/libimcv/Makefile.in | 11 +- src/libimcv/imv/data.sql | 155 ++ src/libimcv/imv/imv_agent.c | 76 +- src/libimcv/imv/imv_database.c | 111 +- src/libimcv/imv/imv_policy_manager.c | 76 +- src/libimcv/imv/imv_session.c | 33 +- src/libimcv/imv/imv_session.h | 14 +- src/libimcv/imv/imv_session_manager.c | 40 +- src/libimcv/imv/imv_session_manager.h | 7 +- src/libimcv/imv/tables-mysql.sql | 8 + src/libimcv/imv/tables.sql | 8 + src/libimcv/plugins/imc_attestation/Makefile.in | 5 + .../imc_attestation/imc_attestation_process.c | 12 +- src/libimcv/plugins/imc_os/Makefile.in | 5 + src/libimcv/plugins/imc_scanner/Makefile.in | 5 + src/libimcv/plugins/imc_swid/Makefile.in | 5 + src/libimcv/plugins/imc_test/Makefile.in | 5 + src/libimcv/plugins/imv_attestation/Makefile.in | 5 + src/libimcv/plugins/imv_attestation/attest_db.c | 18 +- .../plugins/imv_attestation/build-database.sh | 2 +- .../imv_attestation/imv_attestation_build.c | 6 +- .../imv_attestation/imv_attestation_process.c | 8 +- src/libimcv/plugins/imv_os/Makefile.in | 5 + src/libimcv/plugins/imv_scanner/Makefile.in | 5 + src/libimcv/plugins/imv_swid/Makefile.in | 5 + src/libimcv/plugins/imv_test/Makefile.in | 5 + src/libimcv/pts/components/ita/ita_comp_tboot.c | 9 +- src/libimcv/pts/pts.c | 18 +- src/libimcv/pts/pts.h | 6 +- src/libimcv/seg/seg_env.c | 3 +- src/libimcv/seg/seg_env.h | 2 +- src/libimcv/suites/test_imcv_seg.c | 12 +- src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c | 3 +- src/libipsec/Makefile.in | 5 + src/libipsec/ip_packet.c | 2 +- src/libipsec/ipsec_event_listener.h | 6 +- src/libipsec/ipsec_event_relay.c | 34 +- src/libipsec/ipsec_event_relay.h | 6 +- src/libipsec/ipsec_sa.c | 11 +- src/libipsec/ipsec_sa.h | 6 +- src/libipsec/ipsec_sa_mgr.c | 14 +- src/libipsec/ipsec_sa_mgr.h | 9 +- src/libpttls/Makefile.in | 5 + src/libradius/Makefile.in | 5 + src/libradius/radius_socket.c | 87 +- src/libsimaka/Makefile.in | 5 + src/libstrongswan/Android.mk | 2 + src/libstrongswan/Makefile.am | 29 +- src/libstrongswan/Makefile.in | 190 +- src/libstrongswan/asn1/oid.c | 518 ++--- src/libstrongswan/asn1/oid.h | 199 +- src/libstrongswan/asn1/oid.txt | 22 + src/libstrongswan/credentials/auth_cfg.c | 60 +- src/libstrongswan/credentials/auth_cfg.h | 4 +- src/libstrongswan/credentials/cred_encoding.h | 4 + src/libstrongswan/credentials/credential_manager.c | 3 + src/libstrongswan/credentials/keys/public_key.c | 168 +- src/libstrongswan/credentials/keys/public_key.h | 41 +- src/libstrongswan/credentials/sets/cert_cache.c | 17 +- src/libstrongswan/credentials/sets/mem_cred.c | 19 + src/libstrongswan/credentials/sets/mem_cred.h | 12 + src/libstrongswan/crypto/crypters/crypter.c | 7 + src/libstrongswan/crypto/crypto_tester.c | 27 +- src/libstrongswan/crypto/diffie_hellman.c | 87 +- src/libstrongswan/crypto/diffie_hellman.h | 30 +- .../crypto/hashers/hash_algorithm_set.c | 113 + .../crypto/hashers/hash_algorithm_set.h | 76 + src/libstrongswan/crypto/hashers/hasher.c | 102 +- src/libstrongswan/crypto/hashers/hasher.h | 40 +- src/libstrongswan/crypto/mgf1/mgf1.c | 180 ++ src/libstrongswan/crypto/mgf1/mgf1.h | 77 + src/libstrongswan/crypto/mgf1/mgf1_bitspender.c | 208 ++ src/libstrongswan/crypto/mgf1/mgf1_bitspender.h | 67 + src/libstrongswan/crypto/pkcs5.c | 32 +- src/libstrongswan/ipsec/ipsec_types.c | 10 +- src/libstrongswan/ipsec/ipsec_types.h | 4 +- src/libstrongswan/library.h | 3 + src/libstrongswan/networking/host.c | 38 +- src/libstrongswan/networking/host.h | 21 +- src/libstrongswan/networking/host_resolver.c | 17 +- src/libstrongswan/networking/tun_device.c | 25 +- src/libstrongswan/networking/tun_device.h | 4 +- src/libstrongswan/plugins/acert/Makefile.in | 5 + src/libstrongswan/plugins/aes/Makefile.in | 5 + src/libstrongswan/plugins/af_alg/Makefile.in | 5 + src/libstrongswan/plugins/af_alg/af_alg_prf.c | 1 + src/libstrongswan/plugins/af_alg/af_alg_signer.c | 1 + src/libstrongswan/plugins/agent/Makefile.in | 5 + src/libstrongswan/plugins/bliss/Makefile.am | 54 + src/libstrongswan/plugins/bliss/Makefile.in | 862 ++++++++ src/libstrongswan/plugins/bliss/bliss_bitpacker.c | 207 ++ src/libstrongswan/plugins/bliss/bliss_bitpacker.h | 85 + src/libstrongswan/plugins/bliss/bliss_fft.c | 199 ++ src/libstrongswan/plugins/bliss/bliss_fft.h | 71 + src/libstrongswan/plugins/bliss/bliss_fft_params.c | 215 ++ src/libstrongswan/plugins/bliss/bliss_fft_params.h | 75 + src/libstrongswan/plugins/bliss/bliss_huffman.c | 433 ++++ .../plugins/bliss/bliss_huffman_code.c | 42 + .../plugins/bliss/bliss_huffman_code.h | 80 + .../plugins/bliss/bliss_huffman_code_1.c | 160 ++ .../plugins/bliss/bliss_huffman_code_3.c | 261 +++ .../plugins/bliss/bliss_huffman_code_4.c | 435 ++++ .../plugins/bliss/bliss_huffman_coder.c | 138 ++ .../plugins/bliss/bliss_huffman_coder.h | 77 + src/libstrongswan/plugins/bliss/bliss_param_set.c | 339 +++ src/libstrongswan/plugins/bliss/bliss_param_set.h | 201 ++ src/libstrongswan/plugins/bliss/bliss_plugin.c | 101 + src/libstrongswan/plugins/bliss/bliss_plugin.h | 42 + .../plugins/bliss/bliss_private_key.c | 1316 ++++++++++++ .../plugins/bliss/bliss_private_key.h | 62 + src/libstrongswan/plugins/bliss/bliss_public_key.c | 515 +++++ src/libstrongswan/plugins/bliss/bliss_public_key.h | 101 + src/libstrongswan/plugins/bliss/bliss_sampler.c | 250 +++ src/libstrongswan/plugins/bliss/bliss_sampler.h | 94 + src/libstrongswan/plugins/bliss/bliss_signature.c | 233 +++ src/libstrongswan/plugins/bliss/bliss_signature.h | 75 + src/libstrongswan/plugins/bliss/bliss_utils.c | 167 ++ src/libstrongswan/plugins/bliss/bliss_utils.h | 70 + src/libstrongswan/plugins/bliss/tests/Makefile.am | 27 + src/libstrongswan/plugins/bliss/tests/Makefile.in | 985 +++++++++ .../plugins/bliss/tests/bliss_tests.c | 60 + .../plugins/bliss/tests/bliss_tests.h | 23 + .../bliss/tests/suites/test_bliss_bitpacker.c | 112 + .../plugins/bliss/tests/suites/test_bliss_fft.c | 110 + .../bliss/tests/suites/test_bliss_huffman.c | 122 ++ .../plugins/bliss/tests/suites/test_bliss_keys.c | 249 +++ .../bliss/tests/suites/test_bliss_sampler.c | 97 + .../plugins/bliss/tests/suites/test_bliss_sign.c | 211 ++ .../bliss/tests/suites/test_bliss_signature.c | 141 ++ src/libstrongswan/plugins/blowfish/Makefile.in | 5 + src/libstrongswan/plugins/ccm/Makefile.in | 5 + src/libstrongswan/plugins/cmac/Makefile.in | 5 + src/libstrongswan/plugins/cmac/cmac.c | 3 + src/libstrongswan/plugins/constraints/Makefile.in | 5 + .../plugins/constraints/constraints_validator.c | 217 +- src/libstrongswan/plugins/ctr/Makefile.in | 5 + src/libstrongswan/plugins/curl/Makefile.in | 5 + src/libstrongswan/plugins/des/Makefile.in | 5 + src/libstrongswan/plugins/dnskey/Makefile.in | 5 + src/libstrongswan/plugins/files/Makefile.am | 16 + src/libstrongswan/plugins/files/Makefile.in | 775 +++++++ src/libstrongswan/plugins/files/files_fetcher.c | 117 ++ src/libstrongswan/plugins/files/files_fetcher.h | 42 + src/libstrongswan/plugins/files/files_plugin.c | 76 + src/libstrongswan/plugins/files/files_plugin.h | 42 + src/libstrongswan/plugins/fips_prf/Makefile.in | 5 + src/libstrongswan/plugins/fips_prf/fips_prf.c | 7 +- src/libstrongswan/plugins/gcm/Makefile.in | 5 + src/libstrongswan/plugins/gcrypt/Makefile.in | 5 + src/libstrongswan/plugins/gcrypt/gcrypt_dh.c | 21 +- src/libstrongswan/plugins/gmp/Makefile.in | 5 + src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c | 23 +- src/libstrongswan/plugins/hmac/Makefile.in | 5 + src/libstrongswan/plugins/hmac/hmac.c | 3 +- src/libstrongswan/plugins/keychain/Makefile.in | 5 + src/libstrongswan/plugins/ldap/Makefile.in | 5 + src/libstrongswan/plugins/md4/Makefile.in | 5 + src/libstrongswan/plugins/md5/Makefile.in | 5 + src/libstrongswan/plugins/mysql/Makefile.in | 5 + src/libstrongswan/plugins/nonce/Makefile.in | 5 + src/libstrongswan/plugins/ntru/Makefile.am | 1 - src/libstrongswan/plugins/ntru/Makefile.in | 12 +- src/libstrongswan/plugins/ntru/ntru_ke.c | 38 +- src/libstrongswan/plugins/ntru/ntru_mgf1.c | 182 -- src/libstrongswan/plugins/ntru/ntru_mgf1.h | 77 - src/libstrongswan/plugins/ntru/ntru_poly.c | 62 +- src/libstrongswan/plugins/ntru/ntru_trits.c | 39 +- src/libstrongswan/plugins/openssl/Makefile.in | 5 + .../plugins/openssl/openssl_crypter.c | 2 +- .../plugins/openssl/openssl_diffie_hellman.c | 21 +- .../plugins/openssl/openssl_ec_diffie_hellman.c | 23 +- src/libstrongswan/plugins/padlock/Makefile.in | 5 + src/libstrongswan/plugins/pem/Makefile.in | 5 + src/libstrongswan/plugins/pem/pem_builder.c | 25 +- src/libstrongswan/plugins/pem/pem_encoder.c | 11 + src/libstrongswan/plugins/pem/pem_plugin.c | 5 + src/libstrongswan/plugins/pgp/Makefile.in | 5 + src/libstrongswan/plugins/pkcs1/Makefile.in | 5 + src/libstrongswan/plugins/pkcs1/pkcs1_builder.c | 9 +- src/libstrongswan/plugins/pkcs11/Makefile.in | 5 + src/libstrongswan/plugins/pkcs11/pkcs11_dh.c | 30 +- src/libstrongswan/plugins/pkcs11/pkcs11_library.c | 44 +- .../plugins/pkcs11/pkcs11_private_key.c | 21 +- .../plugins/pkcs11/pkcs11_public_key.c | 50 +- src/libstrongswan/plugins/pkcs12/Makefile.in | 5 + src/libstrongswan/plugins/pkcs7/Makefile.in | 5 + src/libstrongswan/plugins/pkcs8/Makefile.in | 5 + src/libstrongswan/plugins/plugin_loader.c | 16 +- src/libstrongswan/plugins/pubkey/Makefile.in | 5 + src/libstrongswan/plugins/random/Makefile.in | 5 + src/libstrongswan/plugins/rc2/Makefile.in | 5 + src/libstrongswan/plugins/rdrand/Makefile.in | 5 + src/libstrongswan/plugins/revocation/Makefile.in | 5 + src/libstrongswan/plugins/sha1/Makefile.in | 5 + src/libstrongswan/plugins/sha2/Makefile.in | 5 + src/libstrongswan/plugins/soup/Makefile.in | 5 + src/libstrongswan/plugins/sqlite/Makefile.in | 5 + src/libstrongswan/plugins/sshkey/Makefile.in | 5 + src/libstrongswan/plugins/test_vectors/Makefile.in | 5 + src/libstrongswan/plugins/unbound/Makefile.in | 5 + src/libstrongswan/plugins/winhttp/Makefile.in | 5 + src/libstrongswan/plugins/x509/Makefile.in | 5 + src/libstrongswan/plugins/x509/x509_ac.c | 4 +- src/libstrongswan/plugins/x509/x509_cert.c | 2 +- src/libstrongswan/plugins/x509/x509_crl.c | 25 +- src/libstrongswan/plugins/x509/x509_ocsp_request.c | 6 +- .../plugins/x509/x509_ocsp_response.c | 4 +- src/libstrongswan/plugins/x509/x509_pkcs10.c | 2 +- src/libstrongswan/plugins/xcbc/Makefile.in | 5 + src/libstrongswan/plugins/xcbc/xcbc.c | 4 + src/libstrongswan/processing/processor.h | 2 + src/libstrongswan/processing/scheduler.c | 19 +- src/libstrongswan/processing/scheduler.h | 7 +- src/libstrongswan/processing/watcher.c | 113 +- src/libstrongswan/selectors/traffic_selector.c | 121 +- src/libstrongswan/selectors/traffic_selector.h | 19 + src/libstrongswan/settings/settings_lexer.c | 190 +- src/libstrongswan/settings/settings_lexer.l | 5 +- src/libstrongswan/tests/Makefile.am | 4 + src/libstrongswan/tests/Makefile.in | 81 + src/libstrongswan/tests/suites/test_certnames.c | 398 ++++ src/libstrongswan/tests/suites/test_certpolicy.c | 637 ++++++ src/libstrongswan/tests/suites/test_chunk.c | 13 +- src/libstrongswan/tests/suites/test_enum.c | 166 +- src/libstrongswan/tests/suites/test_hasher.c | 3 + src/libstrongswan/tests/suites/test_host.c | 137 ++ .../tests/suites/test_identification.c | 114 +- src/libstrongswan/tests/suites/test_mgf1.c | 268 +++ src/libstrongswan/tests/suites/test_ntru.c | 222 +- src/libstrongswan/tests/suites/test_settings.c | 4 +- src/libstrongswan/tests/suites/test_threading.c | 236 +++ .../tests/suites/test_traffic_selector.c | 284 +++ src/libstrongswan/tests/suites/test_utils.c | 45 +- src/libstrongswan/tests/tests.h | 5 + src/libstrongswan/threading/semaphore.h | 6 +- src/libstrongswan/threading/thread.h | 63 +- src/libstrongswan/threading/windows/rwlock.c | 2 - src/libstrongswan/utils/chunk.c | 2 +- src/libstrongswan/utils/compat/apple.h | 119 ++ src/libstrongswan/utils/compat/windows.c | 684 ++++++ src/libstrongswan/utils/compat/windows.h | 627 ++++++ src/libstrongswan/utils/enum.c | 93 +- src/libstrongswan/utils/enum.h | 35 +- src/libstrongswan/utils/identification.c | 87 + src/libstrongswan/utils/identification.h | 9 + src/libstrongswan/utils/utils.h | 6 +- src/libstrongswan/utils/windows.c | 641 ------ src/libstrongswan/utils/windows.h | 584 ------ src/libtls/Makefile.in | 5 + src/libtls/tests/Makefile.in | 5 + src/libtls/tls.c | 9 +- src/libtls/tls.h | 7 + src/libtls/tls_eap.c | 7 + src/libtls/tls_eap.h | 7 + src/libtls/tls_fragmentation.c | 35 +- src/libtls/tls_fragmentation.h | 4 +- src/libtls/tls_handshake.h | 7 + src/libtls/tls_peer.c | 40 +- src/libtls/tls_protection.c | 11 +- src/libtls/tls_server.c | 23 +- src/libtls/tls_socket.c | 15 +- src/libtnccs/Android.mk | 2 +- src/libtnccs/Makefile.in | 5 + src/libtnccs/plugins/tnc_imc/Makefile.in | 5 + src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c | 1 + src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h | 2 +- src/libtnccs/plugins/tnc_imv/Makefile.in | 5 + src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h | 2 +- src/libtnccs/plugins/tnc_tnccs/Makefile.in | 5 + src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c | 48 +- src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h | 2 +- src/libtnccs/plugins/tnccs_11/Makefile.in | 5 + src/libtnccs/plugins/tnccs_11/tnccs_11.c | 57 +- src/libtnccs/plugins/tnccs_11/tnccs_11.h | 15 +- src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h | 2 +- src/libtnccs/plugins/tnccs_20/Makefile.am | 4 + src/libtnccs/plugins/tnccs_20/Makefile.in | 39 +- src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c | 85 +- src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h | 30 +- .../messages/ita/pb_mutual_capability_msg.c | 174 ++ .../messages/ita/pb_mutual_capability_msg.h | 75 + .../tnccs_20/messages/ita/pb_noskip_test_msg.c | 92 + .../tnccs_20/messages/ita/pb_noskip_test_msg.h | 44 + .../plugins/tnccs_20/messages/pb_tnc_msg.c | 22 +- .../plugins/tnccs_20/messages/pb_tnc_msg.h | 20 + src/libtnccs/plugins/tnccs_20/tnccs_20.c | 945 ++------- src/libtnccs/plugins/tnccs_20/tnccs_20.h | 15 +- src/libtnccs/plugins/tnccs_20/tnccs_20_client.c | 820 ++++++++ src/libtnccs/plugins/tnccs_20/tnccs_20_client.h | 65 + src/libtnccs/plugins/tnccs_20/tnccs_20_handler.h | 105 + src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h | 2 +- src/libtnccs/plugins/tnccs_20/tnccs_20_server.c | 693 +++++++ src/libtnccs/plugins/tnccs_20/tnccs_20_server.h | 71 + src/libtnccs/plugins/tnccs_dynamic/Makefile.in | 5 + src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c | 61 +- src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h | 15 +- .../plugins/tnccs_dynamic/tnccs_dynamic_plugin.h | 2 +- src/libtnccs/tnc/imc/imc.h | 2 +- src/libtnccs/tnc/imv/imv.h | 2 +- src/libtnccs/tnc/tnc.h | 7 +- src/libtnccs/tnc/tnccs/tnccs.h | 30 +- src/libtnccs/tnc/tnccs/tnccs_manager.h | 15 +- src/libtncif/Makefile.in | 5 + src/libtncif/tncif_names.c | 14 +- src/libtncif/tncif_names.h | 4 +- src/manager/Makefile.in | 5 + src/medsrv/Makefile.in | 5 + src/pki/Makefile.am | 1 + src/pki/Makefile.in | 11 +- src/pki/command.h | 2 +- src/pki/commands/acert.c | 11 +- src/pki/commands/gen.c | 14 +- src/pki/commands/issue.c | 12 +- src/pki/commands/keyid.c | 7 +- src/pki/commands/pkcs12.c | 247 +++ src/pki/commands/print.c | 34 +- src/pki/commands/pub.c | 10 +- src/pki/commands/req.c | 17 +- src/pki/commands/self.c | 20 +- src/pki/commands/signcrl.c | 8 +- src/pki/man/Makefile.in | 21 +- src/pki/man/pki---acert.1.in | 4 +- src/pki/man/pki---issue.1.in | 20 +- src/pki/man/pki---pkcs12.1.in | 62 + src/pki/man/pki---req.1.in | 4 +- src/pki/man/pki---self.1.in | 20 +- src/pki/man/pki---signcrl.1.in | 4 +- src/pki/pki.c | 46 +- src/pki/pki.h | 8 + src/pool/Makefile.am | 4 +- src/pool/Makefile.in | 12 +- src/pt-tls-client/Makefile.in | 5 + src/pt-tls-client/pt-tls-client.c | 43 +- src/scepclient/Makefile.in | 5 + src/starter/Makefile.in | 5 + src/starter/cmp.c | 2 +- src/starter/parser/lexer.c | 230 ++- src/starter/parser/lexer.l | 5 +- src/starter/starterstroke.c | 14 +- src/starter/tests/Makefile.in | 5 + src/stroke/Makefile.in | 5 + src/stroke/stroke_msg.h | 2 +- src/swanctl/Makefile.am | 1 + src/swanctl/Makefile.in | 6 + src/swanctl/commands/list_conns.c | 5 +- src/swanctl/commands/list_sas.c | 6 +- src/swanctl/commands/load_conns.c | 47 +- src/swanctl/commands/load_creds.c | 290 ++- src/swanctl/swanctl.conf | 14 +- src/swanctl/swanctl.conf.5.main | 80 +- src/swanctl/swanctl.h | 5 + src/swanctl/swanctl.opt | 52 +- testing/Makefile.in | 5 + testing/config/kernel/config-3.18 | 2165 +++++++++++++++++++ testing/config/kernel/config-3.19 | 2181 ++++++++++++++++++++ .../etc/openssl/bliss/strongswan_blissCert.der | Bin 0 -> 2094 bytes .../etc/openssl/bliss/strongswan_blissKey.der | Bin 0 -> 1310 bytes .../0b5362afd8838bafb66c854732b490d5d8318261 | Bin 1190 -> 0 bytes .../35ef6b73537e090d3b09359bfee642eafa6192eb | Bin 0 -> 1212 bytes .../533394399c61128c957881790d70511537798da1 | Bin 1212 -> 0 bytes .../6645da3911d7f86e5410b698e2a441f1e2e4491a | Bin 0 -> 1188 bytes .../6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da | Bin 1188 -> 0 bytes .../b8a73c3433f4e341cc7c4ae42989f0a23a956488 | Bin 1210 -> 0 bytes .../e2d52f0f42f61f786f1c570a4acc8fa8d72a329f | Bin 0 -> 1210 bytes .../f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d | Bin 0 -> 1190 bytes .../hosts/winnetou/etc/openssl/duck/duckCert.pem | 36 +- .../hosts/winnetou/etc/openssl/duck/duckKey.pem | 50 +- testing/hosts/winnetou/etc/openssl/duck/index.txt | 2 +- .../winnetou/etc/openssl/duck/newcerts/01.pem | 36 +- testing/hosts/winnetou/etc/openssl/generate-crl | 4 +- testing/hosts/winnetou/etc/openssl/index.txt | 3 +- testing/hosts/winnetou/etc/openssl/index.txt.old | 3 +- testing/hosts/winnetou/etc/openssl/newcerts/32.pem | 25 + testing/hosts/winnetou/etc/openssl/ocspCert.pem | 30 +- testing/hosts/winnetou/etc/openssl/ocspKey.pem | 50 +- .../hosts/winnetou/etc/openssl/research/index.txt | 3 +- .../winnetou/etc/openssl/research/index.txt.old | 3 +- .../winnetou/etc/openssl/research/newcerts/0A.pem | 23 + testing/hosts/winnetou/etc/openssl/research/serial | 2 +- .../hosts/winnetou/etc/openssl/research/serial.old | 2 +- testing/hosts/winnetou/etc/openssl/rfc3779/.rand | Bin 1024 -> 1024 bytes .../hosts/winnetou/etc/openssl/rfc3779/index.txt | 12 +- .../winnetou/etc/openssl/rfc3779/index.txt.old | 10 +- .../winnetou/etc/openssl/rfc3779/newcerts/05.pem | 28 + .../winnetou/etc/openssl/rfc3779/newcerts/06.pem | 28 + .../winnetou/etc/openssl/rfc3779/newcerts/07.pem | 27 + .../winnetou/etc/openssl/rfc3779/newcerts/08.pem | 27 + .../hosts/winnetou/etc/openssl/rfc3779/openssl.cnf | 15 +- testing/hosts/winnetou/etc/openssl/rfc3779/serial | 2 +- .../hosts/winnetou/etc/openssl/rfc3779/serial.old | 2 +- testing/hosts/winnetou/etc/openssl/serial | 2 +- testing/hosts/winnetou/etc/openssl/serial.old | 2 +- testing/scripts/build-baseimage | 2 +- testing/scripts/recipes/013_strongswan.mk | 5 +- testing/tests/ha/both-active/description.txt | 4 +- testing/tests/ikev1/double-nat-net/evaltest.dat | 4 +- testing/tests/ikev1/double-nat/evaltest.dat | 4 +- testing/tests/ikev1/nat-rw/evaltest.dat | 8 +- .../ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown | 93 +- .../tests/ikev1/net2net-fragmentation/evaltest.dat | 4 +- .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 27 + .../hosts/sun/etc/ipsec.d/private/sunKey.pem | 27 + testing/tests/ikev2/double-nat-net/evaltest.dat | 4 +- testing/tests/ikev2/double-nat/evaltest.dat | 4 +- testing/tests/ikev2/forecast/description.txt | 8 + testing/tests/ikev2/forecast/evaltest.dat | 20 + .../ikev2/forecast/hosts/carol/etc/ipsec.conf | 21 + .../ikev2/forecast/hosts/carol/etc/strongswan.conf | 5 + .../tests/ikev2/forecast/hosts/dave/etc/ipsec.conf | 21 + .../ikev2/forecast/hosts/dave/etc/strongswan.conf | 5 + .../tests/ikev2/forecast/hosts/moon/etc/ipsec.conf | 22 + .../ikev2/forecast/hosts/moon/etc/strongswan.conf | 16 + testing/tests/ikev2/forecast/posttest.dat | 6 + testing/tests/ikev2/forecast/pretest.dat | 7 + testing/tests/ikev2/forecast/test.conf | 21 + .../host2host-transport-connmark/description.txt | 8 + .../host2host-transport-connmark/evaltest.dat | 7 + .../hosts/alice/etc/ipsec.conf | 17 + .../hosts/sun/etc/ipsec.conf | 18 + .../hosts/sun/etc/strongswan.conf | 5 + .../hosts/venus/etc/ipsec.conf | 17 + .../host2host-transport-connmark/posttest.dat | 5 + .../ikev2/host2host-transport-connmark/pretest.dat | 11 + .../ikev2/host2host-transport-connmark/test.conf | 21 + .../ikev2/host2host-transport-nat/description.txt | 3 +- .../ikev2/host2host-transport-nat/evaltest.dat | 13 +- .../ikev2/host2host-transport-nat/pretest.dat | 1 + .../ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat | 8 +- .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 36 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 50 +- .../hosts/moon/etc/ipsec.d/cacerts/duckCert.pem | 36 +- testing/tests/ikev2/nat-rw-mark/evaltest.dat | 4 +- .../ikev2/nat-rw-mark/hosts/sun/etc/mark_updown | 300 +-- testing/tests/ikev2/nat-rw-psk/evaltest.dat | 6 +- testing/tests/ikev2/nat-rw/evaltest.dat | 8 +- .../ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown | 94 +- .../tests/ikev2/net2net-cert-sha2/description.txt | 7 + testing/tests/ikev2/net2net-cert-sha2/evaltest.dat | 9 + .../net2net-cert-sha2/hosts/moon/etc/ipsec.conf | 23 + .../hosts/moon/etc/strongswan.conf | 5 + .../net2net-cert-sha2/hosts/sun/etc/ipsec.conf | 23 + .../hosts/sun/etc/strongswan.conf | 5 + testing/tests/ikev2/net2net-cert-sha2/posttest.dat | 5 + testing/tests/ikev2/net2net-cert-sha2/pretest.dat | 6 + testing/tests/ikev2/net2net-cert-sha2/test.conf | 21 + .../net2net-cert/hosts/moon/etc/strongswan.conf | 1 + .../net2net-cert/hosts/sun/etc/strongswan.conf | 1 + .../tests/ikev2/net2net-fragmentation/evaltest.dat | 4 +- .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 36 +- .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 50 +- .../hosts/sun/etc/ipsec.d/certs/sunCert.pem | 36 +- .../hosts/sun/etc/ipsec.d/private/sunKey.pem | 50 +- .../net2net-same-nets/hosts/sun/etc/mark_updown | 48 +- .../ikev2/reauth-mbb-virtual-ip/description.txt | 8 + .../tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat | 7 + .../hosts/carol/etc/ipsec.conf | 22 + .../hosts/carol/etc/strongswan.conf | 7 + .../hosts/moon/etc/ipsec.conf | 20 + .../hosts/moon/etc/strongswan.conf | 5 + .../tests/ikev2/reauth-mbb-virtual-ip/posttest.dat | 4 + .../tests/ikev2/reauth-mbb-virtual-ip/pretest.dat | 6 + .../tests/ikev2/reauth-mbb-virtual-ip/test.conf | 21 + testing/tests/ikev2/reauth-mbb/description.txt | 7 + testing/tests/ikev2/reauth-mbb/evaltest.dat | 7 + .../ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf | 21 + .../reauth-mbb/hosts/carol/etc/strongswan.conf | 7 + .../ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf | 19 + .../reauth-mbb/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/reauth-mbb/posttest.dat | 4 + testing/tests/ikev2/reauth-mbb/pretest.dat | 6 + testing/tests/ikev2/reauth-mbb/test.conf | 21 + testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat | 2 +- testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat | 2 +- .../rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf | 1 - testing/tests/ikev2/rw-eap-dynamic/evaltest.dat | 4 +- .../ikev2/rw-eap-framed-ip-radius/evaltest.dat | 4 +- .../ikev2/rw-eap-md5-class-radius/evaltest.dat | 4 +- .../tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat | 2 +- .../tests/ikev2/rw-eap-md5-id-radius/evaltest.dat | 2 +- .../hosts/carol/etc/ipsec.conf | 1 - testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat | 2 +- .../rw-eap-md5-radius/hosts/carol/etc/ipsec.conf | 1 - testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat | 2 +- .../rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf | 1 - .../ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat | 2 +- .../tests/ikev2/rw-eap-peap-radius/evaltest.dat | 4 +- .../tests/ikev2/rw-eap-sim-id-radius/evaltest.dat | 2 +- testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat | 2 +- testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat | 2 +- .../rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf | 1 - testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat | 2 +- .../tests/ikev2/rw-eap-ttls-radius/evaltest.dat | 4 +- .../ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown | 296 +-- testing/tests/ikev2/rw-ntru-bliss/description.txt | 15 + testing/tests/ikev2/rw-ntru-bliss/evaltest.dat | 26 + .../ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf | 25 + .../etc/ipsec.d/cacerts/strongswan_blissCert.der | Bin 0 -> 2094 bytes .../hosts/carol/etc/ipsec.d/certs/carolCert.der | Bin 0 -> 2172 bytes .../hosts/carol/etc/ipsec.d/private/carolKey.der | Bin 0 -> 1182 bytes .../rw-ntru-bliss/hosts/carol/etc/ipsec.secrets | 3 + .../rw-ntru-bliss/hosts/carol/etc/strongswan.conf | 7 + .../ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf | 25 + .../etc/ipsec.d/cacerts/strongswan_blissCert.der | Bin 0 -> 2094 bytes .../hosts/dave/etc/ipsec.d/certs/daveCert.der | Bin 0 -> 2173 bytes .../hosts/dave/etc/ipsec.d/private/daveKey.der | Bin 0 -> 1310 bytes .../rw-ntru-bliss/hosts/dave/etc/ipsec.secrets | 3 + .../rw-ntru-bliss/hosts/dave/etc/strongswan.conf | 7 + .../ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf | 25 + .../etc/ipsec.d/cacerts/strongswan_blissCert.der | Bin 0 -> 2094 bytes .../hosts/moon/etc/ipsec.d/certs/moonCert.der | Bin 0 -> 2190 bytes .../hosts/moon/etc/ipsec.d/private/moonKey.der | Bin 0 -> 1310 bytes .../rw-ntru-bliss/hosts/moon/etc/ipsec.secrets | 3 + .../rw-ntru-bliss/hosts/moon/etc/strongswan.conf | 7 + testing/tests/ikev2/rw-ntru-bliss/posttest.dat | 9 + testing/tests/ikev2/rw-ntru-bliss/pretest.dat | 13 + testing/tests/ikev2/rw-ntru-bliss/test.conf | 21 + testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat | 4 +- testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat | 2 +- .../tests/ikev2/rw-radius-accounting/evaltest.dat | 2 +- .../hosts/carol/etc/ipsec.conf | 1 - testing/tests/ikev2/rw-sig-auth/description.txt | 10 + testing/tests/ikev2/rw-sig-auth/evaltest.dat | 20 + .../ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf | 29 + .../rw-sig-auth/hosts/carol/etc/strongswan.conf | 5 + .../ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf | 29 + .../rw-sig-auth/hosts/dave/etc/strongswan.conf | 5 + .../ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf | 30 + .../ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets | 3 + .../rw-sig-auth/hosts/moon/etc/strongswan.conf | 5 + testing/tests/ikev2/rw-sig-auth/posttest.dat | 6 + testing/tests/ikev2/rw-sig-auth/pretest.dat | 12 + testing/tests/ikev2/rw-sig-auth/test.conf | 26 + testing/tests/ikev2/rw-whitelist/evaltest.dat | 4 +- .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 36 +- .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 50 +- .../hosts/sun/etc/ipsec.d/certs/sunCert.pem | 36 +- .../hosts/sun/etc/ipsec.d/private/sunKey.pem | 50 +- .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 34 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 50 +- .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 34 +- .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 50 +- .../hosts/moon/etc/ipsec.d/certs/moonCert.pem | 36 +- .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 50 +- .../libipsec/host2host-cert/hosts/moon/etc/updown | 303 +-- .../libipsec/host2host-cert/hosts/sun/etc/updown | 303 +-- .../libipsec/net2net-3des/hosts/moon/etc/updown | 303 +-- .../libipsec/net2net-3des/hosts/sun/etc/updown | 303 +-- .../libipsec/net2net-cert/hosts/moon/etc/updown | 303 +-- .../libipsec/net2net-cert/hosts/sun/etc/updown | 303 +-- testing/tests/libipsec/rw-suite-b/evaltest.dat | 6 +- .../libipsec/rw-suite-b/hosts/carol/etc/updown | 311 +-- .../libipsec/rw-suite-b/hosts/dave/etc/updown | 311 +-- .../libipsec/rw-suite-b/hosts/moon/etc/updown | 311 +-- .../hosts/moon/etc/ipsec.d/private/moonKey.pem | 27 + .../hosts/sun/etc/ipsec.d/private/sunKey.pem | 27 + .../tests/openssl-ikev2/ecdsa-certs/evaltest.dat | 4 +- .../ecdsa-certs/hosts/dave/etc/strongswan.conf | 1 + .../tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat | 8 +- .../openssl-ikev2/rw-suite-b-128/evaltest.dat | 2 +- .../openssl-ikev2/rw-suite-b-192/evaltest.dat | 2 +- testing/tests/sql/rw-eap-aka-rsa/evaltest.dat | 2 +- testing/tests/sql/rw-psk-rsa-split/evaltest.dat | 2 +- .../swanctl/net2net-cert-ipv6/description.txt | 6 - .../tests/swanctl/net2net-cert-ipv6/evaltest.dat | 5 - .../hosts/moon/etc/strongswan.conf | 15 - .../hosts/moon/etc/swanctl/swanctl.conf | 35 - .../hosts/sun/etc/strongswan.conf | 15 - .../hosts/sun/etc/swanctl/swanctl.conf | 35 - .../tests/swanctl/net2net-cert-ipv6/posttest.dat | 11 - .../tests/swanctl/net2net-cert-ipv6/pretest.dat | 16 - testing/tests/swanctl/net2net-cert-ipv6/test.conf | 21 - testing/tests/tkm/host2host-initiator/evaltest.dat | 4 + testing/tests/tkm/host2host-xfrmproxy/evaltest.dat | 1 + testing/tests/tkm/multiple-clients/evaltest.dat | 3 +- testing/tests/tkm/net2net-xfrmproxy/evaltest.dat | 1 + testing/tests/tkm/xfrmproxy-expire/description.txt | 6 + testing/tests/tkm/xfrmproxy-expire/evaltest.dat | 22 + .../hosts/moon/etc/strongswan.conf | 8 + .../hosts/moon/etc/tkm/moonKey.der | Bin 0 -> 1191 bytes .../hosts/moon/etc/tkm/strongswanCert.der | Bin 0 -> 956 bytes .../xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf | 21 + .../tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf | 21 + .../xfrmproxy-expire/hosts/sun/etc/strongswan.conf | 5 + testing/tests/tkm/xfrmproxy-expire/posttest.dat | 5 + testing/tests/tkm/xfrmproxy-expire/pretest.dat | 12 + testing/tests/tkm/xfrmproxy-expire/test.conf | 21 + .../tests/tnc/tnccs-11-radius-block/evaltest.dat | 4 +- testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat | 4 +- testing/tests/tnc/tnccs-11-radius/evaltest.dat | 4 +- .../tests/tnc/tnccs-20-fail-init/description.txt | 10 + testing/tests/tnc/tnccs-20-fail-init/evaltest.dat | 10 + .../tnccs-20-fail-init/hosts/carol/etc/ipsec.conf | 23 + .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 23 + .../tnccs-20-fail-init/hosts/carol/etc/tnc_config | 3 + .../tnccs-20-fail-init/hosts/dave/etc/ipsec.conf | 23 + .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 26 + .../tnccs-20-fail-init/hosts/dave/etc/tnc_config | 3 + .../tnccs-20-fail-init/hosts/moon/etc/ipsec.conf | 34 + .../hosts/moon/etc/ipsec.secrets | 6 + .../hosts/moon/etc/strongswan.conf | 23 + .../tnccs-20-fail-init/hosts/moon/etc/tnc_config | 3 + testing/tests/tnc/tnccs-20-fail-init/posttest.dat | 6 + testing/tests/tnc/tnccs-20-fail-init/pretest.dat | 12 + testing/tests/tnc/tnccs-20-fail-init/test.conf | 26 + .../tests/tnc/tnccs-20-fail-resp/description.txt | 9 + testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat | 5 + .../tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf | 23 + .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 15 + .../tnccs-20-fail-resp/hosts/carol/etc/tnc_config | 3 + .../tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf | 34 + .../hosts/moon/etc/ipsec.secrets | 6 + .../hosts/moon/etc/strongswan.conf | 28 + .../tnccs-20-fail-resp/hosts/moon/etc/tnc_config | 3 + testing/tests/tnc/tnccs-20-fail-resp/posttest.dat | 4 + testing/tests/tnc/tnccs-20-fail-resp/pretest.dat | 8 + testing/tests/tnc/tnccs-20-fail-resp/test.conf | 26 + .../tests/tnc/tnccs-20-mutual-eap/description.txt | 3 + testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat | 11 + .../tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf | 23 + .../hosts/moon/etc/strongswan.conf | 26 + .../tnccs-20-mutual-eap/hosts/moon/etc/tnc_config | 4 + .../tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf | 23 + .../hosts/sun/etc/strongswan.conf | 28 + .../tnccs-20-mutual-eap/hosts/sun/etc/tnc_config | 4 + testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat | 4 + testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat | 6 + testing/tests/tnc/tnccs-20-mutual-eap/test.conf | 21 + .../tnc/tnccs-20-mutual-pt-tls/description.txt | 3 + .../tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat | 6 + .../hosts/moon/etc/ipsec.conf | 3 + .../hosts/moon/etc/pts/options | 8 + .../hosts/moon/etc/strongswan.conf | 16 + .../hosts/moon/etc/tnc_config | 4 + .../hosts/sun/etc/ipsec.conf | 9 + .../hosts/sun/etc/strongswan.conf | 28 + .../hosts/sun/etc/tnc_config | 4 + .../tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat | 1 + .../tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat | 4 + testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf | 21 + testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat | 4 +- 1048 files changed, 51014 insertions(+), 18586 deletions(-) create mode 100644 conf/plugins/bliss.conf create mode 100644 conf/plugins/bliss.opt create mode 100644 conf/plugins/forecast.conf create mode 100644 conf/plugins/forecast.opt create mode 100644 conf/plugins/kernel-pfkey.conf create mode 100644 conf/plugins/kernel-pfkey.opt delete mode 100644 src/_updown/_updown.8 delete mode 100644 src/_updown_espmark/Makefile.am delete mode 100644 src/_updown_espmark/Makefile.in delete mode 100644 src/_updown_espmark/_updown_espmark delete mode 100644 src/_updown_espmark/_updown_espmark.8 create mode 100644 src/charon-tkm/src/tkm/tkm_encoder.c~ create mode 100644 src/libcharon/attributes/attribute_handler.h create mode 100644 src/libcharon/attributes/attribute_manager.c create mode 100644 src/libcharon/attributes/attribute_manager.h create mode 100644 src/libcharon/attributes/attribute_provider.h create mode 100644 src/libcharon/attributes/attributes.c create mode 100644 src/libcharon/attributes/attributes.h create mode 100644 src/libcharon/attributes/mem_pool.c create mode 100644 src/libcharon/attributes/mem_pool.h create mode 100644 src/libcharon/plugins/attr/Makefile.am create mode 100644 src/libcharon/plugins/attr/Makefile.in create mode 100644 src/libcharon/plugins/attr/attr_plugin.c create mode 100644 src/libcharon/plugins/attr/attr_plugin.h create mode 100644 src/libcharon/plugins/attr/attr_provider.c create mode 100644 src/libcharon/plugins/attr/attr_provider.h create mode 100644 src/libcharon/plugins/attr_sql/Makefile.am create mode 100644 src/libcharon/plugins/attr_sql/Makefile.in create mode 100644 src/libcharon/plugins/attr_sql/attr_sql_plugin.c create mode 100644 src/libcharon/plugins/attr_sql/attr_sql_plugin.h create mode 100644 src/libcharon/plugins/attr_sql/attr_sql_provider.c create mode 100644 src/libcharon/plugins/attr_sql/attr_sql_provider.h create mode 100644 src/libcharon/plugins/connmark/Makefile.am create mode 100644 src/libcharon/plugins/connmark/Makefile.in create mode 100644 src/libcharon/plugins/connmark/connmark_listener.c create mode 100644 src/libcharon/plugins/connmark/connmark_listener.h create mode 100644 src/libcharon/plugins/connmark/connmark_plugin.c create mode 100644 src/libcharon/plugins/connmark/connmark_plugin.h create mode 100644 src/libcharon/plugins/forecast/Makefile.am create mode 100644 src/libcharon/plugins/forecast/Makefile.in create mode 100644 src/libcharon/plugins/forecast/forecast_forwarder.c create mode 100644 src/libcharon/plugins/forecast/forecast_forwarder.h create mode 100644 src/libcharon/plugins/forecast/forecast_listener.c create mode 100644 src/libcharon/plugins/forecast/forecast_listener.h create mode 100644 src/libcharon/plugins/forecast/forecast_plugin.c create mode 100644 src/libcharon/plugins/forecast/forecast_plugin.h create mode 100644 src/libcharon/plugins/resolve/Makefile.am create mode 100644 src/libcharon/plugins/resolve/Makefile.in create mode 100644 src/libcharon/plugins/resolve/resolve_handler.c create mode 100644 src/libcharon/plugins/resolve/resolve_handler.h create mode 100644 src/libcharon/plugins/resolve/resolve_plugin.c create mode 100644 src/libcharon/plugins/resolve/resolve_plugin.h delete mode 100644 src/libcharon/plugins/unit_tester/Makefile.am delete mode 100644 src/libcharon/plugins/unit_tester/Makefile.in delete mode 100644 src/libcharon/plugins/unit_tester/tests.h delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_agent.c delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_auth_info.c delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_cert.c delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_curl.c delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_med_db.c delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_mysql.c delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_pool.c delete mode 100644 src/libcharon/plugins/unit_tester/tests/test_sqlite.c delete mode 100644 src/libcharon/plugins/unit_tester/unit_tester.c delete mode 100644 src/libcharon/plugins/unit_tester/unit_tester.h create mode 100644 src/libcharon/plugins/vici/python/LICENSE create mode 100644 src/libcharon/plugins/vici/python/MANIFEST.in create mode 100644 src/libcharon/plugins/vici/python/Makefile.am create mode 100644 src/libcharon/plugins/vici/python/Makefile.in create mode 100644 src/libcharon/plugins/vici/python/setup.py.in create mode 100644 src/libcharon/plugins/vici/python/vici/__init__.py create mode 100644 src/libcharon/plugins/vici/python/vici/compat.py create mode 100644 src/libcharon/plugins/vici/python/vici/exception.py create mode 100644 src/libcharon/plugins/vici/python/vici/protocol.py create mode 100644 src/libcharon/plugins/vici/python/vici/session.py create mode 100644 src/libcharon/plugins/vici/python/vici/test/__init__.py create mode 100644 src/libcharon/plugins/vici/python/vici/test/test_protocol.py create mode 100644 src/libcharon/processing/jobs/initiate_tasks_job.c create mode 100644 src/libcharon/processing/jobs/initiate_tasks_job.h create mode 100644 src/libcharon/sa/child_sa_manager.c create mode 100644 src/libcharon/sa/child_sa_manager.h create mode 100644 src/libcharon/sa/ikev2/tasks/ike_reauth_complete.c create mode 100644 src/libcharon/sa/ikev2/tasks/ike_reauth_complete.h create mode 100644 src/libcharon/tests/Makefile.am create mode 100644 src/libcharon/tests/Makefile.in create mode 100644 src/libcharon/tests/libcharon_tests.c create mode 100644 src/libcharon/tests/libcharon_tests.h create mode 100644 src/libcharon/tests/suites/test_mem_pool.c delete mode 100644 src/libhydra/attributes/attribute_handler.h delete mode 100644 src/libhydra/attributes/attribute_manager.c delete mode 100644 src/libhydra/attributes/attribute_manager.h delete mode 100644 src/libhydra/attributes/attribute_provider.h delete mode 100644 src/libhydra/attributes/attributes.c delete mode 100644 src/libhydra/attributes/attributes.h delete mode 100644 src/libhydra/attributes/mem_pool.c delete mode 100644 src/libhydra/attributes/mem_pool.h delete mode 100644 src/libhydra/plugins/attr/Makefile.am delete mode 100644 src/libhydra/plugins/attr/Makefile.in delete mode 100644 src/libhydra/plugins/attr/attr_plugin.c delete mode 100644 src/libhydra/plugins/attr/attr_plugin.h delete mode 100644 src/libhydra/plugins/attr/attr_provider.c delete mode 100644 src/libhydra/plugins/attr/attr_provider.h delete mode 100644 src/libhydra/plugins/attr_sql/Makefile.am delete mode 100644 src/libhydra/plugins/attr_sql/Makefile.in delete mode 100644 src/libhydra/plugins/attr_sql/attr_sql_plugin.c delete mode 100644 src/libhydra/plugins/attr_sql/attr_sql_plugin.h delete mode 100644 src/libhydra/plugins/attr_sql/sql_attribute.c delete mode 100644 src/libhydra/plugins/attr_sql/sql_attribute.h create mode 100644 src/libhydra/plugins/kernel_netlink/suites/test_socket.c create mode 100644 src/libhydra/plugins/kernel_netlink/tests.c create mode 100644 src/libhydra/plugins/kernel_netlink/tests.h delete mode 100644 src/libhydra/plugins/resolve/Makefile.am delete mode 100644 src/libhydra/plugins/resolve/Makefile.in delete mode 100644 src/libhydra/plugins/resolve/resolve_handler.c delete mode 100644 src/libhydra/plugins/resolve/resolve_handler.h delete mode 100644 src/libhydra/plugins/resolve/resolve_plugin.c delete mode 100644 src/libhydra/plugins/resolve/resolve_plugin.h create mode 100644 src/libhydra/tests/Makefile.am create mode 100644 src/libhydra/tests/Makefile.in create mode 100644 src/libhydra/tests/hydra_tests.c create mode 100644 src/libhydra/tests/hydra_tests.h create mode 100644 src/libstrongswan/crypto/hashers/hash_algorithm_set.c create mode 100644 src/libstrongswan/crypto/hashers/hash_algorithm_set.h create mode 100644 src/libstrongswan/crypto/mgf1/mgf1.c create mode 100644 src/libstrongswan/crypto/mgf1/mgf1.h create mode 100644 src/libstrongswan/crypto/mgf1/mgf1_bitspender.c create mode 100644 src/libstrongswan/crypto/mgf1/mgf1_bitspender.h create mode 100644 src/libstrongswan/plugins/bliss/Makefile.am create mode 100644 src/libstrongswan/plugins/bliss/Makefile.in create mode 100644 src/libstrongswan/plugins/bliss/bliss_bitpacker.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_bitpacker.h create mode 100644 src/libstrongswan/plugins/bliss/bliss_fft.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_fft.h create mode 100644 src/libstrongswan/plugins/bliss/bliss_fft_params.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_fft_params.h create mode 100644 src/libstrongswan/plugins/bliss/bliss_huffman.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_huffman_code.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_huffman_code.h create mode 100644 src/libstrongswan/plugins/bliss/bliss_huffman_code_1.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_huffman_code_3.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_huffman_code_4.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_huffman_coder.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_huffman_coder.h create mode 100644 src/libstrongswan/plugins/bliss/bliss_param_set.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_param_set.h create mode 100644 src/libstrongswan/plugins/bliss/bliss_plugin.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_plugin.h create mode 100644 src/libstrongswan/plugins/bliss/bliss_private_key.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_private_key.h create mode 100644 src/libstrongswan/plugins/bliss/bliss_public_key.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_public_key.h create mode 100644 src/libstrongswan/plugins/bliss/bliss_sampler.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_sampler.h create mode 100644 src/libstrongswan/plugins/bliss/bliss_signature.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_signature.h create mode 100644 src/libstrongswan/plugins/bliss/bliss_utils.c create mode 100644 src/libstrongswan/plugins/bliss/bliss_utils.h create mode 100644 src/libstrongswan/plugins/bliss/tests/Makefile.am create mode 100644 src/libstrongswan/plugins/bliss/tests/Makefile.in create mode 100644 src/libstrongswan/plugins/bliss/tests/bliss_tests.c create mode 100644 src/libstrongswan/plugins/bliss/tests/bliss_tests.h create mode 100644 src/libstrongswan/plugins/bliss/tests/suites/test_bliss_bitpacker.c create mode 100644 src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c create mode 100644 src/libstrongswan/plugins/bliss/tests/suites/test_bliss_huffman.c create mode 100644 src/libstrongswan/plugins/bliss/tests/suites/test_bliss_keys.c create mode 100644 src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c create mode 100644 src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c create mode 100644 src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c create mode 100644 src/libstrongswan/plugins/files/Makefile.am create mode 100644 src/libstrongswan/plugins/files/Makefile.in create mode 100644 src/libstrongswan/plugins/files/files_fetcher.c create mode 100644 src/libstrongswan/plugins/files/files_fetcher.h create mode 100644 src/libstrongswan/plugins/files/files_plugin.c create mode 100644 src/libstrongswan/plugins/files/files_plugin.h delete mode 100644 src/libstrongswan/plugins/ntru/ntru_mgf1.c delete mode 100644 src/libstrongswan/plugins/ntru/ntru_mgf1.h create mode 100644 src/libstrongswan/tests/suites/test_certnames.c create mode 100644 src/libstrongswan/tests/suites/test_certpolicy.c create mode 100644 src/libstrongswan/tests/suites/test_mgf1.c create mode 100644 src/libstrongswan/tests/suites/test_traffic_selector.c create mode 100644 src/libstrongswan/utils/compat/apple.h create mode 100644 src/libstrongswan/utils/compat/windows.c create mode 100644 src/libstrongswan/utils/compat/windows.h delete mode 100644 src/libstrongswan/utils/windows.c delete mode 100644 src/libstrongswan/utils/windows.h create mode 100644 src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.c create mode 100644 src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.h create mode 100644 src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c create mode 100644 src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h create mode 100644 src/libtnccs/plugins/tnccs_20/tnccs_20_client.c create mode 100644 src/libtnccs/plugins/tnccs_20/tnccs_20_client.h create mode 100644 src/libtnccs/plugins/tnccs_20/tnccs_20_handler.h create mode 100644 src/libtnccs/plugins/tnccs_20/tnccs_20_server.c create mode 100644 src/libtnccs/plugins/tnccs_20/tnccs_20_server.h create mode 100644 src/pki/commands/pkcs12.c create mode 100644 src/pki/man/pki---pkcs12.1.in create mode 100644 testing/config/kernel/config-3.18 create mode 100644 testing/config/kernel/config-3.19 create mode 100644 testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.der create mode 100644 testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.der delete mode 100644 testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192eb delete mode 100644 testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491a delete mode 100644 testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da delete mode 100644 testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488 create mode 100644 testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329f create mode 100644 testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/32.pem create mode 100644 testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem create mode 100644 testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem create mode 100644 testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem create mode 100644 testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem create mode 100644 testing/tests/ikev2/forecast/description.txt create mode 100644 testing/tests/ikev2/forecast/evaltest.dat create mode 100644 testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/forecast/posttest.dat create mode 100644 testing/tests/ikev2/forecast/pretest.dat create mode 100644 testing/tests/ikev2/forecast/test.conf create mode 100644 testing/tests/ikev2/host2host-transport-connmark/description.txt create mode 100644 testing/tests/ikev2/host2host-transport-connmark/evaltest.dat create mode 100644 testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf create mode 100644 testing/tests/ikev2/host2host-transport-connmark/posttest.dat create mode 100644 testing/tests/ikev2/host2host-transport-connmark/pretest.dat create mode 100644 testing/tests/ikev2/host2host-transport-connmark/test.conf create mode 100644 testing/tests/ikev2/net2net-cert-sha2/description.txt create mode 100644 testing/tests/ikev2/net2net-cert-sha2/evaltest.dat create mode 100644 testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/net2net-cert-sha2/posttest.dat create mode 100644 testing/tests/ikev2/net2net-cert-sha2/pretest.dat create mode 100644 testing/tests/ikev2/net2net-cert-sha2/test.conf create mode 100644 testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt create mode 100644 testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat create mode 100644 testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat create mode 100644 testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat create mode 100644 testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf create mode 100644 testing/tests/ikev2/reauth-mbb/description.txt create mode 100644 testing/tests/ikev2/reauth-mbb/evaltest.dat create mode 100644 testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/reauth-mbb/posttest.dat create mode 100644 testing/tests/ikev2/reauth-mbb/pretest.dat create mode 100644 testing/tests/ikev2/reauth-mbb/test.conf create mode 100644 testing/tests/ikev2/rw-ntru-bliss/description.txt create mode 100644 testing/tests/ikev2/rw-ntru-bliss/evaltest.dat create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-ntru-bliss/posttest.dat create mode 100644 testing/tests/ikev2/rw-ntru-bliss/pretest.dat create mode 100644 testing/tests/ikev2/rw-ntru-bliss/test.conf create mode 100644 testing/tests/ikev2/rw-sig-auth/description.txt create mode 100644 testing/tests/ikev2/rw-sig-auth/evaltest.dat create mode 100644 testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-sig-auth/posttest.dat create mode 100644 testing/tests/ikev2/rw-sig-auth/pretest.dat create mode 100644 testing/tests/ikev2/rw-sig-auth/test.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem delete mode 100755 testing/tests/swanctl/net2net-cert-ipv6/description.txt delete mode 100755 testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat delete mode 100755 testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf delete mode 100755 testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf delete mode 100755 testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf delete mode 100755 testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf delete mode 100755 testing/tests/swanctl/net2net-cert-ipv6/posttest.dat delete mode 100755 testing/tests/swanctl/net2net-cert-ipv6/pretest.dat delete mode 100755 testing/tests/swanctl/net2net-cert-ipv6/test.conf create mode 100644 testing/tests/tkm/xfrmproxy-expire/description.txt create mode 100644 testing/tests/tkm/xfrmproxy-expire/evaltest.dat create mode 100644 testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der create mode 100644 testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der create mode 100644 testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf create mode 100644 testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/tkm/xfrmproxy-expire/posttest.dat create mode 100644 testing/tests/tkm/xfrmproxy-expire/pretest.dat create mode 100644 testing/tests/tkm/xfrmproxy-expire/test.conf create mode 100644 testing/tests/tnc/tnccs-20-fail-init/description.txt create mode 100644 testing/tests/tnc/tnccs-20-fail-init/evaltest.dat create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-fail-init/posttest.dat create mode 100644 testing/tests/tnc/tnccs-20-fail-init/pretest.dat create mode 100644 testing/tests/tnc/tnccs-20-fail-init/test.conf create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/description.txt create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/posttest.dat create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/pretest.dat create mode 100644 testing/tests/tnc/tnccs-20-fail-resp/test.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap/description.txt create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat create mode 100644 testing/tests/tnc/tnccs-20-mutual-eap/test.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat create mode 100644 testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf (limited to 'configure') diff --git a/Android.common.mk b/Android.common.mk index c650cb8d3..d33062aa7 100644 --- a/Android.common.mk +++ b/Android.common.mk @@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \ ) # strongSwan version, replaced by top Makefile -strongswan_VERSION := "5.2.1" +strongswan_VERSION := "5.3.0" diff --git a/Doxyfile.in b/Doxyfile.in index 8adf83c7f..eaf02d7de 100644 --- a/Doxyfile.in +++ b/Doxyfile.in @@ -743,7 +743,7 @@ WARN_LOGFILE = # spaces. # Note: If this tag is empty the current directory is searched. -INPUT = @SRC_DIR@/ +INPUT = @SRC_DIR@/src @SRC_DIR@/README.md # This tag can be used to specify the character encoding of the source files # that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses diff --git a/Makefile.am b/Makefile.am index 0703abc10..bea4ba7c0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -34,7 +34,7 @@ Doxyfile : Doxyfile.in sed \ -e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \ -e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \ - -e "s:\@SRC_DIR\@:$(srcdir):" \ + -e "s:\@SRC_DIR\@:$(srcdir):g" \ $(srcdir)/$@.in > $@ apidoc : Doxyfile diff --git a/Makefile.in b/Makefile.in index 8effaa3bc..e10818f54 100644 --- a/Makefile.in +++ b/Makefile.in @@ -257,6 +257,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -317,10 +318,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -394,6 +397,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -991,7 +996,7 @@ Doxyfile : Doxyfile.in sed \ -e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \ -e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \ - -e "s:\@SRC_DIR\@:$(srcdir):" \ + -e "s:\@SRC_DIR\@:$(srcdir):g" \ $(srcdir)/$@.in > $@ apidoc : Doxyfile diff --git a/NEWS b/NEWS index f1a4b2146..81a7fc5fc 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,86 @@ +strongswan-5.3.0 +---------------- + +- Added support for IKEv2 make-before-break reauthentication. By using a global + CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs. + This allows the use of make-before-break instead of the previously supported + break-before-make reauthentication, avoiding connectivity gaps during that + procedure. As the new mechanism may fail with peers not supporting it (such + as any previous strongSwan release) it must be explicitly enabled using + the charon.make_before_break strongswan.conf option. + +- Support for "Signature Authentication in IKEv2" (RFC 7427) has been added. + This allows the use of stronger hash algorithms for public key authentication. + By default, signature schemes are chosen based on the strength of the + signature key, but specific hash algorithms may be configured in leftauth. + +- Key types and hash algorithms specified in rightauth are now also checked + against IKEv2 signature schemes. If such constraints are used for certificate + chain validation in existing configurations, in particular with peers that + don't support RFC 7427, it may be necessary to disable this feature with the + charon.signature_authentication_constraints setting, because the signature + scheme used in classic IKEv2 public key authentication may not be strong + enough. + +- The new connmark plugin allows a host to bind conntrack flows to a specific + CHILD_SA by applying and restoring the SA mark to conntrack entries. This + allows a peer to handle multiple transport mode connections coming over the + same NAT device for client-initiated flows. A common use case is to protect + L2TP/IPsec, as supported by some systems. + +- The forecast plugin can forward broadcast and multicast messages between + connected clients and a LAN. For CHILD_SA using unique marks, it sets up + the required Netfilter rules and uses a multicast/broadcast listener that + forwards such messages to all connected clients. This plugin is designed for + Windows 7 IKEv2 clients, which announces its services over the tunnel if the + negotiated IPsec policy allows it. + +- For the vici plugin a Python Egg has been added to allow Python applications + to control or monitor the IKE daemon using the VICI interface, similar to the + existing ruby gem. The Python library has been contributed by Björn Schuberg. + +- EAP server methods now can fulfill public key constraints, such as rightcert + or rightca. Additionally, public key and signature constraints can be + specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and + EAP-TTLS methods provide verification details to constraints checking. + +- Upgrade of the BLISS post-quantum signature algorithm to the improved BLISS-B + variant. Can be used in conjunction with the SHA256, SHA384 and SHA512 hash + algorithms with SHA512 being the default. + +- The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor + as seen by the TNC server available to all IMVs. This information can be + forwarded to policy enforcement points (e.g. firewalls or routers). + +- The new mutual tnccs-20 plugin parameter activates mutual TNC measurements + in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or + PT-TLS transport medium. + + +strongswan-5.2.2 +---------------- + +- Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange + payload that contains the Diffie-Hellman group 1025. This identifier was + used internally for DH groups with custom generator and prime. Because + these arguments are missing when creating DH objects based on the KE payload + an invalid pointer dereference occurred. This allowed an attacker to crash + the IKE daemon with a single IKE_SA_INIT message containing such a KE + payload. The vulnerability has been registered as CVE-2014-9221. + +- The left/rightid options in ipsec.conf, or any other identity in strongSwan, + now accept prefixes to enforce an explicit type, such as email: or fqdn:. + Note that no conversion is done for the remaining string, refer to + ipsec.conf(5) for details. + +- The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as + an IKEv2 public key authentication method. The pki tool offers full support + for the generation of BLISS key pairs and certificates. + +- Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could + cause interoperability issues when connecting to older versions of charon. + + strongswan-5.2.1 ---------------- diff --git a/conf/Makefile.am b/conf/Makefile.am index e5077391a..f10af25a2 100644 --- a/conf/Makefile.am +++ b/conf/Makefile.am @@ -28,6 +28,7 @@ plugins = \ plugins/android_log.opt \ plugins/attr.opt \ plugins/attr-sql.opt \ + plugins/bliss.opt \ plugins/certexpire.opt \ plugins/coupling.opt \ plugins/dhcp.opt \ @@ -46,6 +47,7 @@ plugins = \ plugins/eap-ttls.opt \ plugins/error-notify.opt \ plugins/ext-auth.opt \ + plugins/forecast.opt \ plugins/gcrypt.opt \ plugins/ha.opt \ plugins/imc-attestation.opt \ @@ -62,6 +64,7 @@ plugins = \ plugins/led.opt \ plugins/kernel-libipsec.opt \ plugins/kernel-netlink.opt \ + plugins/kernel-pfkey.opt \ plugins/kernel-pfroute.opt \ plugins/load-tester.opt \ plugins/lookip.opt \ diff --git a/conf/Makefile.in b/conf/Makefile.in index d5bb3ffa7..4b391402a 100644 --- a/conf/Makefile.in +++ b/conf/Makefile.in @@ -180,6 +180,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -240,10 +241,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -317,6 +320,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -405,6 +410,7 @@ plugins = \ plugins/android_log.opt \ plugins/attr.opt \ plugins/attr-sql.opt \ + plugins/bliss.opt \ plugins/certexpire.opt \ plugins/coupling.opt \ plugins/dhcp.opt \ @@ -423,6 +429,7 @@ plugins = \ plugins/eap-ttls.opt \ plugins/error-notify.opt \ plugins/ext-auth.opt \ + plugins/forecast.opt \ plugins/gcrypt.opt \ plugins/ha.opt \ plugins/imc-attestation.opt \ @@ -439,6 +446,7 @@ plugins = \ plugins/led.opt \ plugins/kernel-libipsec.opt \ plugins/kernel-netlink.opt \ + plugins/kernel-pfkey.opt \ plugins/kernel-pfroute.opt \ plugins/load-tester.opt \ plugins/lookip.opt \ diff --git a/conf/options/charon.conf b/conf/options/charon.conf index 0bec9bb0a..bd8e29940 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf @@ -58,6 +58,10 @@ charon { # Allow IKEv1 Aggressive Mode with pre-shared keys as responder. # i_dont_care_about_security_and_use_aggressive_mode_psk = no + # Whether to ignore the traffic selectors from the kernel's acquire events + # for IKEv2 connections (they are not used for IKEv1). + # ignore_acquire_ts = no + # A space-separated list of routing tables to be excluded from route # lookups. # ignore_routing_tables = @@ -116,6 +120,9 @@ charon { # Determine plugins to load via each plugin's load option. # load_modular = no + # Initiate IKEv2 reauthentication with a make-before-break scheme. + # make_before_break = no + # Maximum packet size accepted by charon. # max_packet = 10000 @@ -197,6 +204,12 @@ charon { # Send strongSwan vendor ID payload # send_vendor_id = no + # Whether to enable Signature Authentication as per RFC 7427. + # signature_authentication = yes + + # Whether to enable constraints against IKEv2 signature schemes. + # signature_authentication_constraints = yes + # Number of worker threads in charon. # threads = 16 diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 678aa37bc..bbc50ba37 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -117,6 +117,17 @@ charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no charon.ignore_routing_tables A space-separated list of routing tables to be excluded from route lookups. +charon.ignore_acquire_ts = no + Whether to ignore the traffic selectors from the kernel's acquire events for + IKEv2 connections (they are not used for IKEv1). + + If this is disabled the traffic selectors from the kernel's acquire events, + which are derived from the triggering packet, are prepended to the traffic + selectors from the configuration for IKEv2 connection. By enabling this, + such specific traffic selectors will be ignored and only the ones in the + config will be sent. This always happens for IKEv1 connections as the + protocol only supports one set of traffic selectors per CHILD_SA. + charon.ikesa_limit = 0 Maximum number of IKE_SAs that can be established at the same time before new connection attempts are blocked. @@ -196,6 +207,16 @@ charon.load_modular = no charon.max_packet = 10000 Maximum packet size accepted by charon. +charon.make_before_break = no + Initiate IKEv2 reauthentication with a make-before-break scheme. + + Initiate IKEv2 reauthentication with a make-before-break instead of a + break-before-make scheme. Make-before-break uses overlapping IKE and + CHILD_SA during reauthentication by first recreating all new SAs before + deleting the old ones. This behavior can be beneficial to avoid connectivity + gaps during reauthentication, but requires support for overlapping SAs by + the peer. strongSwan can handle such overlapping SAs since version 5.3.0. + charon.multiple_authentication = yes Enable multiple authentication exchanges (RFC 4739). @@ -277,6 +298,17 @@ charon.send_delay_type = 0 charon.send_vendor_id = no Send strongSwan vendor ID payload +charon.signature_authentication = yes + Whether to enable Signature Authentication as per RFC 7427. + +charon.signature_authentication_constraints = yes + Whether to enable constraints against IKEv2 signature schemes. + + If enabled, signature schemes configured in _rightauth_, in addition to + getting used as constraints against signature schemes employed in the + certificate chain, are also used as constraints against the signature scheme + used by peers during IKEv2. + charon.start-scripts {} Section containing a list of scripts (name = path) that are executed when the daemon is started. diff --git a/conf/plugins/bliss.conf b/conf/plugins/bliss.conf new file mode 100644 index 000000000..e35c27dc4 --- /dev/null +++ b/conf/plugins/bliss.conf @@ -0,0 +1,11 @@ +bliss { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Use the enhanced BLISS-B key generation and signature algorithm. + # use_bliss_b = yes + +} + diff --git a/conf/plugins/bliss.opt b/conf/plugins/bliss.opt new file mode 100644 index 000000000..0983da026 --- /dev/null +++ b/conf/plugins/bliss.opt @@ -0,0 +1,2 @@ +charon.plugins.bliss.use_bliss_b = yes + Use the enhanced BLISS-B key generation and signature algorithm. diff --git a/conf/plugins/forecast.conf b/conf/plugins/forecast.conf new file mode 100644 index 000000000..79edb4bc8 --- /dev/null +++ b/conf/plugins/forecast.conf @@ -0,0 +1,17 @@ +forecast { + + # Multicast groups to join locally, allowing forwarding of them. + # groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250 + + # Local interface to listen for broadcasts to forward. + # interface = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # CHILD_SA configurations names to perform multi/broadcast reinjection. + # reinject = + +} + diff --git a/conf/plugins/forecast.opt b/conf/plugins/forecast.opt new file mode 100644 index 000000000..444cced63 --- /dev/null +++ b/conf/plugins/forecast.opt @@ -0,0 +1,29 @@ +charon.plugins.forecast.interface = + Local interface to listen for broadcasts to forward. + + Name of the local interface to listen for broadcasts messages to forward. + If no interface is configured, the first usable interface is used, which + is usually just fine for single-homed hosts. If your host has multiple + interfaces, set this option to the local LAN interface you want to forward + broadcasts from/to. + +charon.plugins.forecast.reinject = + CHILD_SA configurations names to perform multi/broadcast reinjection. + + Comma separated list of CHILD_SA configuration names for which to perform + multi/broadcast reinjection. For clients connecting over such a + configuration, any multi/broadcast received over the tunnel gets reinjected + to all active tunnels. This makes the broadcasts visible to other peers, + and for examples allows clients to see others shares. If disabled, + multi/broadcast messages received over a tunnel are injected to the local + network only, but not to other IPsec clients. + +charon.plugins.forecast.groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250 + Multicast groups to join locally, allowing forwarding of them. + + Comma separated list of multicast groups to join locally. The local host + receives and forwards packets in the local LAN for joined multicast groups + only. Packets matching the list of multicast groups get forwarded to + connected clients. The default group includes host multicasts, IGMP, mDNS, + LLMNR and SSDP/WS-Discovery, and is usually a good choice for Windows + clients. diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt index 9b60b9ede..7a40bc962 100644 --- a/conf/plugins/imc-attestation.opt +++ b/conf/plugins/imc-attestation.opt @@ -18,3 +18,21 @@ libimcv.plugins.imc-attestation.use_quote2 = yes libimcv.plugins.imc-attestation.pcr_info = no Whether to send pcr_before and pcr_after info. + +libimcv.plugins.imc-attestation.pcr17_before = + PCR17 value before measurement. + +libimcv.plugins.imc-attestation.pcr17_meas = + Dummy measurement value extended into PCR17 if the TBOOT log is not available. + +libimcv.plugins.imc-attestation.pcr17_after = + PCR17 value after measurement. + +libimcv.plugins.imc-attestation.pcr18_before = + PCR18 value before measurement. + +libimcv.plugins.imc-attestation.pcr18_meas = + Dummy measurement value extended into PCR17 if the TBOOT log is not available. + +libimcv.plugins.imc-attestation.pcr18_after = + PCR18 value after measurement. diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt index 3ad51625d..f55225023 100644 --- a/conf/plugins/imv-attestation.opt +++ b/conf/plugins/imv-attestation.opt @@ -12,21 +12,3 @@ libimcv.plugins.imv-attestation.hash_algorithm = sha256 libimcv.plugins.imv-attestation.min_nonce_len = 0 DH minimum nonce length. - -libimcv.plugins.imc-attestation.pcr17_after - Dummy data if the TBOOT log is not retrieved. - -libimcv.plugins.imc-attestation.pcr17_before - Dummy data if the TBOOT log is not retrieved. - -libimcv.plugins.imc-attestation.pcr17_meas - Dummy data if the TBOOT log is not retrieved. - -libimcv.plugins.imc-attestation.pcr18_after - Dummy data if the TBOOT log is not retrieved. - -libimcv.plugins.imc-attestation.pcr18_before - Dummy data if the TBOOT log is not retrieved. - -libimcv.plugins.imc-attestation.pcr18_meas - Dummy data if the TBOOT log is not retrieved. diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf index f05f486b1..723bf0a49 100644 --- a/conf/plugins/kernel-netlink.conf +++ b/conf/plugins/kernel-netlink.conf @@ -4,6 +4,9 @@ kernel-netlink { # routing table. # fwmark = + # Whether to ignore errors potentially resulting from a retransmission. + # ignore_retransmit_errors = no + # Whether to load the plugin. Can also be an integer to increase the # priority of this plugin. load = yes @@ -14,6 +17,21 @@ kernel-netlink { # MTU to set on installed routes, 0 to disable. # mtu = 0 + # Whether to perform concurrent Netlink ROUTE queries on a single socket. + # parallel_route = no + + # Whether to perform concurrent Netlink XFRM queries on a single socket. + # parallel_xfrm = no + + # Whether to always use XFRM_MSG_UPDPOLICY to install policies. + # policy_update = no + + # Whether to use port or socket based IKE XFRM bypass policies. + # port_bypass = no + + # Number of Netlink message retransmissions to send on timeout. + # retries = 0 + # Whether to trigger roam events when interfaces, addresses or routes # change. # roam_events = yes @@ -22,6 +40,9 @@ kernel-netlink { # mode IPsec SAs in the kernel. # set_proto_port_transport_sa = no + # Netlink message retransmission timeout, 0 to disable retransmissions. + # timeout = 0 + # Lifetime of XFRM acquire state in kernel. # xfrm_acq_expires = 165 diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt index 7d44581a5..800ba20c0 100644 --- a/conf/plugins/kernel-netlink.opt +++ b/conf/plugins/kernel-netlink.opt @@ -13,6 +13,29 @@ charon.plugins.kernel-netlink.mss = 0 charon.plugins.kernel-netlink.mtu = 0 MTU to set on installed routes, 0 to disable. +charon.plugins.kernel-netlink.parallel_route = no + Whether to perform concurrent Netlink ROUTE queries on a single socket. + + Whether to perform concurrent Netlink ROUTE queries on a single socket. + While parallel queries can improve throughput, it has more overhead. On + vanilla Linux, DUMP queries fail with EBUSY and must be retried, further + decreasing performance. + +charon.plugins.kernel-netlink.parallel_xfrm = no + Whether to perform concurrent Netlink XFRM queries on a single socket. + +charon.plugins.kernel-netlink.policy_update = no + Whether to always use XFRM_MSG_UPDPOLICY to install policies. + +charon.plugins.kernel-netlink.port_bypass = no + Whether to use port or socket based IKE XFRM bypass policies. + + Whether to use port or socket based IKE XFRM bypass policies. + IKE bypass policies are used to exempt IKE traffic from XFRM processing. + The default socket based policies are directly tied to the IKE UDP sockets, + port based policies use global XFRM bypass policies for the used IKE UDP + ports. + charon.plugins.kernel-netlink.roam_events = yes Whether to trigger roam events when interfaces, addresses or routes change. @@ -25,6 +48,15 @@ charon.plugins.kernel-netlink.set_proto_port_transport_sa = no traffic, it also prevents the use of a single IPsec SA by more than one traffic selector. +charon.plugins.kernel-netlink.retries = 0 + Number of Netlink message retransmissions to send on timeout. + +charon.plugins.kernel-netlink.timeout = 0 + Netlink message retransmission timeout, 0 to disable retransmissions. + +charon.plugins.kernel-netlink.ignore_retransmit_errors = no + Whether to ignore errors potentially resulting from a retransmission. + charon.plugins.kernel-netlink.xfrm_acq_expires = 165 Lifetime of XFRM acquire state in kernel. diff --git a/conf/plugins/kernel-pfkey.conf b/conf/plugins/kernel-pfkey.conf new file mode 100644 index 000000000..2d4733e74 --- /dev/null +++ b/conf/plugins/kernel-pfkey.conf @@ -0,0 +1,11 @@ +kernel-pfkey { + + # Size of the receive buffer for the event socket (0 for default size). + # events_buffer_size = 0 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/kernel-pfkey.opt b/conf/plugins/kernel-pfkey.opt new file mode 100644 index 000000000..ec05215d3 --- /dev/null +++ b/conf/plugins/kernel-pfkey.opt @@ -0,0 +1,7 @@ +charon.plugins.kernel-pfkey.events_buffer_size = 0 + Size of the receive buffer for the event socket (0 for default size). + + Size of the receive buffer for the event socket (0 for default size). + Because events are received asynchronously installing e.g. lots of policies + may require a larger buffer than the default on certain platforms in order + to receive all messages. diff --git a/conf/plugins/tnccs-20.conf b/conf/plugins/tnccs-20.conf index 9a57ee14d..e8c45ae5c 100644 --- a/conf/plugins/tnccs-20.conf +++ b/conf/plugins/tnccs-20.conf @@ -10,5 +10,18 @@ tnccs-20 { # Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497). # max_message_size = 65490 + # Enable PB-TNC mutual protocol. + # mutual = no + + tests { + + # Send an unsupported PB-TNC message type with the NOSKIP flag set. + # pb_tnc_noskip = no + + # Send a PB-TNC batch with a modified PB-TNC version. + # pb_tnc_version = 2 + + } + } diff --git a/conf/plugins/tnccs-20.opt b/conf/plugins/tnccs-20.opt index b15bc3fa1..8d16d1cb2 100644 --- a/conf/plugins/tnccs-20.opt +++ b/conf/plugins/tnccs-20.opt @@ -3,3 +3,12 @@ charon.plugins.tnccs-20.max_batch_size = 65522 charon.plugins.tnccs-20.max_message_size = 65490 Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497). + +charon.plugins.tnccs-20.mutual = no + Enable PB-TNC mutual protocol. + +charon.plugins.tnccs-20.tests.pb_tnc_noskip = no + Send an unsupported PB-TNC message type with the NOSKIP flag set. + +charon.plugins.tnccs-20.tests.pb_tnc_version = 2 + Send a PB-TNC batch with a modified PB-TNC version. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index 28f6b12ec..b6db9c914 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -197,6 +197,15 @@ If enabled responders are allowed to use IKEv1 Aggressive Mode with pre\-shared keys, which is discouraged due to security concerns (offline attacks on the openly transmitted hash of the PSK). +.TP +.BR charon.ignore_acquire_ts " [no]" +If this is disabled the traffic selectors from the kernel's acquire events, +which are derived from the triggering packet, are prepended to the traffic +selectors from the configuration for IKEv2 connection. By enabling this, such +specific traffic selectors will be ignored and only the ones in the config will +be sent. This always happens for IKEv1 connections as the protocol only supports +one set of traffic selectors per CHILD_SA. + .TP .BR charon.ignore_routing_tables " []" A space\-separated list of routing tables to be excluded from route lookups. @@ -321,6 +330,15 @@ two plugins have the same priority their order in the default plugin list is preserved. Enabled plugins not found in that list are ordered alphabetically before other plugins with the same priority. +.TP +.BR charon.make_before_break " [no]" +Initiate IKEv2 reauthentication with a make\-before\-break instead of a +break\-before\-make scheme. Make\-before\-break uses overlapping IKE and CHILD_SA +during reauthentication by first recreating all new SAs before deleting the old +ones. This behavior can be beneficial to avoid connectivity gaps during +reauthentication, but requires support for overlapping SAs by the peer. +strongSwan can handle such overlapping SAs since version 5.3.0. + .TP .BR charon.max_packet " [10000]" Maximum packet size accepted by charon. @@ -373,6 +391,10 @@ sure to adjust the permissions of the config file accordingly. .BR charon.plugins.attr-sql.lease_history " [yes]" Enable logging of SQL IP pool leases. +.TP +.BR charon.plugins.bliss.use_bliss_b " [yes]" +Use the enhanced BLISS\-B key generation and signature algorithm. + .TP .BR charon.plugins.certexpire.csv.cron " []" Cron style string specifying CSV export times. @@ -761,6 +783,31 @@ Remote IKE identity. .RI "" "IKE_REMOTE_EAP_ID" ":" Remote EAP or XAuth identity, if used. +.TP +.BR charon.plugins.forecast.groups " [224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250]" +Comma separated list of multicast groups to join locally. The local host +receives and forwards packets in the local LAN for joined multicast groups only. +Packets matching the list of multicast groups get forwarded to connected +clients. The default group includes host multicasts, IGMP, mDNS, LLMNR and +SSDP/WS\-Discovery, and is usually a good choice for Windows clients. + +.TP +.BR charon.plugins.forecast.interface " []" +Name of the local interface to listen for broadcasts messages to forward. If no +interface is configured, the first usable interface is used, which is usually +just fine for single\-homed hosts. If your host has multiple interfaces, set this +option to the local LAN interface you want to forward broadcasts from/to. + +.TP +.BR charon.plugins.forecast.reinject " []" +Comma separated list of CHILD_SA configuration names for which to perform +multi/broadcast reinjection. For clients connecting over such a configuration, +any multi/broadcast received over the tunnel gets reinjected to all active +tunnels. This makes the broadcasts visible to other peers, and for examples +allows clients to see others shares. If disabled, multi/broadcast messages +received over a tunnel are injected to the local network only, but not to other +IPsec clients. + .TP .BR charon.plugins.gcrypt.quick_random " [no]" Use faster random numbers in gcrypt; for testing only, produces weak keys! @@ -811,6 +858,10 @@ Firewall mark to set on the routing rule that directs traffic to our routing table. The format is [!]mark[/mask], where the optional exclamation mark inverts the meaning (i.e. the rule only applies to packets that don't match the mark). +.TP +.BR charon.plugins.kernel-netlink.ignore_retransmit_errors " [no]" +Whether to ignore errors potentially resulting from a retransmission. + .TP .BR charon.plugins.kernel-netlink.mss " [0]" MSS to set on installed routes, 0 to disable. @@ -819,6 +870,32 @@ MSS to set on installed routes, 0 to disable. .BR charon.plugins.kernel-netlink.mtu " [0]" MTU to set on installed routes, 0 to disable. +.TP +.BR charon.plugins.kernel-netlink.parallel_route " [no]" +Whether to perform concurrent Netlink ROUTE queries on a single socket. While +parallel queries can improve throughput, it has more overhead. On vanilla Linux, +DUMP queries fail with EBUSY and must be retried, further decreasing +performance. + +.TP +.BR charon.plugins.kernel-netlink.parallel_xfrm " [no]" +Whether to perform concurrent Netlink XFRM queries on a single socket. + +.TP +.BR charon.plugins.kernel-netlink.policy_update " [no]" +Whether to always use XFRM_MSG_UPDPOLICY to install policies. + +.TP +.BR charon.plugins.kernel-netlink.port_bypass " [no]" +Whether to use port or socket based IKE XFRM bypass policies. IKE bypass +policies are used to exempt IKE traffic from XFRM processing. The default socket +based policies are directly tied to the IKE UDP sockets, port based policies use +global XFRM bypass policies for the used IKE UDP ports. + +.TP +.BR charon.plugins.kernel-netlink.retries " [0]" +Number of Netlink message retransmissions to send on timeout. + .TP .BR charon.plugins.kernel-netlink.roam_events " [yes]" Whether to trigger roam events when interfaces, addresses or routes change. @@ -829,12 +906,23 @@ Whether to set protocol and ports in the selector installed on transport mode IPsec SAs in the kernel. While doing so enforces policies for inbound traffic, it also prevents the use of a single IPsec SA by more than one traffic selector. +.TP +.BR charon.plugins.kernel-netlink.timeout " [0]" +Netlink message retransmission timeout, 0 to disable retransmissions. + .TP .BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]" Lifetime of XFRM acquire state in kernel. The value gets written to /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM acquire messages sent. +.TP +.BR charon.plugins.kernel-pfkey.events_buffer_size " [0]" +Size of the receive buffer for the event socket (0 for default size). Because +events are received asynchronously installing e.g. lots of policies may require +a larger buffer than the default on certain platforms in order to receive all +messages. + .TP .BR charon.plugins.kernel-pfroute.vip_wait " [1000]" Time in ms to wait until virtual IP addresses appear/disappear before failing. @@ -1290,6 +1378,18 @@ Maximum size of a PB\-TNC batch (upper limit via PT\-EAP = 65529). .BR charon.plugins.tnccs-20.max_message_size " [65490]" Maximum size of a PA\-TNC message (upper limit via PT\-EAP = 65497). +.TP +.BR charon.plugins.tnccs-20.mutual " [no]" +Enable PB\-TNC mutual protocol. + +.TP +.BR charon.plugins.tnccs-20.tests.pb_tnc_noskip " [no]" +Send an unsupported PB\-TNC message type with the NOSKIP flag set. + +.TP +.BR charon.plugins.tnccs-20.tests.pb_tnc_version " [2]" +Send a PB\-TNC batch with a modified PB\-TNC version. + .TP .BR charon.plugins.unbound.dlv_anchors " []" File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses @@ -1443,6 +1543,19 @@ Specific IKEv2 message type to delay, 0 for any. .BR charon.send_vendor_id " [no]" Send strongSwan vendor ID payload +.TP +.BR charon.signature_authentication " [yes]" +Whether to enable Signature Authentication as per RFC 7427. + +.TP +.BR charon.signature_authentication_constraints " [yes]" +If enabled, signature schemes configured in +.RI "" "rightauth" "," +in addition to getting +used as constraints against signature schemes employed in the certificate chain, +are also used as constraints against the signature scheme used by peers during +IKEv2. + .TP .B charon.start-scripts .br @@ -1581,27 +1694,27 @@ DH nonce length. .TP .BR libimcv.plugins.imc-attestation.pcr17_after " []" -Dummy data if the TBOOT log is not retrieved. +PCR17 value after measurement. .TP .BR libimcv.plugins.imc-attestation.pcr17_before " []" -Dummy data if the TBOOT log is not retrieved. +PCR17 value before measurement. .TP .BR libimcv.plugins.imc-attestation.pcr17_meas " []" -Dummy data if the TBOOT log is not retrieved. +Dummy measurement value extended into PCR17 if the TBOOT log is not available. .TP .BR libimcv.plugins.imc-attestation.pcr18_after " []" -Dummy data if the TBOOT log is not retrieved. +PCR18 value after measurement. .TP .BR libimcv.plugins.imc-attestation.pcr18_before " []" -Dummy data if the TBOOT log is not retrieved. +PCR18 value before measurement. .TP .BR libimcv.plugins.imc-attestation.pcr18_meas " []" -Dummy data if the TBOOT log is not retrieved. +Dummy measurement value extended into PCR17 if the TBOOT log is not available. .TP .BR libimcv.plugins.imc-attestation.pcr_info " [no]" diff --git a/configure b/configure index ee7d4cb05..811e45288 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for strongSwan 5.2.1. +# Generated by GNU Autoconf 2.69 for strongSwan 5.3.0. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.2.1' -PACKAGE_STRING='strongSwan 5.2.1' +PACKAGE_VERSION='5.3.0' +PACKAGE_STRING='strongSwan 5.3.0' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -633,6 +633,10 @@ am__EXEEXT_TRUE LTLIBOBJS LIBOBJS strongswan_options +USE_PY_TEST_FALSE +USE_PY_TEST_TRUE +USE_PYTHON_EGGS_FALSE +USE_PYTHON_EGGS_TRUE USE_RUBY_GEMS_FALSE USE_RUBY_GEMS_TRUE USE_LEGACY_SYSTEMD_FALSE @@ -727,8 +731,6 @@ USE_LOCK_PROFILER_FALSE USE_LOCK_PROFILER_TRUE USE_LEAK_DETECTIVE_FALSE USE_LEAK_DETECTIVE_TRUE -USE_RESOLVE_FALSE -USE_RESOLVE_TRUE USE_KERNEL_PFROUTE_FALSE USE_KERNEL_PFROUTE_TRUE USE_KERNEL_PFKEY_FALSE @@ -739,12 +741,18 @@ USE_ATTR_SQL_FALSE USE_ATTR_SQL_TRUE USE_ATTR_FALSE USE_ATTR_TRUE +USE_RESOLVE_FALSE +USE_RESOLVE_TRUE USE_UNITY_FALSE USE_UNITY_TRUE USE_ADDRBLOCK_FALSE USE_ADDRBLOCK_TRUE USE_FARP_FALSE USE_FARP_TRUE +USE_FORECAST_FALSE +USE_FORECAST_TRUE +USE_CONNMARK_FALSE +USE_CONNMARK_TRUE USE_SOCKET_WIN_FALSE USE_SOCKET_WIN_TRUE USE_SOCKET_DYNAMIC_FALSE @@ -861,8 +869,6 @@ USE_HA_FALSE USE_HA_TRUE USE_LOAD_TESTER_FALSE USE_LOAD_TESTER_TRUE -USE_UNIT_TESTS_FALSE -USE_UNIT_TESTS_TRUE USE_DHCP_FALSE USE_DHCP_TRUE USE_UPDOWN_FALSE @@ -893,6 +899,8 @@ USE_VICI_FALSE USE_VICI_TRUE USE_STROKE_FALSE USE_STROKE_TRUE +USE_BLISS_FALSE +USE_BLISS_TRUE USE_NTRU_FALSE USE_NTRU_TRUE USE_AF_ALG_FALSE @@ -985,6 +993,8 @@ USE_UNBOUND_FALSE USE_UNBOUND_TRUE USE_WINHTTP_FALSE USE_WINHTTP_TRUE +USE_FILES_FALSE +USE_FILES_TRUE USE_CURL_FALSE USE_CURL_TRUE USE_TEST_VECTORS_FALSE @@ -1005,6 +1015,9 @@ attest_plugins pool_plugins starter_plugins charon_plugins +PY_TEST +PYTHONEGGINSTALLDIR +EASY_INSTALL RUBYGEMDIR GEM COVERAGE_LDFLAGS @@ -1017,6 +1030,8 @@ USE_DEV_HEADERS_FALSE USE_DEV_HEADERS_TRUE UNWINDLIB BFDLIB +libiptc_LIBS +libiptc_CFLAGS nm_LIBS nm_CFLAGS pcsclite_LIBS @@ -1238,6 +1253,7 @@ with_mpz_powm_sec with_dev_headers with_printf_hooks with_rubygemdir +with_pythoneggdir with_systemdsystemunitdir with_user with_group @@ -1245,6 +1261,7 @@ with_charon_udp_port with_charon_natt_port enable_aes enable_af_alg +enable_bliss enable_blowfish enable_ccm enable_cmac @@ -1278,6 +1295,7 @@ enable_pubkey enable_sshkey enable_x509 enable_curl +enable_files enable_ldap enable_soup enable_unbound @@ -1358,6 +1376,8 @@ enable_tnccs_20 enable_tnccs_dynamic enable_android_log enable_certexpire +enable_connmark +enable_forecast enable_duplicheck enable_error_notify enable_farp @@ -1369,7 +1389,6 @@ enable_maemo enable_radattr enable_systime_fix enable_test_vectors -enable_unit_tester enable_updown enable_aikgen enable_charon @@ -1398,6 +1417,7 @@ enable_load_warning enable_mediation enable_unwind_backtraces enable_ruby_gems +enable_python_eggs enable_coverage enable_leak_detective enable_lock_profiler @@ -1446,7 +1466,9 @@ maemo_LIBS pcsclite_CFLAGS pcsclite_LIBS nm_CFLAGS -nm_LIBS' +nm_LIBS +libiptc_CFLAGS +libiptc_LIBS' # Initialize some variables set by options. @@ -1987,7 +2009,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.2.1 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.3.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2057,7 +2079,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.2.1:";; + short | recursive ) echo "Configuration of strongSwan 5.3.0:";; esac cat <<\_ACEOF @@ -2069,6 +2091,7 @@ Optional Features: --disable-silent-rules verbose build output (undo: "make V=0") --disable-aes disable AES software implementation plugin. --enable-af-alg enable AF_ALG crypto interface to Linux Crypto API. + --enable-bliss enable BLISS software implementation plugin. --enable-blowfish enable Blowfish software implementation plugin. --enable-ccm enables the CCM AEAD wrapper crypto plugin. --disable-cmac disable CMAC crypto implementation plugin. @@ -2105,6 +2128,7 @@ Optional Features: --disable-x509 disable X509 certificate implementation plugin. --enable-curl enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl. + --enable-files enable simple file:// URI fetcher. --enable-ldap enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP. --enable-soup enable soup fetcher plugin to fetch from HTTP via @@ -2210,6 +2234,10 @@ Optional Features: --enable-android-log enable Android specific logger plugin. --enable-certexpire enable CSV export of expiration dates of used certificates. + --enable-connmark enable connmark plugin using conntrack based marks + to select return path SA. + --enable-forecast enable forecast plugin forwarding + broadcast/multicast messages. --enable-duplicheck advanced duplicate checking plugin using liveness checks. --enable-error-notify enable error notification plugin. @@ -2227,7 +2255,6 @@ Optional Features: --enable-systime-fix enable plugin to handle cert lifetimes with invalid system time gracefully. --enable-test-vectors enable plugin providing crypto test vectors. - --enable-unit-tester enable unit tests on IKEv2 daemon startup. --disable-updown disable updown firewall script plugin. --enable-aikgen enable AIK generator. --disable-charon disable the IKEv1/IKEv2 keying daemon charon. @@ -2267,6 +2294,7 @@ Optional Features: use libunwind to create backtraces for memory leaks and segfaults. --enable-ruby-gems enable installation of provided ruby gems. + --enable-python-eggs enable installation of provided python eggs. --enable-coverage enable lcov coverage report generation. --enable-leak-detective enable malloc hooks to find memory leaks. --enable-lock-profiler enable lock/mutex profiling code. @@ -2343,6 +2371,8 @@ Optional Packages: (default: auto). --with-rubygemdir=arg path to install ruby gems to (default: "gem environment gemdir"). + --with-pythoneggdir=arg path to install python eggs to to (default: "main + site-packages directory"). --with-systemdsystemunitdir=arg directory for systemd service files (default: $systemdsystemunitdir_default). @@ -2411,6 +2441,10 @@ Some influential environment variables: linker flags for pcsclite, overriding pkg-config nm_CFLAGS C compiler flags for nm, overriding pkg-config nm_LIBS linker flags for nm, overriding pkg-config + libiptc_CFLAGS + C compiler flags for libiptc, overriding pkg-config + libiptc_LIBS + linker flags for libiptc, overriding pkg-config Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. @@ -2478,7 +2512,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.2.1 +strongSwan configure 5.3.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3000,7 +3034,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.2.1, which was +It was created by strongSwan $as_me 5.3.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3863,7 +3897,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.2.1' + VERSION='5.3.0' cat >>confdefs.h <<_ACEOF @@ -4595,6 +4629,16 @@ fi +# Check whether --with-pythoneggdir was given. +if test "${with_pythoneggdir+set}" = set; then : + withval=$with_pythoneggdir; pythoneggdir="$withval" +else + pythoneggdir="main site-packages directory" + +fi + + + if test -n "$PKG_CONFIG"; then systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd) fi @@ -4738,6 +4782,22 @@ fi disabled_by_default=${disabled_by_default}" af_alg" +# Check whether --enable-bliss was given. +if test "${enable_bliss+set}" = set; then : + enableval=$enable_bliss; bliss_given=true + if test x$enableval = xyes; then + bliss=true + else + bliss=false + fi +else + bliss=false + bliss_given=false + +fi + + disabled_by_default=${disabled_by_default}" bliss" + # Check whether --enable-blowfish was given. if test "${enable_blowfish+set}" = set; then : enableval=$enable_blowfish; blowfish_given=true @@ -5268,6 +5328,22 @@ fi disabled_by_default=${disabled_by_default}" curl" +# Check whether --enable-files was given. +if test "${enable_files+set}" = set; then : + enableval=$enable_files; files_given=true + if test x$enableval = xyes; then + files=true + else + files=false + fi +else + files=false + files_given=false + +fi + + disabled_by_default=${disabled_by_default}" files" + # Check whether --enable-ldap was given. if test "${enable_ldap+set}" = set; then : enableval=$enable_ldap; ldap_given=true @@ -6555,6 +6631,38 @@ fi disabled_by_default=${disabled_by_default}" certexpire" +# Check whether --enable-connmark was given. +if test "${enable_connmark+set}" = set; then : + enableval=$enable_connmark; connmark_given=true + if test x$enableval = xyes; then + connmark=true + else + connmark=false + fi +else + connmark=false + connmark_given=false + +fi + + disabled_by_default=${disabled_by_default}" connmark" + +# Check whether --enable-forecast was given. +if test "${enable_forecast+set}" = set; then : + enableval=$enable_forecast; forecast_given=true + if test x$enableval = xyes; then + forecast=true + else + forecast=false + fi +else + forecast=false + forecast_given=false + +fi + + disabled_by_default=${disabled_by_default}" forecast" + # Check whether --enable-duplicheck was given. if test "${enable_duplicheck+set}" = set; then : enableval=$enable_duplicheck; duplicheck_given=true @@ -6731,22 +6839,6 @@ fi disabled_by_default=${disabled_by_default}" test_vectors" -# Check whether --enable-unit-tester was given. -if test "${enable_unit_tester+set}" = set; then : - enableval=$enable_unit_tester; unit_tester_given=true - if test x$enableval = xyes; then - unit_tester=true - else - unit_tester=false - fi -else - unit_tester=false - unit_tester_given=false - -fi - - disabled_by_default=${disabled_by_default}" unit_tester" - # Check whether --enable-updown was given. if test "${enable_updown+set}" = set; then : enableval=$enable_updown; updown_given=true @@ -7197,6 +7289,22 @@ fi disabled_by_default=${disabled_by_default}" ruby_gems" +# Check whether --enable-python-eggs was given. +if test "${enable_python_eggs+set}" = set; then : + enableval=$enable_python_eggs; python_eggs_given=true + if test x$enableval = xyes; then + python_eggs=true + else + python_eggs=false + fi +else + python_eggs=false + python_eggs_given=false + +fi + + disabled_by_default=${disabled_by_default}" python_eggs" + # compile options # Check whether --enable-coverage was given. if test "${enable_coverage+set}" = set; then : @@ -20876,6 +20984,102 @@ else fi +fi + +if test x$connmark = xtrue -o x$forecast = xtrue; then + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libiptc" >&5 +$as_echo_n "checking for libiptc... " >&6; } + +if test -n "$libiptc_CFLAGS"; then + pkg_cv_libiptc_CFLAGS="$libiptc_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libiptc\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libiptc") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_libiptc_CFLAGS=`$PKG_CONFIG --cflags "libiptc" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$libiptc_LIBS"; then + pkg_cv_libiptc_LIBS="$libiptc_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libiptc\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libiptc") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_libiptc_LIBS=`$PKG_CONFIG --libs "libiptc" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + libiptc_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libiptc" 2>&1` + else + libiptc_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libiptc" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$libiptc_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements (libiptc) were not met: + +$libiptc_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables libiptc_CFLAGS +and libiptc_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details." "$LINENO" 5 +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +Alternatively, you may set the environment variables libiptc_CFLAGS +and libiptc_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5; } +else + libiptc_CFLAGS=$pkg_cv_libiptc_CFLAGS + libiptc_LIBS=$pkg_cv_libiptc_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +fi + + fi if test x$capabilities = xnative; then @@ -21324,6 +21528,101 @@ fi fi RUBYGEMDIR="$rubygemdir" +fi + +if test x$python_eggs = xtrue; then + # Extract the first word of "easy_install", so it can be a program name with args. +set dummy easy_install; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_EASY_INSTALL+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $EASY_INSTALL in + [\\/]* | ?:[\\/]*) + ac_cv_path_EASY_INSTALL="$EASY_INSTALL" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin" +for as_dir in $as_dummy +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_EASY_INSTALL="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +EASY_INSTALL=$ac_cv_path_EASY_INSTALL +if test -n "$EASY_INSTALL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $EASY_INSTALL" >&5 +$as_echo "$EASY_INSTALL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test x$EASY_INSTALL = x; then + as_fn_error $? "Python easy_install not found" "$LINENO" 5 + fi + if test "x$pythoneggdir" = "xmain site-packages directory"; then + PYTHONEGGINSTALLDIR="" + + else + PYTHONEGGINSTALLDIR="--install-dir $pythoneggdir" + + fi + # Extract the first word of "py.test", so it can be a program name with args. +set dummy py.test; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PY_TEST+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PY_TEST in + [\\/]* | ?:[\\/]*) + ac_cv_path_PY_TEST="$PY_TEST" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin" +for as_dir in $as_dummy +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PY_TEST="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PY_TEST=$ac_cv_path_PY_TEST +if test -n "$PY_TEST"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PY_TEST" >&5 +$as_echo "$PY_TEST" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + fi # =============================================== @@ -21382,26 +21681,6 @@ if test x$ldap = xtrue; then fi -if test x$mysql = xtrue; then - s_plugins=${s_plugins}" mysql" - charon_plugins=${charon_plugins}" mysql" - pool_plugins=${pool_plugins}" mysql" - manager_plugins=${manager_plugins}" mysql" - medsrv_plugins=${medsrv_plugins}" mysql" - attest_plugins=${attest_plugins}" mysql" - - fi - -if test x$sqlite = xtrue; then - s_plugins=${s_plugins}" sqlite" - charon_plugins=${charon_plugins}" sqlite" - pool_plugins=${pool_plugins}" sqlite" - manager_plugins=${manager_plugins}" sqlite" - medsrv_plugins=${medsrv_plugins}" sqlite" - attest_plugins=${attest_plugins}" sqlite" - - fi - if test x$pkcs11 = xtrue; then s_plugins=${s_plugins}" pkcs11" charon_plugins=${charon_plugins}" pkcs11" @@ -21794,6 +22073,7 @@ if test x$cmac = xtrue; then if test x$hmac = xtrue; then s_plugins=${s_plugins}" hmac" charon_plugins=${charon_plugins}" hmac" + pki_plugins=${pki_plugins}" hmac" scripts_plugins=${scripts_plugins}" hmac" nm_plugins=${nm_plugins}" hmac" cmd_plugins=${cmd_plugins}" hmac" @@ -21836,6 +22116,16 @@ if test x$ntru = xtrue; then fi +if test x$bliss = xtrue; then + s_plugins=${s_plugins}" bliss" + charon_plugins=${charon_plugins}" bliss" + pki_plugins=${pki_plugins}" bliss" + scripts_plugins=${scripts_plugins}" bliss" + nm_plugins=${nm_plugins}" bliss" + cmd_plugins=${cmd_plugins}" bliss" + + fi + if test x$curl = xtrue; then s_plugins=${s_plugins}" curl" charon_plugins=${charon_plugins}" curl" @@ -21847,6 +22137,17 @@ if test x$curl = xtrue; then fi +if test x$files = xtrue; then + s_plugins=${s_plugins}" files" + charon_plugins=${charon_plugins}" files" + scepclient_plugins=${scepclient_plugins}" files" + pki_plugins=${pki_plugins}" files" + scripts_plugins=${scripts_plugins}" files" + nm_plugins=${nm_plugins}" files" + cmd_plugins=${cmd_plugins}" files" + + fi + if test x$winhttp = xtrue; then s_plugins=${s_plugins}" winhttp" charon_plugins=${charon_plugins}" winhttp" @@ -21865,14 +22166,34 @@ if test x$soup = xtrue; then fi +if test x$mysql = xtrue; then + s_plugins=${s_plugins}" mysql" + charon_plugins=${charon_plugins}" mysql" + pool_plugins=${pool_plugins}" mysql" + manager_plugins=${manager_plugins}" mysql" + medsrv_plugins=${medsrv_plugins}" mysql" + attest_plugins=${attest_plugins}" mysql" + + fi + +if test x$sqlite = xtrue; then + s_plugins=${s_plugins}" sqlite" + charon_plugins=${charon_plugins}" sqlite" + pool_plugins=${pool_plugins}" sqlite" + manager_plugins=${manager_plugins}" sqlite" + medsrv_plugins=${medsrv_plugins}" sqlite" + attest_plugins=${attest_plugins}" sqlite" + + fi + if test x$attr = xtrue; then - h_plugins=${h_plugins}" attr" + c_plugins=${c_plugins}" attr" charon_plugins=${charon_plugins}" attr" fi if test x$attr_sql = xtrue; then - h_plugins=${h_plugins}" attr-sql" + c_plugins=${c_plugins}" attr-sql" charon_plugins=${charon_plugins}" attr-sql" fi @@ -21930,7 +22251,7 @@ if test x$kernel_netlink = xtrue; then fi if test x$resolve = xtrue; then - h_plugins=${h_plugins}" resolve" + c_plugins=${c_plugins}" resolve" charon_plugins=${charon_plugins}" resolve" cmd_plugins=${cmd_plugins}" resolve" @@ -21957,6 +22278,18 @@ if test x$socket_win = xtrue; then fi +if test x$connmark = xtrue; then + c_plugins=${c_plugins}" connmark" + charon_plugins=${charon_plugins}" connmark" + + fi + +if test x$forecast = xtrue; then + c_plugins=${c_plugins}" forecast" + charon_plugins=${charon_plugins}" forecast" + + fi + if test x$farp = xtrue; then c_plugins=${c_plugins}" farp" charon_plugins=${charon_plugins}" farp" @@ -22315,12 +22648,6 @@ if test x$unity = xtrue; then fi -if test x$unit_tester = xtrue; then - c_plugins=${c_plugins}" unit-tester" - charon_plugins=${charon_plugins}" unit-tester" - - fi - @@ -22362,6 +22689,14 @@ else USE_CURL_FALSE= fi + if test x$files = xtrue; then + USE_FILES_TRUE= + USE_FILES_FALSE='#' +else + USE_FILES_TRUE='#' + USE_FILES_FALSE= +fi + if test x$winhttp = xtrue; then USE_WINHTTP_TRUE= USE_WINHTTP_FALSE='#' @@ -22730,6 +23065,14 @@ else USE_NTRU_FALSE= fi + if test x$bliss = xtrue; then + USE_BLISS_TRUE= + USE_BLISS_FALSE='#' +else + USE_BLISS_TRUE='#' + USE_BLISS_FALSE= +fi + # charon plugins # ---------------- @@ -22853,14 +23196,6 @@ else USE_DHCP_FALSE= fi - if test x$unit_tester = xtrue; then - USE_UNIT_TESTS_TRUE= - USE_UNIT_TESTS_FALSE='#' -else - USE_UNIT_TESTS_TRUE='#' - USE_UNIT_TESTS_FALSE= -fi - if test x$load_tester = xtrue; then USE_LOAD_TESTER_TRUE= USE_LOAD_TESTER_FALSE='#' @@ -23325,6 +23660,22 @@ else USE_SOCKET_WIN_FALSE= fi + if test x$connmark = xtrue; then + USE_CONNMARK_TRUE= + USE_CONNMARK_FALSE='#' +else + USE_CONNMARK_TRUE='#' + USE_CONNMARK_FALSE= +fi + + if test x$forecast = xtrue; then + USE_FORECAST_TRUE= + USE_FORECAST_FALSE='#' +else + USE_FORECAST_TRUE='#' + USE_FORECAST_FALSE= +fi + if test x$farp = xtrue; then USE_FARP_TRUE= USE_FARP_FALSE='#' @@ -23349,9 +23700,14 @@ else USE_UNITY_FALSE= fi + if test x$resolve = xtrue; then + USE_RESOLVE_TRUE= + USE_RESOLVE_FALSE='#' +else + USE_RESOLVE_TRUE='#' + USE_RESOLVE_FALSE= +fi -# hydra plugins -# --------------- if test x$attr = xtrue; then USE_ATTR_TRUE= USE_ATTR_FALSE='#' @@ -23368,6 +23724,9 @@ else USE_ATTR_SQL_FALSE= fi + +# hydra plugins +# --------------- if test x$kernel_netlink = xtrue; then USE_KERNEL_NETLINK_TRUE= USE_KERNEL_NETLINK_FALSE='#' @@ -23392,14 +23751,6 @@ else USE_KERNEL_PFROUTE_FALSE= fi - if test x$resolve = xtrue; then - USE_RESOLVE_TRUE= - USE_RESOLVE_FALSE='#' -else - USE_RESOLVE_TRUE='#' - USE_RESOLVE_FALSE= -fi - # other options # --------------- @@ -23779,6 +24130,22 @@ else USE_RUBY_GEMS_FALSE= fi + if test x$python_eggs = xtrue; then + USE_PYTHON_EGGS_TRUE= + USE_PYTHON_EGGS_FALSE='#' +else + USE_PYTHON_EGGS_TRUE='#' + USE_PYTHON_EGGS_FALSE= +fi + + if test "x$PY_TEST" != x; then + USE_PY_TEST_TRUE= + USE_PY_TEST_FALSE='#' +else + USE_PY_TEST_TRUE='#' + USE_PY_TEST_FALSE= +fi + # ======================== # set global definitions @@ -23862,14 +24229,14 @@ fi # build Makefiles # ================= -ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/tests/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" # ================= # build man pages # ================= -ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---acert.1 src/pki/man/pki---verify.1 src/swanctl/swanctl.8 src/swanctl/swanctl.conf.5.head src/swanctl/swanctl.conf.5.tail" +ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---pkcs12.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---acert.1 src/pki/man/pki---verify.1 src/swanctl/swanctl.8 src/swanctl/swanctl.conf.5.head src/swanctl/swanctl.conf.5.tail" cat >confcache <<\_ACEOF @@ -24026,6 +24393,10 @@ if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then as_fn_error $? "conditional \"USE_CURL\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_FILES_TRUE}" && test -z "${USE_FILES_FALSE}"; then + as_fn_error $? "conditional \"USE_FILES\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_WINHTTP_TRUE}" && test -z "${USE_WINHTTP_FALSE}"; then as_fn_error $? "conditional \"USE_WINHTTP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -24210,6 +24581,10 @@ if test -z "${USE_NTRU_TRUE}" && test -z "${USE_NTRU_FALSE}"; then as_fn_error $? "conditional \"USE_NTRU\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_BLISS_TRUE}" && test -z "${USE_BLISS_FALSE}"; then + as_fn_error $? "conditional \"USE_BLISS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then as_fn_error $? "conditional \"USE_STROKE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -24270,10 +24645,6 @@ if test -z "${USE_DHCP_TRUE}" && test -z "${USE_DHCP_FALSE}"; then as_fn_error $? "conditional \"USE_DHCP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${USE_UNIT_TESTS_TRUE}" && test -z "${USE_UNIT_TESTS_FALSE}"; then - as_fn_error $? "conditional \"USE_UNIT_TESTS\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi if test -z "${USE_LOAD_TESTER_TRUE}" && test -z "${USE_LOAD_TESTER_FALSE}"; then as_fn_error $? "conditional \"USE_LOAD_TESTER\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -24506,6 +24877,14 @@ if test -z "${USE_SOCKET_WIN_TRUE}" && test -z "${USE_SOCKET_WIN_FALSE}"; then as_fn_error $? "conditional \"USE_SOCKET_WIN\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_CONNMARK_TRUE}" && test -z "${USE_CONNMARK_FALSE}"; then + as_fn_error $? "conditional \"USE_CONNMARK\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${USE_FORECAST_TRUE}" && test -z "${USE_FORECAST_FALSE}"; then + as_fn_error $? "conditional \"USE_FORECAST\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_FARP_TRUE}" && test -z "${USE_FARP_FALSE}"; then as_fn_error $? "conditional \"USE_FARP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -24518,6 +24897,10 @@ if test -z "${USE_UNITY_TRUE}" && test -z "${USE_UNITY_FALSE}"; then as_fn_error $? "conditional \"USE_UNITY\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then + as_fn_error $? "conditional \"USE_RESOLVE\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_ATTR_TRUE}" && test -z "${USE_ATTR_FALSE}"; then as_fn_error $? "conditional \"USE_ATTR\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -24538,10 +24921,6 @@ if test -z "${USE_KERNEL_PFROUTE_TRUE}" && test -z "${USE_KERNEL_PFROUTE_FALSE}" as_fn_error $? "conditional \"USE_KERNEL_PFROUTE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then - as_fn_error $? "conditional \"USE_RESOLVE\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then as_fn_error $? "conditional \"USE_LEAK_DETECTIVE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -24730,6 +25109,14 @@ if test -z "${USE_RUBY_GEMS_TRUE}" && test -z "${USE_RUBY_GEMS_FALSE}"; then as_fn_error $? "conditional \"USE_RUBY_GEMS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_PYTHON_EGGS_TRUE}" && test -z "${USE_PYTHON_EGGS_FALSE}"; then + as_fn_error $? "conditional \"USE_PYTHON_EGGS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${USE_PY_TEST_TRUE}" && test -z "${USE_PY_TEST_FALSE}"; then + as_fn_error $? "conditional \"USE_PY_TEST\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi : "${CONFIG_STATUS=./config.status}" ac_write_fail=0 @@ -25127,7 +25514,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.2.1, which was +This file was extended by strongSwan $as_me 5.3.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -25193,7 +25580,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 5.2.1 +strongSwan config.status 5.3.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -25641,6 +26028,7 @@ do "src/libstrongswan/plugins/sshkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sshkey/Makefile" ;; "src/libstrongswan/plugins/pem/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pem/Makefile" ;; "src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;; + "src/libstrongswan/plugins/files/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/files/Makefile" ;; "src/libstrongswan/plugins/winhttp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/winhttp/Makefile" ;; "src/libstrongswan/plugins/unbound/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/unbound/Makefile" ;; "src/libstrongswan/plugins/soup/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/soup/Makefile" ;; @@ -25658,15 +26046,15 @@ do "src/libstrongswan/plugins/gcm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcm/Makefile" ;; "src/libstrongswan/plugins/af_alg/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/af_alg/Makefile" ;; "src/libstrongswan/plugins/ntru/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ntru/Makefile" ;; + "src/libstrongswan/plugins/bliss/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/bliss/Makefile" ;; + "src/libstrongswan/plugins/bliss/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/bliss/tests/Makefile" ;; "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;; "src/libstrongswan/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/tests/Makefile" ;; "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;; - "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;; - "src/libhydra/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr_sql/Makefile" ;; "src/libhydra/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_netlink/Makefile" ;; "src/libhydra/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfkey/Makefile" ;; "src/libhydra/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfroute/Makefile" ;; - "src/libhydra/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/resolve/Makefile" ;; + "src/libhydra/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/tests/Makefile" ;; "src/libipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/libipsec/Makefile" ;; "src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;; "src/libtls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtls/Makefile" ;; @@ -25726,6 +26114,8 @@ do "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;; "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;; "src/libcharon/plugins/socket_win/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_win/Makefile" ;; + "src/libcharon/plugins/connmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/connmark/Makefile" ;; + "src/libcharon/plugins/forecast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/forecast/Makefile" ;; "src/libcharon/plugins/farp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/farp/Makefile" ;; "src/libcharon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/smp/Makefile" ;; "src/libcharon/plugins/sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/sql/Makefile" ;; @@ -25757,16 +26147,19 @@ do "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;; "src/libcharon/plugins/vici/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/Makefile" ;; "src/libcharon/plugins/vici/ruby/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/ruby/Makefile" ;; + "src/libcharon/plugins/vici/python/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/python/Makefile" ;; "src/libcharon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/updown/Makefile" ;; "src/libcharon/plugins/dhcp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/dhcp/Makefile" ;; - "src/libcharon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/unit_tester/Makefile" ;; "src/libcharon/plugins/load_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/load_tester/Makefile" ;; + "src/libcharon/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/resolve/Makefile" ;; + "src/libcharon/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/attr/Makefile" ;; + "src/libcharon/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/attr_sql/Makefile" ;; + "src/libcharon/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/tests/Makefile" ;; "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;; "src/ipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/ipsec/Makefile" ;; "src/starter/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/Makefile" ;; "src/starter/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/tests/Makefile" ;; "src/_updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown/Makefile" ;; - "src/_updown_espmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown_espmark/Makefile" ;; "src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;; "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;; "src/aikgen/Makefile") CONFIG_FILES="$CONFIG_FILES src/aikgen/Makefile" ;; @@ -25794,6 +26187,7 @@ do "src/pki/man/pki---issue.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---issue.1" ;; "src/pki/man/pki---keyid.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---keyid.1" ;; "src/pki/man/pki---pkcs7.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---pkcs7.1" ;; + "src/pki/man/pki---pkcs12.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---pkcs12.1" ;; "src/pki/man/pki---print.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---print.1" ;; "src/pki/man/pki---pub.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---pub.1" ;; "src/pki/man/pki---req.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---req.1" ;; diff --git a/configure.ac b/configure.ac index 7a3c3281b..73c288495 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ # -# Copyright (C) 2007-2014 Tobias Brunner +# Copyright (C) 2007-2015 Tobias Brunner # Copyright (C) 2006-2014 Andreas Steffen # Copyright (C) 2006-2014 Martin Willi # Hochschule fuer Technik Rapperswil @@ -19,7 +19,7 @@ # initialize & set some vars # ============================ -AC_INIT([strongSwan],[5.2.1]) +AC_INIT([strongSwan],[5.3.0]) AM_INIT_AUTOMAKE(m4_esyscmd([ echo tar-ustar echo subdir-objects @@ -69,6 +69,7 @@ ARG_WITH_SET([mpz_powm_sec], [yes], [use the more side-channel resistant ARG_WITH_SET([dev-headers], [no], [install strongSwan development headers to directory.]) ARG_WITH_SET([printf-hooks], [auto], [force the use of a specific printf hook implementation (auto, builtin, glibc, vstr).]) ARG_WITH_SET([rubygemdir], ["gem environment gemdir"], [path to install ruby gems to]) +ARG_WITH_SET([pythoneggdir], ["main site-packages directory"], [path to install python eggs to to]) if test -n "$PKG_CONFIG"; then systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd) @@ -123,6 +124,7 @@ m4_include(m4/macros/enable-disable.m4) # crypto plugins ARG_DISBL_SET([aes], [disable AES software implementation plugin.]) ARG_ENABL_SET([af-alg], [enable AF_ALG crypto interface to Linux Crypto API.]) +ARG_ENABL_SET([bliss], [enable BLISS software implementation plugin.]) ARG_ENABL_SET([blowfish], [enable Blowfish software implementation plugin.]) ARG_ENABL_SET([ccm], [enables the CCM AEAD wrapper crypto plugin.]) ARG_DISBL_SET([cmac], [disable CMAC crypto implementation plugin.]) @@ -158,6 +160,7 @@ ARG_DISBL_SET([sshkey], [disable SSH key decoding plugin.]) ARG_DISBL_SET([x509], [disable X509 certificate implementation plugin.]) # fetcher/resolver plugins ARG_ENABL_SET([curl], [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.]) +ARG_ENABL_SET([files], [enable simple file:// URI fetcher.]) ARG_ENABL_SET([ldap], [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.]) ARG_ENABL_SET([soup], [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.]) ARG_ENABL_SET([unbound], [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.]) @@ -245,6 +248,8 @@ ARG_ENABL_SET([tnccs-dynamic], [enable dynamic TNCCS protocol discovery module. # misc plugins ARG_ENABL_SET([android-log], [enable Android specific logger plugin.]) ARG_ENABL_SET([certexpire], [enable CSV export of expiration dates of used certificates.]) +ARG_ENABL_SET([connmark], [enable connmark plugin using conntrack based marks to select return path SA.]) +ARG_ENABL_SET([forecast], [enable forecast plugin forwarding broadcast/multicast messages.]) ARG_ENABL_SET([duplicheck], [advanced duplicate checking plugin using liveness checks.]) ARG_ENABL_SET([error-notify], [enable error notification plugin.]) ARG_ENABL_SET([farp], [enable ARP faking plugin that responds to ARP requests to peers virtual IP]) @@ -256,7 +261,6 @@ ARG_ENABL_SET([maemo], [enable Maemo specific plugin.]) ARG_ENABL_SET([radattr], [enable plugin to inject and process custom RADIUS attributes as IKEv2 client.]) ARG_ENABL_SET([systime-fix], [enable plugin to handle cert lifetimes with invalid system time gracefully.]) ARG_ENABL_SET([test-vectors], [enable plugin providing crypto test vectors.]) -ARG_ENABL_SET([unit-tester], [enable unit tests on IKEv2 daemon startup.]) ARG_DISBL_SET([updown], [disable updown firewall script plugin.]) # programs/components ARG_ENABL_SET([aikgen], [enable AIK generator.]) @@ -287,6 +291,7 @@ ARG_DISBL_SET([load-warning], [disable the charon plugin load option warning i ARG_ENABL_SET([mediation], [enable IKEv2 Mediation Extension.]) ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.]) ARG_ENABL_SET([ruby-gems], [enable installation of provided ruby gems.]) +ARG_ENABL_SET([python-eggs], [enable installation of provided python eggs.]) # compile options ARG_ENABL_SET([coverage], [enable lcov coverage report generation.]) ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.]) @@ -1076,6 +1081,12 @@ if test x$xauth_pam = xtrue; then AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])]) fi +if test x$connmark = xtrue -o x$forecast = xtrue; then + PKG_CHECK_MODULES(libiptc, [libiptc]) + AC_SUBST(libiptc_CFLAGS) + AC_SUBST(libiptc_LIBS) +fi + if test x$capabilities = xnative; then AC_MSG_NOTICE([Usage of the native Linux capabilities interface is deprecated, use libcap instead]) # Linux requires the following for capset(), Android does not have it, @@ -1177,6 +1188,19 @@ if test x$ruby_gems = xtrue; then AC_SUBST(RUBYGEMDIR, "$rubygemdir") fi +if test x$python_eggs = xtrue; then + AC_PATH_PROG([EASY_INSTALL], [easy_install], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) + if test x$EASY_INSTALL = x; then + AC_MSG_ERROR(Python easy_install not found) + fi + if test "x$pythoneggdir" = "xmain site-packages directory"; then + AC_SUBST(PYTHONEGGINSTALLDIR, "") + else + AC_SUBST(PYTHONEGGINSTALLDIR, "--install-dir $pythoneggdir") + fi + AC_PATH_PROG([PY_TEST], [py.test], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) +fi + # =============================================== # collect plugin list for strongSwan components # =============================================== @@ -1207,8 +1231,6 @@ t_plugins= ADD_PLUGIN([test-vectors], [s charon scepclient pki]) ADD_PLUGIN([unbound], [s charon scripts]) ADD_PLUGIN([ldap], [s charon scepclient scripts nm cmd]) -ADD_PLUGIN([mysql], [s charon pool manager medsrv attest]) -ADD_PLUGIN([sqlite], [s charon pool manager medsrv attest]) ADD_PLUGIN([pkcs11], [s charon pki nm cmd]) ADD_PLUGIN([aes], [s charon scepclient pki scripts nm cmd]) ADD_PLUGIN([des], [s charon scepclient pki scripts nm cmd]) @@ -1246,16 +1268,20 @@ ADD_PLUGIN([agent], [s charon nm cmd]) ADD_PLUGIN([keychain], [s charon cmd]) ADD_PLUGIN([xcbc], [s charon nm cmd]) ADD_PLUGIN([cmac], [s charon nm cmd]) -ADD_PLUGIN([hmac], [s charon scripts nm cmd]) +ADD_PLUGIN([hmac], [s charon pki scripts nm cmd]) ADD_PLUGIN([ctr], [s charon scripts nm cmd]) ADD_PLUGIN([ccm], [s charon scripts nm cmd]) ADD_PLUGIN([gcm], [s charon scripts nm cmd]) ADD_PLUGIN([ntru], [s charon scripts nm cmd]) +ADD_PLUGIN([bliss], [s charon pki scripts nm cmd]) ADD_PLUGIN([curl], [s charon scepclient pki scripts nm cmd]) +ADD_PLUGIN([files], [s charon scepclient pki scripts nm cmd]) ADD_PLUGIN([winhttp], [s charon pki scripts]) ADD_PLUGIN([soup], [s charon pki scripts nm cmd]) -ADD_PLUGIN([attr], [h charon]) -ADD_PLUGIN([attr-sql], [h charon]) +ADD_PLUGIN([mysql], [s charon pool manager medsrv attest]) +ADD_PLUGIN([sqlite], [s charon pool manager medsrv attest]) +ADD_PLUGIN([attr], [c charon]) +ADD_PLUGIN([attr-sql], [c charon]) ADD_PLUGIN([load-tester], [c charon]) ADD_PLUGIN([kernel-libipsec], [c charon cmd]) ADD_PLUGIN([kernel-wfp], [c charon]) @@ -1263,10 +1289,12 @@ ADD_PLUGIN([kernel-iph], [c charon]) ADD_PLUGIN([kernel-pfkey], [h charon starter nm cmd]) ADD_PLUGIN([kernel-pfroute], [h charon starter nm cmd]) ADD_PLUGIN([kernel-netlink], [h charon starter nm cmd]) -ADD_PLUGIN([resolve], [h charon cmd]) +ADD_PLUGIN([resolve], [c charon cmd]) ADD_PLUGIN([socket-default], [c charon nm cmd]) ADD_PLUGIN([socket-dynamic], [c charon cmd]) ADD_PLUGIN([socket-win], [c charon]) +ADD_PLUGIN([connmark], [c charon]) +ADD_PLUGIN([forecast], [c charon]) ADD_PLUGIN([farp], [c charon]) ADD_PLUGIN([stroke], [c charon]) ADD_PLUGIN([vici], [c charon]) @@ -1324,7 +1352,6 @@ ADD_PLUGIN([maemo], [c charon]) ADD_PLUGIN([uci], [c charon]) ADD_PLUGIN([addrblock], [c charon]) ADD_PLUGIN([unity], [c charon]) -ADD_PLUGIN([unit-tester], [c charon]) AC_SUBST(charon_plugins) AC_SUBST(starter_plugins) @@ -1352,6 +1379,7 @@ AC_SUBST(t_plugins) # ----------------------- AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue) AM_CONDITIONAL(USE_CURL, test x$curl = xtrue) +AM_CONDITIONAL(USE_FILES, test x$files = xtrue) AM_CONDITIONAL(USE_WINHTTP, test x$winhttp = xtrue) AM_CONDITIONAL(USE_UNBOUND, test x$unbound = xtrue) AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue) @@ -1398,6 +1426,7 @@ AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue) AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue) AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue) AM_CONDITIONAL(USE_NTRU, test x$ntru = xtrue) +AM_CONDITIONAL(USE_BLISS, test x$bliss = xtrue) # charon plugins # ---------------- @@ -1416,7 +1445,6 @@ AM_CONDITIONAL(USE_DNSCERT, test x$dnscert = xtrue) AM_CONDITIONAL(USE_IPSECKEY, test x$ipseckey = xtrue) AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue) AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue) -AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue) AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue) AM_CONDITIONAL(USE_HA, test x$ha = xtrue) AM_CONDITIONAL(USE_KERNEL_LIBIPSEC, test x$kernel_libipsec = xtrue) @@ -1475,18 +1503,20 @@ AM_CONDITIONAL(USE_IMV_SWID, test x$imv_swid = xtrue) AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue) AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue) AM_CONDITIONAL(USE_SOCKET_WIN, test x$socket_win = xtrue) +AM_CONDITIONAL(USE_CONNMARK, test x$connmark = xtrue) +AM_CONDITIONAL(USE_FORECAST, test x$forecast = xtrue) AM_CONDITIONAL(USE_FARP, test x$farp = xtrue) AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue) AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue) +AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue) +AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue) +AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue) # hydra plugins # --------------- -AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue) -AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue) AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue) AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue) AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue) -AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue) # other options # --------------- @@ -1537,6 +1567,8 @@ AM_CONDITIONAL(USE_SVC, test x$svc = xtrue) AM_CONDITIONAL(USE_SYSTEMD, test x$systemd = xtrue) AM_CONDITIONAL(USE_LEGACY_SYSTEMD, test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno) AM_CONDITIONAL(USE_RUBY_GEMS, test x$ruby_gems = xtrue) +AM_CONDITIONAL(USE_PYTHON_EGGS, test x$python_eggs = xtrue) +AM_CONDITIONAL(USE_PY_TEST, test "x$PY_TEST" != x) # ======================== # set global definitions @@ -1624,6 +1656,7 @@ AC_CONFIG_FILES([ src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile + src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile @@ -1641,15 +1674,15 @@ AC_CONFIG_FILES([ src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile + src/libstrongswan/plugins/bliss/Makefile + src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile - src/libhydra/plugins/attr/Makefile - src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile - src/libhydra/plugins/resolve/Makefile + src/libhydra/tests/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile @@ -1709,6 +1742,8 @@ AC_CONFIG_FILES([ src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile + src/libcharon/plugins/connmark/Makefile + src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile @@ -1740,16 +1775,19 @@ AC_CONFIG_FILES([ src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile + src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile - src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile + src/libcharon/plugins/resolve/Makefile + src/libcharon/plugins/attr/Makefile + src/libcharon/plugins/attr_sql/Makefile + src/libcharon/tests/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile - src/_updown_espmark/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile @@ -1784,6 +1822,7 @@ AC_CONFIG_FILES([ src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 + src/pki/man/pki---pkcs12.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 diff --git a/init/Makefile.in b/init/Makefile.in index 3da1e6514..18c69f1b0 100644 --- a/init/Makefile.in +++ b/init/Makefile.in @@ -204,6 +204,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -264,10 +265,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -341,6 +344,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/init/systemd-swanctl/Makefile.in b/init/systemd-swanctl/Makefile.in index 14089c479..28cedbda8 100644 --- a/init/systemd-swanctl/Makefile.in +++ b/init/systemd-swanctl/Makefile.in @@ -172,6 +172,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -232,10 +233,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -309,6 +312,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in index a8c7af61c..808023eb2 100644 --- a/init/systemd/Makefile.in +++ b/init/systemd/Makefile.in @@ -172,6 +172,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -232,10 +233,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -309,6 +312,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/man/Makefile.in b/man/Makefile.in index 08aee19c0..501361003 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -178,6 +178,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -238,10 +239,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -315,6 +318,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index fe37dff83..39c3b2b79 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -23,8 +23,7 @@ as are empty lines which are not within a section. A line which contains .B include and a file name, separated by white space, -is replaced by the contents of that file, -preceded and followed by empty lines. +is replaced by the contents of that file. If the file name is not a full pathname, it is considered to be relative to the directory containing the including file. @@ -61,12 +60,9 @@ indicates what type of section follows, and .I name is an arbitrary name which distinguishes the section from others of the same type. -Names must start with a letter and may contain only -letters, digits, periods, underscores, and hyphens. All subsequent non-empty lines -which begin with white space are part of the section; -comments within a section must begin with white space too. -There may be only one section of a given type with a given name. +which begin with white space are part of the section. +Sections of the same type that share the same name are merged. .PP Lines within the section are generally of the form .PP @@ -75,24 +71,30 @@ Lines within the section are generally of the form (note the mandatory preceding white space). There can be white space on either side of the .BR = . -Parameter names follow the same syntax as section names, -and are specific to a section type. -Unless otherwise explicitly specified, -no parameter name may appear more than once in a section. +Parameter names are specific to a section type. .PP An empty .I value stands for the system default value (if any) of the parameter, -i.e. it is roughly equivalent to omitting the parameter line entirely. +i.e. it is roughly equivalent to omitting the parameter line entirely. This may +be useful to clear a setting inherited from a +.B %default +section or via +.B also +parameter (see below). A .I value -may contain white space only if the entire -.I value -is enclosed in double quotes (\fB"\fR); -a +may contain single spaces (additional white space is reduced to one space). +To preserve white space as written enclose the entire .I value -cannot itself contain a double quote, -nor may it be continued across more than one line. +in double quotes (\fB"\fR); in such values double quotes themselves may be +escaped by prefixing them with +.B \\\\ +characters. A double-quoted string may span multiple lines by ending them with +.B \\\\ +characters (following lines don't have to begin with white space, as that will +be preserved). Additionally, the following control characters may be encoded in +double-quoted strings: \\n, \\r, \\t, \\b, \\f. .PP Numeric values are specified to be either an ``integer'' (a sequence of digits) or a ``decimal number'' @@ -102,38 +104,24 @@ There is currently one parameter which is available in any type of section: .TP .B also -the value is a section name; -the parameters of that section are appended to this section, -as if they had been written as part of it. -The specified section must exist, must follow the current one, -and must have the same section type. -(Nesting is permitted, -and there may be more than one +the value is a section name; the parameters of that section are inherited by +the current section. Parameters in the current section always override inherited +parameters, even if an +.B also +follows after them. +The specified section must exist and must have the same section type; it doesn't +if it is defined before or after the current section. +Nesting is permitted, and there may be more than one +.B also +in a single section (parameters from referenced sections are inherited and +overridden in the order of these .B also -in a single section, -although it is forbidden to append the same section more than once.) +parameters). .PP A section with name .B %default -specifies defaults for sections of the same type. -For each parameter in it, -any section of that type which does not have a parameter of the same name -gets a copy of the one from the -.B %default -section. -There may be multiple -.B %default -sections of a given type, -but only one default may be supplied for any specific parameter name, -and all -.B %default -sections of a given type must precede all non-\c -.B %default -sections of that type. -.B %default -sections may not contain the -.B also -parameter. +specifies defaults for sections of the same type. All parameters in it, are +inherited by all other sections of that type. .PP Currently there are three types of sections: a @@ -446,19 +434,20 @@ This may help to surmount restrictive firewalls. In order to force the peer to encapsulate packets, NAT detection payloads are faked. .TP .BR fragmentation " = yes | force | " no -whether to use IKE fragmentation (proprietary IKEv1 extension). Acceptable -values are +whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2 +fragmentation as per RFC 7383). Acceptable values are .BR yes , .B force and .B no -(the default). Fragmented messages sent by a peer are always accepted +(the default). Fragmented IKE messages sent by a peer are always accepted irrespective of the value of this option. If set to .BR yes , and the peer supports it, larger IKE messages will be sent in fragments. If set to .B force -the initial IKE message will already be fragmented if required. +(only supported for IKEv1) the initial IKE message will already be fragmented +if required. .TP .BR ike " = " comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms @@ -583,6 +572,7 @@ for pre-shared key authentication, to (require the) use of the Extensible Authentication Protocol in IKEv2, and .B xauth for IKEv1 eXtended Authentication. + To require a trustchain public key strength for the remote side, specify the key type followed by the minimum strength in bits (for example .BR ecdsa-384 @@ -595,6 +585,20 @@ or a key strength definition (for example .BR pubkey-sha1-sha256 or .BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ). +Unless disabled in +.BR strongswan.conf (5) +such key types and hash algorithms are also applied as constraints against IKEv2 +signature authentication schemes used by the remote side. + +If both peers support RFC 7427 ("Signature Authentication in IKEv2") specific +hash algorithms to be used during IKEv2 authentication may be configured. +The syntax is the same as above. For example, with +.B pubkey-sha384-sha256 +a public key signature scheme with either SHA-384 or SHA-256 would get used for +authentication, in that order and depending on the hash algorithms supported by +the peer. If no specific hash algorithms are configured, the default is to +prefer an algorithm that matches or exceeds the strength of the signature key. + For .BR eap , an optional EAP method can be appended. Currently defined methods are @@ -613,7 +617,9 @@ Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific EAP methods are defined in the form .B eap-type-vendor .RB "(e.g. " eap-7-12345 ). -For +To specify signature and trust chain constraints for EAP-(T)TLS, append a colon +to the EAP method, followed by the key type/size and hash algorithm as discussed +above. For .B xauth, an XAuth authentication backend can be specified, such as .B xauth-generic @@ -750,11 +756,36 @@ defaults to .B left or the subject of the certificate configured with .BR leftcert . -Can be an IP address, a fully-qualified domain name, an email address, or -a keyid. If +If .B leftcert is configured the identity has to be confirmed by the certificate. +Can be an IP address, a fully-qualified domain name, an email address or a +Distinguished Name for which the ID type is determined automatically and the +string is converted to the appropriate encoding. To enforce a specific identity +type, a prefix may be used, followed by a colon (:). If the number sign (#) +follows the colon, the remaining data is interpreted as hex encoding, otherwise +the string is used as-is as the identification data. Note that this implies +that no conversion is performed for non-string identities. For example, +\fIipv4:10.0.0.1\fP does not create a valid ID_IPV4_ADDR IKE identity, as it +does not get converted to binary 0x0a000001. Instead, one could use +\fIipv4:#0a000001\fP to get a valid identity, but just using the implicit type +with automatic conversion is usually simpler. The same applies to the ASN1 +encoded types. The following prefixes are known: +.BR ipv4 , +.BR ipv6 , +.BR rfc822 , +.BR email , +.BR userfqdn , +.BR fqdn , +.BR dns , +.BR asn1dn , +.B asn1gn +and +.BR keyid . +Custom type prefixes may be specified by surrounding the numerical type value by +curly brackets. + For IKEv2 and .B rightid the prefix @@ -828,13 +859,15 @@ an address of the given address family will be requested explicitly. If an IP address is configured, it will be requested from the responder, which is free to respond with a different address. .TP -.BR rightsourceip " = %config | / | %poolname" +.BR rightsourceip " = %config | / | - | %poolname" Comma separated list of internal source IPs to use in a tunnel for the remote peer. If the value is .B %config on the responder side, the initiator must propose an address which is then echoed back. Also supported are address pools expressed as \fInetwork\fB/\fInetmask\fR +and +\fIfrom\fB-\fIto\fR or the use of an external IP address pool using %\fIpoolname\fR, where \fIpoolname\fR is the name of the IP address pool used for the lookup. .TP @@ -959,7 +992,9 @@ sets an XFRM mark in the inbound and outbound IPsec SAs and policies. If the mask is missing then a default mask of .B 0xffffffff -is assumed. +is assumed. The special value +.B %unique +assigns a unique value to each newly created IPsec SA. .TP .BR mark_in " = [/]" sets an XFRM mark in the inbound IPsec SA and diff --git a/scripts/Makefile.in b/scripts/Makefile.in index 811dc2919..d28783b4c 100644 --- a/scripts/Makefile.in +++ b/scripts/Makefile.in @@ -279,6 +279,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -339,10 +340,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -416,6 +419,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c index 8a782d80b..0643ea92a 100644 --- a/scripts/dh_speed.c +++ b/scripts/dh_speed.c @@ -15,6 +15,7 @@ #include #include +#include #include #include #include @@ -88,16 +89,16 @@ static void run_test(diffie_hellman_group_t group, int rounds) for (round = 0; round < rounds; round++) { - l[round]->get_my_public_value(l[round], &chunk); - r->set_other_public_value(r, chunk); + assert(l[round]->get_my_public_value(l[round], &chunk)); + assert(r->set_other_public_value(r, chunk)); chunk_free(&chunk); } - r->get_my_public_value(r, &chunk); + assert(r->get_my_public_value(r, &chunk)); start_timing(&timing); for (round = 0; round < rounds; round++) { - l[round]->set_other_public_value(l[round], chunk); + assert(l[round]->set_other_public_value(l[round], chunk)); } printf(" | S = B^a/s: %8.1f\n", rounds / end_timing(&timing)); chunk_free(&chunk); @@ -143,4 +144,3 @@ int main(int argc, char *argv[]) } return 0; } - diff --git a/src/Makefile.am b/src/Makefile.am index 38363d4f7..9608a3a13 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -69,7 +69,7 @@ if USE_STROKE endif if USE_UPDOWN - SUBDIRS += _updown _updown_espmark + SUBDIRS += _updown endif if USE_SCEPCLIENT diff --git a/src/Makefile.in b/src/Makefile.in index 2dd046042..7596e7e55 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -94,7 +94,7 @@ host_triplet = @host@ @USE_SYSTEMD_TRUE@am__append_15 = charon-systemd @USE_NM_TRUE@am__append_16 = charon-nm @USE_STROKE_TRUE@am__append_17 = stroke -@USE_UPDOWN_TRUE@am__append_18 = _updown _updown_espmark +@USE_UPDOWN_TRUE@am__append_18 = _updown @USE_SCEPCLIENT_TRUE@am__append_19 = scepclient @USE_PKI_TRUE@am__append_20 = pki @USE_SWANCTL_TRUE@am__append_21 = swanctl @@ -187,9 +187,9 @@ CTAGS = ctags DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \ libtls libradius libtncif libtnccs libpttls libimcv libcharon \ starter ipsec _copyright charon charon-systemd charon-nm \ - stroke _updown _updown_espmark scepclient pki swanctl conftest \ - dumm libfast manager medsrv pool charon-tkm charon-cmd \ - charon-svc pt-tls-client checksum aikgen + stroke _updown scepclient pki swanctl conftest dumm libfast \ + manager medsrv pool charon-tkm charon-cmd charon-svc \ + pt-tls-client checksum aikgen DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -241,6 +241,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -301,10 +302,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -378,6 +381,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index a17bbcc1a..2a4838c9a 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -195,6 +195,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -255,10 +256,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -332,6 +335,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/_updown/Makefile.am b/src/_updown/Makefile.am index b6a81f547..32fa0423a 100644 --- a/src/_updown/Makefile.am +++ b/src/_updown/Makefile.am @@ -1,6 +1,5 @@ ipsec_SCRIPTS = _updown CLEANFILES = _updown -dist_man8_MANS = _updown.8 EXTRA_DIST = _updown.in _updown : _updown.in diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index a215a2548..fe31dff64 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -79,8 +79,7 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/_updown -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(dist_man8_MANS) +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -125,7 +124,7 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" +am__installdirs = "$(DESTDIR)$(ipsecdir)" SCRIPTS = $(ipsec_SCRIPTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) @@ -146,9 +145,6 @@ am__can_run_installinfo = \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac -man8dir = $(mandir)/man8 -NROFF = nroff -MANS = $(dist_man8_MANS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -176,6 +172,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -236,10 +233,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -313,6 +312,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -373,7 +374,6 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ ipsec_SCRIPTS = _updown CLEANFILES = _updown -dist_man8_MANS = _updown.8 EXTRA_DIST = _updown.in all: all-am @@ -449,47 +449,6 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(dist_man8_MANS) - @$(NORMAL_INSTALL) - @list1='$(dist_man8_MANS)'; \ - list2=''; \ - test -n "$(man8dir)" \ - && test -n "`echo $$list1$$list2`" \ - || exit 0; \ - echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ - { for i in $$list1; do echo "$$i"; done; \ - if test -n "$$list2"; then \ - for i in $$list2; do echo "$$i"; done \ - | sed -n '/\.8[a-z]*$$/p'; \ - fi; \ - } | while read p; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - echo "$$d$$p"; echo "$$p"; \ - done | \ - sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ - sed 'N;N;s,\n, ,g' | { \ - list=; while read file base inst; do \ - if test "$$base" = "$$inst"; then list="$$list $$file"; else \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ - fi; \ - done; \ - for i in $$list; do echo "$$i"; done | $(am__base_list) | \ - while read files; do \ - test -z "$$files" || { \ - echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ - $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ - done; } - -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \ - files=`{ for i in $$list; do echo "$$i"; done; \ - } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ - dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) tags TAGS: ctags CTAGS: @@ -529,9 +488,9 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am -all-am: Makefile $(SCRIPTS) $(MANS) +all-am: Makefile $(SCRIPTS) installdirs: - for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(ipsecdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -585,7 +544,7 @@ info: info-am info-am: -install-data-am: install-ipsecSCRIPTS install-man +install-data-am: install-ipsecSCRIPTS install-dvi: install-dvi-am @@ -601,7 +560,7 @@ install-info: install-info-am install-info-am: -install-man: install-man8 +install-man: install-pdf: install-pdf-am @@ -629,9 +588,7 @@ ps: ps-am ps-am: -uninstall-am: uninstall-ipsecSCRIPTS uninstall-man - -uninstall-man: uninstall-man8 +uninstall-am: uninstall-ipsecSCRIPTS .MAKE: install-am install-strip @@ -641,13 +598,12 @@ uninstall-man: uninstall-man8 install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am \ - install-ipsecSCRIPTS install-man install-man8 install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ + install-ipsecSCRIPTS install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ - uninstall-am uninstall-ipsecSCRIPTS uninstall-man \ - uninstall-man8 + uninstall-am uninstall-ipsecSCRIPTS _updown : _updown.in diff --git a/src/_updown/_updown.8 b/src/_updown/_updown.8 deleted file mode 100644 index 8c88e5fb8..000000000 --- a/src/_updown/_updown.8 +++ /dev/null @@ -1,16 +0,0 @@ -.TH _UPDOWN 8 "27 Apr 2006" -.SH NAME -ipsec _updown \- route and firewall manipulation script -.SH SYNOPSIS -.I _updown -is invoked by pluto when it has brought up a new connection. This script -is used to insert the appropriate routing entries for IPsec operation. -It can also be used to insert and delete dynamic iptables firewall rules. -The interface to the script is documented in the pluto man page. -.SH "SEE ALSO" -ipsec(8), ipsec_pluto(8). -.SH HISTORY -Man page written for the Linux FreeS/WAN project -by Michael Richardson. Original program written by Henry Spencer. Extended -for the Linux strongSwan project by Andreas -Steffen. diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in index 532bd2437..4090fe074 100644 --- a/src/_updown/_updown.in +++ b/src/_updown/_updown.in @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -128,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -142,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=@routing_table@ -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=@routing_table_prio@ - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -178,120 +166,9 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" # use protocol specific options to set ports case "$PLUTO_MY_PROTOCOL" in @@ -334,59 +211,7 @@ fi PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -567,16 +392,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/src/_updown_espmark/Makefile.am b/src/_updown_espmark/Makefile.am deleted file mode 100644 index 456702690..000000000 --- a/src/_updown_espmark/Makefile.am +++ /dev/null @@ -1,2 +0,0 @@ -dist_ipsec_SCRIPTS = _updown_espmark -dist_man8_MANS = _updown_espmark.8 diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in deleted file mode 100644 index 51a0d9a13..000000000 --- a/src/_updown_espmark/Makefile.in +++ /dev/null @@ -1,652 +0,0 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994-2013 Free Software Foundation, Inc. - -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' -am__make_running_with_option = \ - case $${target_option-} in \ - ?) ;; \ - *) echo "am__make_running_with_option: internal error: invalid" \ - "target option '$${target_option-}' specified" >&2; \ - exit 1;; \ - esac; \ - has_opt=no; \ - sane_makeflags=$$MAKEFLAGS; \ - if $(am__is_gnu_make); then \ - sane_makeflags=$$MFLAGS; \ - else \ - case $$MAKEFLAGS in \ - *\\[\ \ ]*) \ - bs=\\; \ - sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ - | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ - esac; \ - fi; \ - skip_next=no; \ - strip_trailopt () \ - { \ - flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ - }; \ - for flg in $$sane_makeflags; do \ - test $$skip_next = yes && { skip_next=no; continue; }; \ - case $$flg in \ - *=*|--*) continue;; \ - -*I) strip_trailopt 'I'; skip_next=yes;; \ - -*I?*) strip_trailopt 'I';; \ - -*O) strip_trailopt 'O'; skip_next=yes;; \ - -*O?*) strip_trailopt 'O';; \ - -*l) strip_trailopt 'l'; skip_next=yes;; \ - -*l?*) strip_trailopt 'l';; \ - -[dEDm]) skip_next=yes;; \ - -[JT]) skip_next=yes;; \ - esac; \ - case $$flg in \ - *$$target_option*) has_opt=yes; break;; \ - esac; \ - done; \ - test $$has_opt = yes -am__make_dryrun = (target_option=n; $(am__make_running_with_option)) -am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) -pkgdatadir = $(datadir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkglibexecdir = $(libexecdir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -subdir = src/_updown_espmark -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(dist_ipsec_SCRIPTS) $(dist_man8_MANS) -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ - $(top_srcdir)/m4/config/ltoptions.m4 \ - $(top_srcdir)/m4/config/ltsugar.m4 \ - $(top_srcdir)/m4/config/ltversion.m4 \ - $(top_srcdir)/m4/config/lt~obsolete.m4 \ - $(top_srcdir)/m4/macros/split-package-version.m4 \ - $(top_srcdir)/m4/macros/with.m4 \ - $(top_srcdir)/m4/macros/enable-disable.m4 \ - $(top_srcdir)/m4/macros/add-plugin.m4 \ - $(top_srcdir)/configure.ac -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(install_sh) -d -CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = -CONFIG_CLEAN_VPATH_FILES = -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -am__uninstall_files_from_dir = { \ - test -z "$$files" \ - || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ - || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ - $(am__cd) "$$dir" && rm -f $$files; }; \ - } -am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" -SCRIPTS = $(dist_ipsec_SCRIPTS) -AM_V_P = $(am__v_P_@AM_V@) -am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) -am__v_P_0 = false -am__v_P_1 = : -AM_V_GEN = $(am__v_GEN_@AM_V@) -am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) -am__v_GEN_0 = @echo " GEN " $@; -am__v_GEN_1 = -AM_V_at = $(am__v_at_@AM_V@) -am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) -am__v_at_0 = @ -am__v_at_1 = -SOURCES = -DIST_SOURCES = -am__can_run_installinfo = \ - case $$AM_UPDATE_INFO_DIR in \ - n|no|NO) false;; \ - *) (install-info --version) >/dev/null 2>&1;; \ - esac -man8dir = $(mandir)/man8 -NROFF = nroff -MANS = $(dist_man8_MANS) -am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -ALLOCA = @ALLOCA@ -AMTAR = @AMTAR@ -AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -BFDLIB = @BFDLIB@ -BTLIB = @BTLIB@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ -COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -DLLIB = @DLLIB@ -DLLTOOL = @DLLTOOL@ -DSYMUTIL = @DSYMUTIL@ -DUMPBIN = @DUMPBIN@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -FGREP = @FGREP@ -GEM = @GEM@ -GENHTML = @GENHTML@ -GPERF = @GPERF@ -GPRBUILD = @GPRBUILD@ -GREP = @GREP@ -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LCOV = @LCOV@ -LD = @LD@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIPO = @LIPO@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAKEINFO = @MAKEINFO@ -MANIFEST_TOOL = @MANIFEST_TOOL@ -MKDIR_P = @MKDIR_P@ -MYSQLCFLAG = @MYSQLCFLAG@ -MYSQLCONFIG = @MYSQLCONFIG@ -MYSQLLIB = @MYSQLLIB@ -NM = @NM@ -NMEDIT = @NMEDIT@ -OBJDUMP = @OBJDUMP@ -OBJEXT = @OBJEXT@ -OPENSSL_LIB = @OPENSSL_LIB@ -OTOOL = @OTOOL@ -OTOOL64 = @OTOOL64@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ -PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ -PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ -PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -PERL = @PERL@ -PKG_CONFIG = @PKG_CONFIG@ -PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ -PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ -PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ -PTHREADLIB = @PTHREADLIB@ -PYTHON = @PYTHON@ -PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ -PYTHON_PLATFORM = @PYTHON_PLATFORM@ -PYTHON_PREFIX = @PYTHON_PREFIX@ -PYTHON_VERSION = @PYTHON_VERSION@ -RANLIB = @RANLIB@ -RTLIB = @RTLIB@ -RUBY = @RUBY@ -RUBYGEMDIR = @RUBYGEMDIR@ -RUBYINCLUDE = @RUBYINCLUDE@ -RUBYLIB = @RUBYLIB@ -SED = @SED@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -SOCKLIB = @SOCKLIB@ -STRIP = @STRIP@ -UNWINDLIB = @UNWINDLIB@ -VERSION = @VERSION@ -YACC = @YACC@ -YFLAGS = @YFLAGS@ -abs_builddir = @abs_builddir@ -abs_srcdir = @abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -aikgen_plugins = @aikgen_plugins@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -attest_plugins = @attest_plugins@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -builddir = @builddir@ -c_plugins = @c_plugins@ -charon_natt_port = @charon_natt_port@ -charon_plugins = @charon_plugins@ -charon_udp_port = @charon_udp_port@ -clearsilver_LIBS = @clearsilver_LIBS@ -cmd_plugins = @cmd_plugins@ -datadir = @datadir@ -datarootdir = @datarootdir@ -dbusservicedir = @dbusservicedir@ -dev_headers = @dev_headers@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -fips_mode = @fips_mode@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ -h_plugins = @h_plugins@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -imcvdir = @imcvdir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -ipsec_script = @ipsec_script@ -ipsec_script_upper = @ipsec_script_upper@ -ipsecdir = @ipsecdir@ -ipsecgroup = @ipsecgroup@ -ipseclibdir = @ipseclibdir@ -ipsecuser = @ipsecuser@ -json_CFLAGS = @json_CFLAGS@ -json_LIBS = @json_LIBS@ -libdir = @libdir@ -libexecdir = @libexecdir@ -linux_headers = @linux_headers@ -localedir = @localedir@ -localstatedir = @localstatedir@ -maemo_CFLAGS = @maemo_CFLAGS@ -maemo_LIBS = @maemo_LIBS@ -manager_plugins = @manager_plugins@ -mandir = @mandir@ -medsrv_plugins = @medsrv_plugins@ -mkdir_p = @mkdir_p@ -nm_CFLAGS = @nm_CFLAGS@ -nm_LIBS = @nm_LIBS@ -nm_ca_dir = @nm_ca_dir@ -nm_plugins = @nm_plugins@ -oldincludedir = @oldincludedir@ -pcsclite_CFLAGS = @pcsclite_CFLAGS@ -pcsclite_LIBS = @pcsclite_LIBS@ -pdfdir = @pdfdir@ -piddir = @piddir@ -pkgpyexecdir = @pkgpyexecdir@ -pkgpythondir = @pkgpythondir@ -pki_plugins = @pki_plugins@ -plugindir = @plugindir@ -pool_plugins = @pool_plugins@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -pyexecdir = @pyexecdir@ -pythondir = @pythondir@ -random_device = @random_device@ -resolv_conf = @resolv_conf@ -routing_table = @routing_table@ -routing_table_prio = @routing_table_prio@ -s_plugins = @s_plugins@ -sbindir = @sbindir@ -scepclient_plugins = @scepclient_plugins@ -scripts_plugins = @scripts_plugins@ -sharedstatedir = @sharedstatedir@ -soup_CFLAGS = @soup_CFLAGS@ -soup_LIBS = @soup_LIBS@ -srcdir = @srcdir@ -starter_plugins = @starter_plugins@ -strongswan_conf = @strongswan_conf@ -strongswan_options = @strongswan_options@ -swanctldir = @swanctldir@ -sysconfdir = @sysconfdir@ -systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ -systemd_daemon_LIBS = @systemd_daemon_LIBS@ -systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ -systemd_journal_LIBS = @systemd_journal_LIBS@ -systemdsystemunitdir = @systemdsystemunitdir@ -t_plugins = @t_plugins@ -target_alias = @target_alias@ -top_build_prefix = @top_build_prefix@ -top_builddir = @top_builddir@ -top_srcdir = @top_srcdir@ -urandom_device = @urandom_device@ -xml_CFLAGS = @xml_CFLAGS@ -xml_LIBS = @xml_LIBS@ -dist_ipsec_SCRIPTS = _updown_espmark -dist_man8_MANS = _updown_espmark.8 -all: all-am - -.SUFFIXES: -$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ - && { if test -f $@; then exit 0; else break; fi; }; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/_updown_espmark/Makefile'; \ - $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/_updown_espmark/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(am__aclocal_m4_deps): -install-dist_ipsecSCRIPTS: $(dist_ipsec_SCRIPTS) - @$(NORMAL_INSTALL) - @list='$(dist_ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || list=; \ - if test -n "$$list"; then \ - echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \ - fi; \ - for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ - done | \ - sed -e 'p;s,.*/,,;n' \ - -e 'h;s|.*|.|' \ - -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ - $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ - { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ - if ($$2 == $$4) { files[d] = files[d] " " $$1; \ - if (++n[d] == $(am__install_max)) { \ - print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ - else { print "f", d "/" $$4, $$1 } } \ - END { for (d in files) print "f", d, files[d] }' | \ - while read type dir files; do \ - if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ - test -z "$$files" || { \ - echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \ - $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \ - } \ - ; done - -uninstall-dist_ipsecSCRIPTS: - @$(NORMAL_UNINSTALL) - @list='$(dist_ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || exit 0; \ - files=`for p in $$list; do echo "$$p"; done | \ - sed -e 's,.*/,,;$(transform)'`; \ - dir='$(DESTDIR)$(ipsecdir)'; $(am__uninstall_files_from_dir) - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs -install-man8: $(dist_man8_MANS) - @$(NORMAL_INSTALL) - @list1='$(dist_man8_MANS)'; \ - list2=''; \ - test -n "$(man8dir)" \ - && test -n "`echo $$list1$$list2`" \ - || exit 0; \ - echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ - { for i in $$list1; do echo "$$i"; done; \ - if test -n "$$list2"; then \ - for i in $$list2; do echo "$$i"; done \ - | sed -n '/\.8[a-z]*$$/p'; \ - fi; \ - } | while read p; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - echo "$$d$$p"; echo "$$p"; \ - done | \ - sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ - sed 'N;N;s,\n, ,g' | { \ - list=; while read file base inst; do \ - if test "$$base" = "$$inst"; then list="$$list $$file"; else \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ - fi; \ - done; \ - for i in $$list; do echo "$$i"; done | $(am__base_list) | \ - while read files; do \ - test -z "$$files" || { \ - echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ - $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ - done; } - -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \ - files=`{ for i in $$list; do echo "$$i"; done; \ - } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ - dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) -tags TAGS: - -ctags CTAGS: - -cscope cscopelist: - - -distdir: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - list='$(DISTFILES)'; \ - dist_files=`for file in $$list; do echo $$file; done | \ - sed -e "s|^$$srcdirstrip/||;t" \ - -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ - case $$dist_files in \ - */*) $(MKDIR_P) `echo "$$dist_files" | \ - sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ - sort -u` ;; \ - esac; \ - for file in $$dist_files; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - if test -d $$d/$$file; then \ - dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test -d "$(distdir)/$$file"; then \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ - else \ - test -f "$(distdir)/$$file" \ - || cp -p $$d/$$file "$(distdir)/$$file" \ - || exit 1; \ - fi; \ - done -check-am: all-am -check: check-am -all-am: Makefile $(SCRIPTS) $(MANS) -installdirs: - for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(MKDIR_P) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - if test -z '$(STRIP)'; then \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - install; \ - else \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ - fi -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) - -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-generic - -dvi: dvi-am - -dvi-am: - -html: html-am - -html-am: - -info: info-am - -info-am: - -install-data-am: install-dist_ipsecSCRIPTS install-man - -install-dvi: install-dvi-am - -install-dvi-am: - -install-exec-am: - -install-html: install-html-am - -install-html-am: - -install-info: install-info-am - -install-info-am: - -install-man: install-man8 - -install-pdf: install-pdf-am - -install-pdf-am: - -install-ps: install-ps-am - -install-ps-am: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-dist_ipsecSCRIPTS uninstall-man - -uninstall-man: uninstall-man8 - -.MAKE: install-am install-strip - -.PHONY: all all-am check check-am clean clean-generic clean-libtool \ - cscopelist-am ctags-am distclean distclean-generic \ - distclean-libtool distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am \ - install-dist_ipsecSCRIPTS install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags-am uninstall uninstall-am uninstall-dist_ipsecSCRIPTS \ - uninstall-man uninstall-man8 - - -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/src/_updown_espmark/_updown_espmark b/src/_updown_espmark/_updown_espmark deleted file mode 100644 index 864a91708..000000000 --- a/src/_updown_espmark/_updown_espmark +++ /dev/null @@ -1,438 +0,0 @@ -#! /bin/sh -# iproute2 version, default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005 Andreas Steffen -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - - - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# FreeS/WAN use yours instead of this default one. - -# things that this script gets (from ipsec_pluto(8) man page) -# -# -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. -# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# - -# logging of VPN connections -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn -# - -# check interface version -case "$PLUTO_VERSION" in -1.[0]) # Older Pluto?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - parms="$PLUTO_PEER_CLIENT" - - parms2= - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - parms3= - if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" - then - addsource - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# define ESP mark -ESP_MARK=50 - -# add the following static rule to the INPUT chain in the mangle table -# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50 - -# NAT traversal via UDP encapsulation is supported with the rule -# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50 - -# in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - CHECK_MARK="" -else - CHECK_MARK="-m mark --mark $ESP_MARK" -fi - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -# the big choice -case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; -up-host:*) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT - # - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - ;; -down-host:*) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - # connection to me going down - # If you are doing a custom version, firewall commands go here. - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT - # - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ - $CHECK_MARK -j ACCEPT - # - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ - $CHECK_MARK -j ACCEPT - # - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - ;; -up-client:ipfwadm) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ - -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK - ;; -down-client:ipfwadm) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ - -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK - ;; -# -# IPv6 -# -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; -up-host-v6:*) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host-v6:*) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/src/_updown_espmark/_updown_espmark.8 b/src/_updown_espmark/_updown_espmark.8 deleted file mode 100644 index 34383cb8e..000000000 --- a/src/_updown_espmark/_updown_espmark.8 +++ /dev/null @@ -1,15 +0,0 @@ -.TH _UPDOWN_ESPMARK 8 "7 Apr 2005" -.SH NAME -ipsec _updown_espmark \- manages routes and firewall rules -.SH SYNOPSIS -.I _updown_espmark -is invoked by pluto when it has brought up a new connection. This script -is used to insert the appropriate routing and iptables firewall entries for -IPsec operation. The incoming ESP traffic must be marked by a static rule -in the mangle table. The default value for the mark is 50. -The interface to the script is documented in the pluto man page. -.SH "SEE ALSO" -ipsec(8), ipsec_pluto(8). -.SH HISTORY -Man page written for the Linux strongSwan project -by Andreas Steffen. Original program written by Henry Spencer. diff --git a/src/aikgen/Makefile.in b/src/aikgen/Makefile.in index 2bd5be64b..33ed13397 100644 --- a/src/aikgen/Makefile.in +++ b/src/aikgen/Makefile.in @@ -198,6 +198,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -258,10 +259,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -335,6 +338,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in index 9f67eec1f..64dea34c7 100644 --- a/src/charon-cmd/Makefile.in +++ b/src/charon-cmd/Makefile.in @@ -232,6 +232,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in index 69cbfe07e..82f6fbcb2 100644 --- a/src/charon-nm/Makefile.in +++ b/src/charon-nm/Makefile.in @@ -203,6 +203,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -263,10 +264,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -340,6 +343,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c index 613c2f6b5..601daca0a 100644 --- a/src/charon-nm/nm/nm_backend.c +++ b/src/charon-nm/nm/nm_backend.c @@ -18,7 +18,6 @@ #include "nm_creds.h" #include "nm_handler.h" -#include #include #include @@ -97,7 +96,8 @@ static void nm_backend_deinit() g_object_unref(this->plugin); } lib->credmgr->remove_set(lib->credmgr, &this->creds->set); - hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler); + charon->attributes->remove_handler(charon->attributes, + &this->handler->handler); this->creds->destroy(this->creds); this->handler->destroy(this->handler); free(this); @@ -130,7 +130,7 @@ static bool nm_backend_init() this->plugin = nm_strongswan_plugin_new(this->creds, this->handler); nm_backend = this; - hydra->attributes->add_handler(hydra->attributes, &this->handler->handler); + charon->attributes->add_handler(charon->attributes, &this->handler->handler); lib->credmgr->add_set(lib->credmgr, &this->creds->set); if (!this->plugin) { diff --git a/src/charon-nm/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c index 28aa04b31..bdc0667cf 100644 --- a/src/charon-nm/nm/nm_handler.c +++ b/src/charon-nm/nm/nm_handler.c @@ -41,7 +41,7 @@ struct private_nm_handler_t { }; METHOD(attribute_handler_t, handle, bool, - private_nm_handler_t *this, identification_t *server, + private_nm_handler_t *this, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data) { linked_list_t *list; @@ -92,7 +92,7 @@ static bool enumerate_dns(enumerator_t *this, } METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*, - private_nm_handler_t *this, identification_t *server, linked_list_t *vips) + private_nm_handler_t *this, ike_sa_t *ike_sa, linked_list_t *vips) { if (vips->get_count(vips)) { @@ -185,4 +185,3 @@ nm_handler_t *nm_handler_create() return &this->public; } - diff --git a/src/charon-svc/Makefile.in b/src/charon-svc/Makefile.in index 3783ac9f0..1c0a4058d 100644 --- a/src/charon-svc/Makefile.in +++ b/src/charon-svc/Makefile.in @@ -197,6 +197,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -257,10 +258,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -334,6 +337,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/charon-systemd/Makefile.in b/src/charon-systemd/Makefile.in index 790c8ef8f..d6e1c471c 100644 --- a/src/charon-systemd/Makefile.in +++ b/src/charon-systemd/Makefile.in @@ -200,6 +200,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -260,10 +261,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -337,6 +340,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c index 4a2136fc9..e391a5397 100644 --- a/src/charon-systemd/charon-systemd.c +++ b/src/charon-systemd/charon-systemd.c @@ -39,6 +39,17 @@ #include #include +/** + * Default user and group + */ +#ifndef IPSEC_USER +#define IPSEC_USER NULL +#endif + +#ifndef IPSEC_GROUP +#define IPSEC_GROUP NULL +#endif + /** * hook in library for debugging messages */ @@ -268,18 +279,20 @@ static int run() */ static bool lookup_uid_gid() { -#ifdef IPSEC_USER - if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER)) + char *name; + + name = lib->settings->get_str(lib->settings, "%s.user", IPSEC_USER, + lib->ns); + if (name && !lib->caps->resolve_uid(lib->caps, name)) { return FALSE; } -#endif /* IPSEC_USER */ -#ifdef IPSEC_GROUP - if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP)) + name = lib->settings->get_str(lib->settings, "%s.group", IPSEC_GROUP, + lib->ns); + if (name && !lib->caps->resolve_gid(lib->caps, name)) { return FALSE; } -#endif /* IPSEC_GROUP */ return TRUE; } @@ -365,7 +378,8 @@ int main(int argc, char *argv[]) lib->plugins->add_static_features(lib->plugins, lib->ns, features, countof(features), TRUE, journal_reload, &journal); - if (!charon->initialize(charon, PLUGINS)) + if (!charon->initialize(charon, + lib->settings->get_str(lib->settings, "%s.load", PLUGINS, lib->ns))) { sd_notifyf(0, "STATUS=charon initialization failed"); return SS_RC_INITIALIZATION_FAILED; diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in index fe6606bc5..bff198ab8 100644 --- a/src/charon-tkm/Makefile.in +++ b/src/charon-tkm/Makefile.in @@ -142,6 +142,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -202,10 +203,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -279,6 +282,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c index a6770fc50..7c60f0ca8 100644 --- a/src/charon-tkm/src/charon-tkm.c +++ b/src/charon-tkm/src/charon-tkm.c @@ -276,6 +276,10 @@ int main(int argc, char *argv[]) goto deinit; } + /* the authorize hook currently does not support RFC 7427 signature auth */ + lib->settings->set_bool(lib->settings, "%s.signature_authentication", FALSE, + dmn_name); + /* make sure we log to the DAEMON facility by default */ lib->settings->set_int(lib->settings, "%s.syslog.daemon.default", lib->settings->get_int(lib->settings, "%s.syslog.daemon.default", 1, diff --git a/src/charon-tkm/src/ees/ees_callbacks.c b/src/charon-tkm/src/ees/ees_callbacks.c index 2d9653837..74c0d3618 100644 --- a/src/charon-tkm/src/ees/ees_callbacks.c +++ b/src/charon-tkm/src/ees/ees_callbacks.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Reto Buerki + * Copyright (C) 2012-2014 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger * Hochschule fuer Technik Rapperswil * @@ -19,11 +19,12 @@ #include #include +#include "tkm.h" #include "ees_callbacks.h" void charon_esa_acquire(result_type *res, const sp_id_type sp_id) { - DBG1(DBG_KNL, "ees: acquire received for reqid {%d}", sp_id); + DBG1(DBG_KNL, "ees: acquire received for reqid %u", sp_id); hydra->kernel_interface->acquire(hydra->kernel_interface, sp_id, NULL, NULL); *res = TKM_OK; @@ -33,8 +34,19 @@ void charon_esa_expire(result_type *res, const sp_id_type sp_id, const esp_spi_type spi_rem, const protocol_type protocol, const expiry_flag_type hard) { - DBG1(DBG_KNL, "ees: expire received for reqid {%d}", sp_id); - hydra->kernel_interface->expire(hydra->kernel_interface, sp_id, protocol, - spi_rem, hard != 0); + host_t *dst; + + dst = tkm->sad->get_dst_host(tkm->sad, sp_id, spi_rem, protocol); *res = TKM_OK; + if (dst == NULL) + { + DBG3(DBG_KNL, "ees: destination host not found for reqid %u, spi %x, " + "proto %u", sp_id, ntohl(spi_rem), protocol); + return; + } + + DBG1(DBG_KNL, "ees: expire received for reqid %u, spi %x, dst %H", sp_id, + ntohl(spi_rem), dst); + hydra->kernel_interface->expire(hydra->kernel_interface, protocol, + spi_rem, dst, hard != 0); } diff --git a/src/charon-tkm/src/tkm/tkm.c b/src/charon-tkm/src/tkm/tkm.c index 61eb6056c..333b699a0 100644 --- a/src/charon-tkm/src/tkm/tkm.c +++ b/src/charon-tkm/src/tkm/tkm.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Reto Buerki + * Copyright (C) 2012-2014 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger * Hochschule fuer Technik Rapperswil * @@ -95,6 +95,7 @@ bool tkm_init() .public = { .idmgr = tkm_id_manager_create(limits), .chunk_map = tkm_chunk_map_create(), + .sad = tkm_kernel_sad_create(), }, ); tkm = &this->public; @@ -114,6 +115,7 @@ void tkm_deinit() private_tkm_t *this = (private_tkm_t*)tkm; this->public.idmgr->destroy(this->public.idmgr); this->public.chunk_map->destroy(this->public.chunk_map); + this->public.sad->destroy(this->public.sad); ees_server_finalize(); diff --git a/src/charon-tkm/src/tkm/tkm.h b/src/charon-tkm/src/tkm/tkm.h index fb5acd117..4aed08602 100644 --- a/src/charon-tkm/src/tkm/tkm.h +++ b/src/charon-tkm/src/tkm/tkm.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Reto Buerki + * Copyright (C) 2012-2014 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger * Hochschule fuer Technik Rapperswil * @@ -72,6 +72,7 @@ #include "tkm_id_manager.h" #include "tkm_chunk_map.h" +#include "tkm_kernel_sad.h" typedef struct tkm_t tkm_t; @@ -90,6 +91,11 @@ struct tkm_t { */ tkm_chunk_map_t *chunk_map; + /** + * CHILD/ESP SA database. + */ + tkm_kernel_sad_t *sad; + }; /** diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c index 67db5e6d8..c4953b6aa 100644 --- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c @@ -41,7 +41,7 @@ struct private_tkm_diffie_hellman_t { /** * Diffie Hellman group number. */ - u_int16_t group; + diffie_hellman_group_t group; /** * Diffie Hellman public value. @@ -55,30 +55,29 @@ struct private_tkm_diffie_hellman_t { }; -METHOD(diffie_hellman_t, get_my_public_value, void, +METHOD(diffie_hellman_t, get_my_public_value, bool, private_tkm_diffie_hellman_t *this, chunk_t *value) { sequence_to_chunk(this->pubvalue.data, this->pubvalue.size, value); + return TRUE; } -METHOD(diffie_hellman_t, get_shared_secret, status_t, +METHOD(diffie_hellman_t, get_shared_secret, bool, private_tkm_diffie_hellman_t *this, chunk_t *secret) { *secret = chunk_empty; - return SUCCESS; + return TRUE; } -METHOD(diffie_hellman_t, set_other_public_value, void, +METHOD(diffie_hellman_t, set_other_public_value, bool, private_tkm_diffie_hellman_t *this, chunk_t value) { - // TODO: unvoid this function - dh_pubvalue_type othervalue; othervalue.size = value.len; memcpy(&othervalue.data, value.ptr, value.len); - ike_dh_generate_key(this->context_id, othervalue); + return ike_dh_generate_key(this->context_id, othervalue) == TKM_OK; } METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, diff --git a/src/charon-tkm/src/tkm/tkm_encoder.c~ b/src/charon-tkm/src/tkm/tkm_encoder.c~ new file mode 100644 index 000000000..145615f14 --- /dev/null +++ b/src/charon-tkm/src/tkm/tkm_encoder.c~ @@ -0,0 +1,106 @@ +/* + * Copyright (C) 2013 Reto Buerki + * Copyright (C) 2013 Adrian-Ken Rueegsegger + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include +#include + +#include "tkm_encoder.h" + +/** + * Build the SHA1 hash of pubkey(info) ASN.1 data. + */ +static bool hash_pubkey(chunk_t pubkey, chunk_t *hash) +{ + hasher_t *hasher; + + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (!hasher || !hasher->allocate_hash(hasher, pubkey, hash)) + { + DBG1(DBG_LIB, "SHA1 hash algorithm not supported, " + "fingerprinting failed"); + DESTROY_IF(hasher); + chunk_free(&pubkey); + return FALSE; + } + hasher->destroy(hasher); + chunk_free(&pubkey); + return TRUE; +} + +/** + * Encode the public key blob into subjectPublicKeyInfo. + */ +static bool build_pub_info(chunk_t *encoding, va_list args) +{ + chunk_t blob; + + if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob, + CRED_PART_END)) + { + *encoding = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), + asn1_bitstring("c", blob, 0)); + return TRUE; + } + return FALSE; +} + +/** + * Build the fingerprint of the subjectPublicKeyInfo object. + */ +static bool build_info_sha1(chunk_t *encoding, va_list args) +{ + chunk_t pubkey; + + if (build_pub_info(&pubkey, args)) + { + return hash_pubkey(pubkey, encoding); + } + return FALSE; +} + +/** + * Build the fingerprint of the subjectPublicKey object. + */ +static bool build_sha1(chunk_t *encoding, va_list args) +{ + chunk_t blob; + + if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob, + CRED_PART_END)) + { + return hash_pubkey(chunk_clone(blob), encoding); + } + return FALSE; +} + +/** + * See header. + */ +bool tkm_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, + va_list args) +{ + switch (type) + { + case KEYID_PUBKEY_INFO_SHA1: + return build_info_sha1(encoding, args); + case KEYID_PUBKEY_SHA1: + return build_sha1(encoding, args); + default: + return FALSE; + } +} diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.c b/src/charon-tkm/src/tkm/tkm_id_manager.c index 0fadf1acf..e6d571b83 100644 --- a/src/charon-tkm/src/tkm/tkm_id_manager.c +++ b/src/charon-tkm/src/tkm/tkm_id_manager.c @@ -24,7 +24,7 @@ ENUM_BEGIN(tkm_context_kind_names, TKM_CTX_NONCE, TKM_CTX_ESA, "NONCE_CONTEXT", "DH_CONTEXT", - "CC_CONTEXT" + "CC_CONTEXT", "ISA_CONTEXT", "AE_CONTEXT", "ESA_CONTEXT"); diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c index dbeea93f2..734b1ec55 100644 --- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c +++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Reto Buerki + * Copyright (C) 2012-2014 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger * Hochschule fuer Technik Rapperswil * @@ -26,7 +26,6 @@ #include "tkm_utils.h" #include "tkm_types.h" #include "tkm_keymat.h" -#include "tkm_kernel_sad.h" #include "tkm_kernel_ipsec.h" /** From linux/in.h */ @@ -51,16 +50,11 @@ struct private_tkm_kernel_ipsec_t { */ rng_t *rng; - /** - * CHILD/ESP SA database. - */ - tkm_kernel_sad_t *sad; - }; METHOD(kernel_ipsec_t, get_spi, status_t, private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t *spi) { bool result; @@ -74,7 +68,6 @@ METHOD(kernel_ipsec_t, get_spi, status_t, } } - DBG1(DBG_KNL, "getting SPI for reqid {%u}", reqid); result = this->rng->get_bytes(this->rng, sizeof(u_int32_t), (u_int8_t *)spi); return result ? SUCCESS : FAILED; @@ -82,7 +75,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t, METHOD(kernel_ipsec_t, get_cpi, status_t, private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t reqid, u_int16_t *cpi) + u_int16_t *cpi) { return NOT_SUPPORTED; } @@ -93,11 +86,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, - bool _initiator, bool encap, bool esn, bool inbound, - traffic_selector_t* src_ts, traffic_selector_t* dst_ts) + bool initiator, bool encap, bool esn, bool inbound, bool update, + linked_list_t* src_ts, linked_list_t* dst_ts) { esa_info_t esa; - bool initiator; esp_spi_type spi_loc, spi_rem; host_t *local, *peer; chunk_t *nonce_loc, *nonce_rem; @@ -120,9 +112,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t, return SUCCESS; } - /* Initiator if encr_r is passed as enc_key to the inbound add_sa call */ - /* TODO: does the new _initiator parameter have the same meaning? */ - initiator = esa.is_encr_r && inbound; if (initiator) { spi_loc = spi; @@ -143,7 +132,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA); - if (!this->sad->insert(this->sad, esa_id, peer, local, spi_loc, protocol)) + if (!tkm->sad->insert(tkm->sad, reqid, esa_id, local, peer, spi_rem, + protocol)) { DBG1(DBG_KNL, "unable to add entry (%llu) to SAD", esa_id); goto sad_failure; @@ -207,7 +197,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, return SUCCESS; failure: - this->sad->remove(this->sad, esa_id); + tkm->sad->remove(tkm->sad, esa_id); sad_failure: tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id); chunk_free(&esa.nonce_i); @@ -229,7 +219,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t, { esa_id_type esa_id; - esa_id = this->sad->get_esa_id(this->sad, src, dst, spi, protocol); + esa_id = tkm->sad->get_esa_id(tkm->sad, src, dst, spi, protocol); if (esa_id) { DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id, @@ -239,7 +229,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t, DBG1(DBG_KNL, "child SA (%llu) deletion failed", esa_id); return FAILED; } - this->sad->remove(this->sad, esa_id); + tkm->sad->remove(tkm->sad, esa_id); tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id); } return SUCCESS; @@ -350,7 +340,6 @@ METHOD(kernel_ipsec_t, destroy, void, private_tkm_kernel_ipsec_t *this) { DESTROY_IF(this->rng); - DESTROY_IF(this->sad); free(this); } @@ -380,15 +369,7 @@ tkm_kernel_ipsec_t *tkm_kernel_ipsec_create() .destroy = _destroy, }, }, - .sad = tkm_kernel_sad_create(), ); - if (!this->sad) - { - DBG1(DBG_KNL, "unable to create SAD"); - destroy(this); - return NULL; - } - return &this->public; } diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.c b/src/charon-tkm/src/tkm/tkm_kernel_sad.c index 360a47bdc..3394b58af 100644 --- a/src/charon-tkm/src/tkm/tkm_kernel_sad.c +++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Reto Buerki + * Copyright (C) 2012-2014 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger * Hochschule fuer Technik Rapperswil * @@ -56,6 +56,11 @@ struct sad_entry_t { */ esa_id_type esa_id; + /** + * Reqid. + */ + u_int32_t reqid; + /** * Source address of CHILD SA. */ @@ -108,6 +113,19 @@ static bool sad_entry_match(sad_entry_t * const entry, const host_t * const src, entry->spi == *spi && entry->proto == *proto; } +/** + * Find a list entry with given reqid, spi and proto values. + */ +static bool sad_entry_match_dst(sad_entry_t * const entry, + const u_int32_t * const reqid, + const u_int32_t * const spi, + const u_int8_t * const proto) +{ + return entry->reqid == *reqid && + entry->spi == *spi && + entry->proto == *proto; +} + /** * Compare two SAD entries for equality. */ @@ -119,6 +137,7 @@ static bool sad_entry_equal(sad_entry_t * const left, sad_entry_t * const right) return FALSE; } return left->esa_id == right->esa_id && + left->reqid == right->reqid && left->src->ip_equals(left->src, right->src) && left->dst->ip_equals(left->dst, right->dst) && left->spi == right->spi && left->proto == right->proto; @@ -126,14 +145,15 @@ static bool sad_entry_equal(sad_entry_t * const left, sad_entry_t * const right) METHOD(tkm_kernel_sad_t, insert, bool, private_tkm_kernel_sad_t * const this, const esa_id_type esa_id, - const host_t * const src, const host_t * const dst, const u_int32_t spi, - const u_int8_t proto) + const u_int32_t reqid, const host_t * const src, const host_t * const dst, + const u_int32_t spi, const u_int8_t proto) { status_t result; sad_entry_t *new_entry; INIT(new_entry, .esa_id = esa_id, + .reqid = reqid, .src = (host_t *)src, .dst = (host_t *)dst, .spi = spi, @@ -146,8 +166,9 @@ METHOD(tkm_kernel_sad_t, insert, bool, new_entry); if (result == NOT_FOUND) { - DBG3(DBG_KNL, "inserting SAD entry (esa: %llu, src: %H, dst: %H, " - "spi: %x, proto: %u)", esa_id, src, dst, ntohl(spi), proto); + DBG3(DBG_KNL, "inserting SAD entry (esa: %llu, reqid: %u, src: %H, " + "dst: %H, spi: %x, proto: %u)", esa_id, reqid, src, dst, + ntohl(spi), proto); new_entry->src = src->clone((host_t *)src); new_entry->dst = dst->clone((host_t *)dst); this->data->insert_last(this->data, new_entry); @@ -176,18 +197,44 @@ METHOD(tkm_kernel_sad_t, get_esa_id, esa_id_type, if (res == SUCCESS && entry) { id = entry->esa_id; - DBG3(DBG_KNL, "getting ESA id of SAD entry (esa: %llu, src: %H, " - "dst: %H, spi: %x, proto: %u)", id, src, dst, ntohl(spi), - proto); + DBG3(DBG_KNL, "returning ESA id %llu of SAD entry (src: %H, dst: %H, " + "spi: %x, proto: %u)", id, src, dst, ntohl(spi), proto); } else { - DBG3(DBG_KNL, "no SAD entry found"); + DBG3(DBG_KNL, "no SAD entry found for src %H, dst %H, spi %x, proto %u", + src, dst, ntohl(spi), proto); } this->mutex->unlock(this->mutex); return id; } +METHOD(tkm_kernel_sad_t, get_dst_host, host_t *, + private_tkm_kernel_sad_t * const this, const u_int32_t reqid, + const u_int32_t spi, const u_int8_t proto) +{ + host_t *dst = NULL; + sad_entry_t *entry = NULL; + + this->mutex->lock(this->mutex); + const status_t res = this->data->find_first(this->data, + (linked_list_match_t)sad_entry_match_dst, + (void**)&entry, &reqid, &spi, &proto); + if (res == SUCCESS && entry) + { + dst = entry->dst; + DBG3(DBG_KNL, "returning destination host %H of SAD entry (reqid: %u," + " spi: %x, proto: %u)", dst, reqid, ntohl(spi), proto); + } + else + { + DBG3(DBG_KNL, "no SAD entry found for reqid %u, spi %x, proto: %u", + reqid, ntohl(spi), proto); + } + this->mutex->unlock(this->mutex); + return dst; +} + METHOD(tkm_kernel_sad_t, _remove, bool, private_tkm_kernel_sad_t * const this, const esa_id_type esa_id) { @@ -242,6 +289,7 @@ tkm_kernel_sad_t *tkm_kernel_sad_create() .public = { .insert = _insert, .get_esa_id = _get_esa_id, + .get_dst_host = _get_dst_host, .remove = __remove, .destroy = _destroy, }, diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.h b/src/charon-tkm/src/tkm/tkm_kernel_sad.h index 0194cd3bc..38b19dd01 100644 --- a/src/charon-tkm/src/tkm/tkm_kernel_sad.h +++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Reto Buerki + * Copyright (C) 2012-2014 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger * Hochschule fuer Technik Rapperswil * @@ -37,6 +37,7 @@ struct tkm_kernel_sad_t { * Insert new SAD entry with specified parameters. * * @param esa_id ESP SA context identifier + * @param reqid reqid of the SA * @param src source address of CHILD SA * @param dst destination address of CHILD SA * @param spi SPI of CHILD SA @@ -44,8 +45,9 @@ struct tkm_kernel_sad_t { * @return TRUE if entry was inserted, FALSE otherwise */ bool (*insert)(tkm_kernel_sad_t * const this, const esa_id_type esa_id, - const host_t * const src, const host_t * const dst, - const u_int32_t spi, const u_int8_t proto); + const u_int32_t reqid, const host_t * const src, + const host_t * const dst, const u_int32_t spi, + const u_int8_t proto); /** * Get ESA id for entry with given parameters. @@ -60,6 +62,17 @@ struct tkm_kernel_sad_t { const host_t * const src, const host_t * const dst, const u_int32_t spi, const u_int8_t proto); + /** + * Get destination host for entry with given parameters. + * + * @param reqid reqid of CHILD SA + * @param spi SPI of CHILD SA + * @param proto protocol of CHILD SA (ESP/AH) + * @return destination host of entry if found, NULL otherwise + */ + host_t * (*get_dst_host)(tkm_kernel_sad_t * const this, + const u_int32_t reqid, const u_int32_t spi, const u_int8_t proto); + /** * Remove entry with given ESA id from SAD. * diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c index 772fac8b0..80721fafe 100644 --- a/src/charon-tkm/src/tkm/tkm_keymat.c +++ b/src/charon-tkm/src/tkm/tkm_keymat.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2015 Tobias Brunner * Copyrigth (C) 2012 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger * Hochschule fuer Technik Rapperswil @@ -17,6 +18,7 @@ #include #include #include +#include #include "tkm.h" #include "tkm_types.h" @@ -71,6 +73,10 @@ struct private_tkm_keymat_t { */ chunk_t other_init_msg; + /** + * Set of hash algorithms supported by peer for signature authentication + */ + hash_algorithm_set_t *hash_algorithms; }; /** @@ -417,6 +423,26 @@ METHOD(keymat_v2_t, get_psk_sig, bool, return FALSE; } +METHOD(keymat_v2_t, hash_algorithm_supported, bool, + private_tkm_keymat_t *this, hash_algorithm_t hash) +{ + if (!this->hash_algorithms) + { + return FALSE; + } + return this->hash_algorithms->contains(this->hash_algorithms, hash); +} + +METHOD(keymat_v2_t, add_hash_algorithm, void, + private_tkm_keymat_t *this, hash_algorithm_t hash) +{ + if (!this->hash_algorithms) + { + this->hash_algorithms = hash_algorithm_set_create(); + } + this->hash_algorithms->add(this->hash_algorithms, hash); +} + METHOD(keymat_t, destroy, void, private_tkm_keymat_t *this) { @@ -435,6 +461,7 @@ METHOD(keymat_t, destroy, void, tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_AE, this->ae_ctx_id); } + DESTROY_IF(this->hash_algorithms); DESTROY_IF(this->aead_in); DESTROY_IF(this->aead_out); chunk_free(&this->auth_payload); @@ -488,6 +515,8 @@ tkm_keymat_t *tkm_keymat_create(bool initiator) .get_skd = _get_skd, .get_auth_octets = _get_auth_octets, .get_psk_sig = _get_psk_sig, + .add_hash_algorithm = _add_hash_algorithm, + .hash_algorithm_supported = _hash_algorithm_supported, }, .get_isa_id = _get_isa_id, .set_auth_payload = _set_auth_payload, diff --git a/src/charon-tkm/src/tkm/tkm_listener.c b/src/charon-tkm/src/tkm/tkm_listener.c index b2692a586..bb1218266 100644 --- a/src/charon-tkm/src/tkm/tkm_listener.c +++ b/src/charon-tkm/src/tkm/tkm_listener.c @@ -240,6 +240,8 @@ METHOD(listener_t, authorize, bool, return TRUE; } + *success = FALSE; + keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa); isa_id = keymat->get_isa_id(keymat); DBG1(DBG_IKE, "TKM authorize listener called for ISA context %llu", isa_id); @@ -248,28 +250,26 @@ METHOD(listener_t, authorize, bool, if (!cc_id) { DBG1(DBG_IKE, "unable to acquire CC context id"); - *success = FALSE; return TRUE; } if (!build_cert_chain(ike_sa, cc_id)) { DBG1(DBG_IKE, "unable to build certificate chain"); - *success = FALSE; - return TRUE; + goto cc_reset; } auth = keymat->get_auth_payload(keymat); if (!auth->ptr) { DBG1(DBG_IKE, "no AUTHENTICATION data available"); - *success = FALSE; + goto cc_reset; } other_init_msg = keymat->get_peer_init_msg(keymat); if (!other_init_msg->ptr) { DBG1(DBG_IKE, "no peer init message available"); - *success = FALSE; + goto cc_reset; } chunk_to_sequence(auth, &signature, sizeof(signature_type)); @@ -279,7 +279,7 @@ METHOD(listener_t, authorize, bool, { DBG1(DBG_IKE, "TKM based authentication failed" " for ISA context %llu", isa_id); - *success = FALSE; + goto cc_reset; } else { @@ -288,7 +288,13 @@ METHOD(listener_t, authorize, bool, *success = TRUE; } - return TRUE; +cc_reset: + if (ike_cc_reset(cc_id) != TKM_OK) + { + DBG1(DBG_IKE, "unable to reset CC context %llu", cc_id); + } + tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_CC, cc_id); + return TRUE; /* stay registered */ } METHOD(listener_t, message, bool, diff --git a/src/charon-tkm/tests/diffie_hellman_tests.c b/src/charon-tkm/tests/diffie_hellman_tests.c index 89658a770..5ef6f41ab 100644 --- a/src/charon-tkm/tests/diffie_hellman_tests.c +++ b/src/charon-tkm/tests/diffie_hellman_tests.c @@ -40,7 +40,7 @@ START_TEST(test_dh_get_my_pubvalue) fail_if(!dh, "Unable to create DH"); chunk_t value; - dh->dh.get_my_public_value(&dh->dh, &value); + ck_assert(dh->dh.get_my_public_value(&dh->dh, &value)); dh->dh.destroy(&dh->dh); fail_if(value.ptr == NULL, "Pubvalue is NULL"); diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c index 6f0b396d3..b9ab3cb5e 100644 --- a/src/charon-tkm/tests/kernel_sad_tests.c +++ b/src/charon-tkm/tests/kernel_sad_tests.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Reto Buerki + * Copyright (C) 2012-2014 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger * Hochschule fuer Technik Rapperswil * @@ -34,7 +34,7 @@ START_TEST(test_insert) host_t *addr = host_create_from_string("127.0.0.1", 1024); tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); - fail_unless(sad->insert(sad, 1, addr, addr, 42, 50), + fail_unless(sad->insert(sad, 1, 2, addr, addr, 42, 50), "Error inserting SAD entry"); sad->destroy(sad); @@ -47,9 +47,9 @@ START_TEST(test_insert_duplicate) host_t *addr = host_create_from_string("127.0.0.1", 1024); tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); - fail_unless(sad->insert(sad, 1, addr, addr, 42, 50), + fail_unless(sad->insert(sad, 1, 2, addr, addr, 42, 50), "Error inserting SAD entry"); - fail_if(sad->insert(sad, 1, addr, addr, 42, 50), + fail_if(sad->insert(sad, 1, 2, addr, addr, 42, 50), "Expected error inserting duplicate entry"); sad->destroy(sad); @@ -61,7 +61,7 @@ START_TEST(test_get_esa_id) { host_t *addr = host_create_from_string("127.0.0.1", 1024); tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); - fail_unless(sad->insert(sad, 23, addr, addr, 42, 50), + fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50), "Error inserting SAD entry"); fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23, "Error getting esa id"); @@ -81,11 +81,34 @@ START_TEST(test_get_esa_id_nonexistent) } END_TEST +START_TEST(test_get_dst_host) +{ + host_t *addr = host_create_from_string("127.0.0.1", 1024); + tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); + fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50), + "Error inserting SAD entry"); + + host_t *dst = sad->get_dst_host(sad, 54, 42, 50); + fail_unless(addr->equals(addr, dst), "Error getting dst host"); + sad->destroy(sad); + addr->destroy(addr); +} +END_TEST + +START_TEST(test_get_dst_host_nonexistent) +{ + tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); + fail_unless(sad->get_dst_host(sad, 1, 12, 50) == NULL, + "Got dst for nonexistent SAD entry"); + sad->destroy(sad); +} +END_TEST + START_TEST(test_remove) { host_t *addr = host_create_from_string("127.0.0.1", 1024); tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); - fail_unless(sad->insert(sad, 23, addr, addr, 42, 50), + fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50), "Error inserting SAD entry"); fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23, "Error getting esa id"); @@ -128,6 +151,11 @@ Suite *make_kernel_sad_tests() tcase_add_test(tc, test_get_esa_id_nonexistent); suite_add_tcase(s, tc); + tc = tcase_create("get_dst_host"); + tcase_add_test(tc, test_get_dst_host); + tcase_add_test(tc, test_get_dst_host_nonexistent); + suite_add_tcase(s, tc); + tc = tcase_create("remove"); tcase_add_test(tc, test_remove); tcase_add_test(tc, test_remove_nonexistent); diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c index 1982671d3..889965a78 100644 --- a/src/charon-tkm/tests/keymat_tests.c +++ b/src/charon-tkm/tests/keymat_tests.c @@ -53,8 +53,8 @@ START_TEST(test_derive_ike_keys) /* Use the same pubvalue for both sides */ chunk_t pubvalue; - dh->dh.get_my_public_value(&dh->dh, &pubvalue); - dh->dh.set_other_public_value(&dh->dh, pubvalue); + ck_assert(dh->dh.get_my_public_value(&dh->dh, &pubvalue)); + ck_assert(dh->dh.set_other_public_value(&dh->dh, pubvalue)); fail_unless(keymat->keymat_v2.derive_ike_keys(&keymat->keymat_v2, proposal, &dh->dh, nonce, nonce, ike_sa_id, PRF_UNDEFINED, chunk_empty), diff --git a/src/charon-tkm/tests/tests.c b/src/charon-tkm/tests/tests.c index 80894a133..669f4d500 100644 --- a/src/charon-tkm/tests/tests.c +++ b/src/charon-tkm/tests/tests.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2013 Tobias Brunner - * Copyright (C) 2012 Reto Buerki + * Copyright (C) 2012-2014 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger * Hochschule fuer Technik Rapperswil * @@ -53,7 +53,7 @@ static bool test_runner_init(bool init) libhydra_init(); libcharon_init(); lib->settings->set_int(lib->settings, - "test_runner.filelog.stdout.default", 0); + "test-runner.filelog.stdout.default", 0); charon->load_loggers(charon, NULL, FALSE); /* Register TKM specific plugins */ diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index f4dcf4fb0..e1cc5c202 100644 --- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -199,6 +199,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -259,10 +260,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -336,6 +339,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in index 86e7ca6dd..4e4134625 100644 --- a/src/checksum/Makefile.in +++ b/src/checksum/Makefile.in @@ -266,6 +266,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -326,10 +327,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -403,6 +406,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in index e3c2e4335..78438d8f5 100644 --- a/src/conftest/Makefile.in +++ b/src/conftest/Makefile.in @@ -213,6 +213,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -273,10 +274,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -350,6 +353,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/conftest/actions.c b/src/conftest/actions.c index 7532e95cf..474672ca1 100644 --- a/src/conftest/actions.c +++ b/src/conftest/actions.c @@ -117,19 +117,20 @@ static job_requeue_t rekey_child(char *config) enumerator_t *enumerator, *children; ike_sa_t *ike_sa; child_sa_t *child_sa; - u_int32_t reqid = 0, spi = 0; - protocol_id_t proto = PROTO_ESP; + u_int32_t spi, proto; + host_t *dst = NULL; enumerator = charon->controller->create_ike_sa_enumerator( charon->controller, TRUE); while (enumerator->enumerate(enumerator, &ike_sa)) { children = ike_sa->create_child_sa_enumerator(ike_sa); - while (children->enumerate(children, (void**)&child_sa)) + while (children->enumerate(children, &child_sa)) { if (streq(config, child_sa->get_name(child_sa))) { - reqid = child_sa->get_reqid(child_sa); + dst = ike_sa->get_my_host(ike_sa); + dst = dst->clone(dst); proto = child_sa->get_protocol(child_sa); spi = child_sa->get_spi(child_sa, TRUE); break; @@ -138,11 +139,12 @@ static job_requeue_t rekey_child(char *config) children->destroy(children); } enumerator->destroy(enumerator); - if (reqid) + if (dst) { DBG1(DBG_CFG, "starting rekey of CHILD_SA '%s'", config); lib->processor->queue_job(lib->processor, - (job_t*)rekey_child_sa_job_create(reqid, proto, spi)); + (job_t*)rekey_child_sa_job_create(proto, spi, dst)); + dst->destroy(dst); } else { @@ -236,7 +238,7 @@ static job_requeue_t close_child(char *config) { if (streq(config, child_sa->get_name(child_sa))) { - id = child_sa->get_reqid(child_sa); + id = child_sa->get_unique_id(child_sa); break; } } diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in index 56ac3447f..2ecf61194 100644 --- a/src/dumm/Makefile.in +++ b/src/dumm/Makefile.in @@ -234,6 +234,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -294,10 +295,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -371,6 +374,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c index d791c089d..df7ec4703 100644 --- a/src/dumm/ext/dumm.c +++ b/src/dumm/ext/dumm.c @@ -629,7 +629,7 @@ static VALUE iface_each_addr(int argc, VALUE *argv, VALUE self) linked_list_t *list; iface_t *iface; host_t *addr; - char buf[64]; + char buf[64], *fmt = "%H"; if (!rb_block_given_p()) { @@ -645,7 +645,7 @@ static VALUE iface_each_addr(int argc, VALUE *argv, VALUE self) enumerator->destroy(enumerator); while (list->remove_first(list, (void**)&addr) == SUCCESS) { - snprintf(buf, sizeof(buf), "%H", addr); + snprintf(buf, sizeof(buf), fmt, addr); addr->destroy(addr); rb_yield(rb_str_new2(buf)); } diff --git a/src/include/Makefile.in b/src/include/Makefile.in index 042c46cab..64be6ac4f 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -142,6 +142,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -202,10 +203,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -279,6 +282,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in index 526c7c46e..d4dafcb0c 100644 --- a/src/ipsec/Makefile.in +++ b/src/ipsec/Makefile.in @@ -176,6 +176,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -236,10 +237,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -313,6 +316,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8 index 9ba9bd842..d2d0c2edd 100644 --- a/src/ipsec/_ipsec.8 +++ b/src/ipsec/_ipsec.8 @@ -1,4 +1,4 @@ -.TH IPSEC 8 "2013-10-29" "5.2.1" "strongSwan" +.TH IPSEC 8 "2013-10-29" "5.3.0" "strongSwan" . .SH NAME . @@ -210,15 +210,18 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP. . .TP .B "rereadcacerts" -reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP -directory and adds them to the list of Certification Authority (CA) -certificates. +removes previously loaded CA certificates, reads all certificate files +contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list +of Certification Authority (CA) certificates. This does not affect certificates +explicitly defined in a +.BR ipsec.conf (5) +ca section, which may be separately updated using the \fBupdate\fP command. . .TP .B "rereadaacerts" -reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP -directory and adds them to the list of Authorization Authority (AA) -certificates. +removes previously loaded AA certificates, reads all certificate files +contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list +of Authorization Authority (AA) certificates. . .TP .B "rereadocspcerts" diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in index 210d74ef8..0aef8c031 100644 --- a/src/ipsec/_ipsec.8.in +++ b/src/ipsec/_ipsec.8.in @@ -210,15 +210,18 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP. . .TP .B "rereadcacerts" -reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP -directory and adds them to the list of Certification Authority (CA) -certificates. +removes previously loaded CA certificates, reads all certificate files +contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list +of Certification Authority (CA) certificates. This does not affect certificates +explicitly defined in a +.BR ipsec.conf (5) +ca section, which may be separately updated using the \fBupdate\fP command. . .TP .B "rereadaacerts" -reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP -directory and adds them to the list of Authorization Authority (AA) -certificates. +removes previously loaded AA certificates, reads all certificate files +contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list +of Authorization Authority (AA) certificates. . .TP .B "rereadocspcerts" diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk index 4212ee87a..5eef6fdc6 100644 --- a/src/libcharon/Android.mk +++ b/src/libcharon/Android.mk @@ -3,6 +3,10 @@ include $(CLEAR_VARS) # copy-n-paste from Makefile.am libcharon_la_SOURCES := \ +attributes/attributes.c attributes/attributes.h \ +attributes/attribute_provider.h attributes/attribute_handler.h \ +attributes/attribute_manager.c attributes/attribute_manager.h \ +attributes/mem_pool.c attributes/mem_pool.h \ bus/bus.c bus/bus.h \ bus/listeners/listener.h \ bus/listeners/logger.h \ @@ -62,6 +66,7 @@ processing/jobs/start_action_job.c processing/jobs/start_action_job.h \ processing/jobs/roam_job.c processing/jobs/roam_job.h \ processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \ +processing/jobs/initiate_tasks_job.c processing/jobs/initiate_tasks_job.h \ sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \ sa/eap/eap_manager.c sa/eap/eap_manager.h \ sa/xauth/xauth_method.c sa/xauth/xauth_method.h \ @@ -72,6 +77,7 @@ sa/ike_sa.c sa/ike_sa.h \ sa/ike_sa_id.c sa/ike_sa_id.h \ sa/keymat.h sa/keymat.c \ sa/ike_sa_manager.c sa/ike_sa_manager.h \ +sa/child_sa_manager.c sa/child_sa_manager.h \ sa/task_manager.h sa/task_manager.c \ sa/shunt_manager.c sa/shunt_manager.h \ sa/trap_manager.c sa/trap_manager.h \ @@ -97,6 +103,7 @@ sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \ sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \ sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \ sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \ +sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \ sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \ sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h @@ -238,4 +245,3 @@ LOCAL_PRELINK_MODULE := false LOCAL_SHARED_LIBRARIES += libstrongswan libhydra include $(BUILD_SHARED_LIBRARY) - diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index e98f5e137..cd81a5eee 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -1,6 +1,10 @@ ipseclib_LTLIBRARIES = libcharon.la libcharon_la_SOURCES = \ +attributes/attributes.c attributes/attributes.h \ +attributes/attribute_provider.h attributes/attribute_handler.h \ +attributes/attribute_manager.c attributes/attribute_manager.h \ +attributes/mem_pool.c attributes/mem_pool.h \ bus/bus.c bus/bus.h \ bus/listeners/listener.h \ bus/listeners/logger.h \ @@ -60,6 +64,7 @@ processing/jobs/start_action_job.c processing/jobs/start_action_job.h \ processing/jobs/roam_job.c processing/jobs/roam_job.h \ processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \ +processing/jobs/initiate_tasks_job.c processing/jobs/initiate_tasks_job.h \ sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \ sa/eap/eap_manager.c sa/eap/eap_manager.h \ sa/xauth/xauth_method.c sa/xauth/xauth_method.h \ @@ -70,6 +75,7 @@ sa/ike_sa.c sa/ike_sa.h \ sa/ike_sa_id.c sa/ike_sa_id.h \ sa/keymat.h sa/keymat.c \ sa/ike_sa_manager.c sa/ike_sa_manager.h \ +sa/child_sa_manager.c sa/child_sa_manager.h \ sa/task_manager.h sa/task_manager.c \ sa/shunt_manager.c sa/shunt_manager.h \ sa/trap_manager.c sa/trap_manager.h \ @@ -96,6 +102,7 @@ sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \ sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \ sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \ sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \ +sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \ sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \ sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h endif @@ -203,6 +210,20 @@ if MONOLITHIC endif endif +if USE_CONNMARK + SUBDIRS += plugins/connmark +if MONOLITHIC + libcharon_la_LIBADD += plugins/connmark/libstrongswan-connmark.la +endif +endif + +if USE_FORECAST + SUBDIRS += plugins/forecast +if MONOLITHIC + libcharon_la_LIBADD += plugins/forecast/libstrongswan-forecast.la +endif +endif + if USE_FARP SUBDIRS += plugins/farp if MONOLITHIC @@ -595,13 +616,6 @@ if MONOLITHIC endif endif -if USE_UNIT_TESTS - SUBDIRS += plugins/unit_tester -if MONOLITHIC - libcharon_la_LIBADD += plugins/unit_tester/libstrongswan-unit-tester.la -endif -endif - if USE_XAUTH_GENERIC SUBDIRS += plugins/xauth_generic if MONOLITHIC @@ -629,3 +643,29 @@ if MONOLITHIC libcharon_la_LIBADD += plugins/xauth_noauth/libstrongswan-xauth-noauth.la endif endif + +if USE_RESOLVE + SUBDIRS += plugins/resolve +if MONOLITHIC + libcharon_la_LIBADD += plugins/resolve/libstrongswan-resolve.la +endif +endif + +if USE_ATTR + SUBDIRS += plugins/attr +if MONOLITHIC + libcharon_la_LIBADD += plugins/attr/libstrongswan-attr.la +endif +endif + +if USE_ATTR_SQL + SUBDIRS += plugins/attr_sql +if MONOLITHIC + libcharon_la_LIBADD += plugins/attr_sql/libstrongswan-attr-sql.la +endif +endif + +if MONOLITHIC + SUBDIRS += . +endif +SUBDIRS += tests diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index 4d89794b5..3d425e0b4 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in @@ -98,6 +98,7 @@ host_triplet = @host@ @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \ @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \ @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \ +@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \ @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \ @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h @@ -146,124 +147,132 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_11 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la @USE_SOCKET_WIN_TRUE@am__append_12 = plugins/socket_win @MONOLITHIC_TRUE@@USE_SOCKET_WIN_TRUE@am__append_13 = plugins/socket_win/libstrongswan-socket-win.la -@USE_FARP_TRUE@am__append_14 = plugins/farp -@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_15 = plugins/farp/libstrongswan-farp.la -@USE_STROKE_TRUE@am__append_16 = plugins/stroke -@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_17 = plugins/stroke/libstrongswan-stroke.la -@USE_VICI_TRUE@am__append_18 = plugins/vici -@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_19 = plugins/vici/libstrongswan-vici.la -@USE_SMP_TRUE@am__append_20 = plugins/smp -@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_21 = plugins/smp/libstrongswan-smp.la -@USE_SQL_TRUE@am__append_22 = plugins/sql -@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_23 = plugins/sql/libstrongswan-sql.la -@USE_DNSCERT_TRUE@am__append_24 = plugins/dnscert -@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_25 = plugins/dnscert/libstrongswan-dnscert.la -@USE_IPSECKEY_TRUE@am__append_26 = plugins/ipseckey -@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_27 = plugins/ipseckey/libstrongswan-ipseckey.la -@USE_UPDOWN_TRUE@am__append_28 = plugins/updown -@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_29 = plugins/updown/libstrongswan-updown.la -@USE_EXT_AUTH_TRUE@am__append_30 = plugins/ext_auth -@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_31 = plugins/ext_auth/libstrongswan-ext-auth.la -@USE_EAP_IDENTITY_TRUE@am__append_32 = plugins/eap_identity -@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_33 = plugins/eap_identity/libstrongswan-eap-identity.la -@USE_EAP_SIM_TRUE@am__append_34 = plugins/eap_sim -@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_35 = plugins/eap_sim/libstrongswan-eap-sim.la -@USE_EAP_SIM_FILE_TRUE@am__append_36 = plugins/eap_sim_file -@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_37 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la -@USE_EAP_SIM_PCSC_TRUE@am__append_38 = plugins/eap_sim_pcsc -@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_39 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la -@USE_EAP_SIMAKA_SQL_TRUE@am__append_40 = plugins/eap_simaka_sql -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_41 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la -@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_42 = plugins/eap_simaka_pseudonym -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_43 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la -@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_44 = plugins/eap_simaka_reauth -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_45 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la -@USE_EAP_AKA_TRUE@am__append_46 = plugins/eap_aka -@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_47 = plugins/eap_aka/libstrongswan-eap-aka.la -@USE_EAP_AKA_3GPP2_TRUE@am__append_48 = plugins/eap_aka_3gpp2 -@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_49 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la -@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_50 = $(top_builddir)/src/libsimaka/libsimaka.la -@USE_EAP_MD5_TRUE@am__append_51 = plugins/eap_md5 -@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_52 = plugins/eap_md5/libstrongswan-eap-md5.la -@USE_EAP_GTC_TRUE@am__append_53 = plugins/eap_gtc -@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_54 = plugins/eap_gtc/libstrongswan-eap-gtc.la -@USE_EAP_MSCHAPV2_TRUE@am__append_55 = plugins/eap_mschapv2 -@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_56 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la -@USE_EAP_DYNAMIC_TRUE@am__append_57 = plugins/eap_dynamic -@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_58 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la -@USE_EAP_RADIUS_TRUE@am__append_59 = plugins/eap_radius -@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_60 = plugins/eap_radius/libstrongswan-eap-radius.la -@USE_EAP_TLS_TRUE@am__append_61 = plugins/eap_tls -@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_62 = plugins/eap_tls/libstrongswan-eap-tls.la -@USE_EAP_TTLS_TRUE@am__append_63 = plugins/eap_ttls -@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_64 = plugins/eap_ttls/libstrongswan-eap-ttls.la -@USE_EAP_PEAP_TRUE@am__append_65 = plugins/eap_peap -@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_66 = plugins/eap_peap/libstrongswan-eap-peap.la -@USE_EAP_TNC_TRUE@am__append_67 = plugins/eap_tnc -@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_68 = plugins/eap_tnc/libstrongswan-eap-tnc.la -@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_69 = $(top_builddir)/src/libtls/libtls.la -@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_70 = $(top_builddir)/src/libradius/libradius.la -@USE_TNC_IFMAP_TRUE@am__append_71 = plugins/tnc_ifmap -@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_72 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la -@USE_TNC_PDP_TRUE@am__append_73 = plugins/tnc_pdp -@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_74 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la -@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_75 = $(top_builddir)/src/libtnccs/libtnccs.la -@USE_MEDSRV_TRUE@am__append_76 = plugins/medsrv -@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_77 = plugins/medsrv/libstrongswan-medsrv.la -@USE_MEDCLI_TRUE@am__append_78 = plugins/medcli -@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_79 = plugins/medcli/libstrongswan-medcli.la -@USE_DHCP_TRUE@am__append_80 = plugins/dhcp -@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_81 = plugins/dhcp/libstrongswan-dhcp.la -@USE_OSX_ATTR_TRUE@am__append_82 = plugins/osx_attr -@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_83 = plugins/osx_attr/libstrongswan-osx-attr.la -@USE_ANDROID_DNS_TRUE@am__append_84 = plugins/android_dns -@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_85 = plugins/android_dns/libstrongswan-android-dns.la -@USE_ANDROID_LOG_TRUE@am__append_86 = plugins/android_log -@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_87 = plugins/android_log/libstrongswan-android-log.la -@USE_MAEMO_TRUE@am__append_88 = plugins/maemo -@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_89 = plugins/maemo/libstrongswan-maemo.la -@USE_HA_TRUE@am__append_90 = plugins/ha -@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_91 = plugins/ha/libstrongswan-ha.la -@USE_KERNEL_LIBIPSEC_TRUE@am__append_92 = plugins/kernel_libipsec -@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_93 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la -@USE_KERNEL_WFP_TRUE@am__append_94 = plugins/kernel_wfp -@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_95 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la -@USE_KERNEL_IPH_TRUE@am__append_96 = plugins/kernel_iph -@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_97 = plugins/kernel_iph/libstrongswan-kernel-iph.la -@USE_WHITELIST_TRUE@am__append_98 = plugins/whitelist -@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_99 = plugins/whitelist/libstrongswan-whitelist.la -@USE_LOOKIP_TRUE@am__append_100 = plugins/lookip -@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_101 = plugins/lookip/libstrongswan-lookip.la -@USE_ERROR_NOTIFY_TRUE@am__append_102 = plugins/error_notify -@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_103 = plugins/error_notify/libstrongswan-error-notify.la -@USE_CERTEXPIRE_TRUE@am__append_104 = plugins/certexpire -@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_105 = plugins/certexpire/libstrongswan-certexpire.la -@USE_SYSTIME_FIX_TRUE@am__append_106 = plugins/systime_fix -@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_107 = plugins/systime_fix/libstrongswan-systime-fix.la -@USE_LED_TRUE@am__append_108 = plugins/led -@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_109 = plugins/led/libstrongswan-led.la -@USE_DUPLICHECK_TRUE@am__append_110 = plugins/duplicheck -@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_111 = plugins/duplicheck/libstrongswan-duplicheck.la -@USE_COUPLING_TRUE@am__append_112 = plugins/coupling -@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_113 = plugins/coupling/libstrongswan-coupling.la -@USE_RADATTR_TRUE@am__append_114 = plugins/radattr -@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_115 = plugins/radattr/libstrongswan-radattr.la -@USE_UCI_TRUE@am__append_116 = plugins/uci -@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_117 = plugins/uci/libstrongswan-uci.la -@USE_ADDRBLOCK_TRUE@am__append_118 = plugins/addrblock -@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_119 = plugins/addrblock/libstrongswan-addrblock.la -@USE_UNITY_TRUE@am__append_120 = plugins/unity -@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_121 = plugins/unity/libstrongswan-unity.la -@USE_UNIT_TESTS_TRUE@am__append_122 = plugins/unit_tester -@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_123 = plugins/unit_tester/libstrongswan-unit-tester.la -@USE_XAUTH_GENERIC_TRUE@am__append_124 = plugins/xauth_generic -@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_125 = plugins/xauth_generic/libstrongswan-xauth-generic.la -@USE_XAUTH_EAP_TRUE@am__append_126 = plugins/xauth_eap -@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_127 = plugins/xauth_eap/libstrongswan-xauth-eap.la -@USE_XAUTH_PAM_TRUE@am__append_128 = plugins/xauth_pam -@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_129 = plugins/xauth_pam/libstrongswan-xauth-pam.la -@USE_XAUTH_NOAUTH_TRUE@am__append_130 = plugins/xauth_noauth -@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_131 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la +@USE_CONNMARK_TRUE@am__append_14 = plugins/connmark +@MONOLITHIC_TRUE@@USE_CONNMARK_TRUE@am__append_15 = plugins/connmark/libstrongswan-connmark.la +@USE_FORECAST_TRUE@am__append_16 = plugins/forecast +@MONOLITHIC_TRUE@@USE_FORECAST_TRUE@am__append_17 = plugins/forecast/libstrongswan-forecast.la +@USE_FARP_TRUE@am__append_18 = plugins/farp +@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_19 = plugins/farp/libstrongswan-farp.la +@USE_STROKE_TRUE@am__append_20 = plugins/stroke +@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_21 = plugins/stroke/libstrongswan-stroke.la +@USE_VICI_TRUE@am__append_22 = plugins/vici +@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_23 = plugins/vici/libstrongswan-vici.la +@USE_SMP_TRUE@am__append_24 = plugins/smp +@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_25 = plugins/smp/libstrongswan-smp.la +@USE_SQL_TRUE@am__append_26 = plugins/sql +@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_27 = plugins/sql/libstrongswan-sql.la +@USE_DNSCERT_TRUE@am__append_28 = plugins/dnscert +@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_29 = plugins/dnscert/libstrongswan-dnscert.la +@USE_IPSECKEY_TRUE@am__append_30 = plugins/ipseckey +@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_31 = plugins/ipseckey/libstrongswan-ipseckey.la +@USE_UPDOWN_TRUE@am__append_32 = plugins/updown +@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_33 = plugins/updown/libstrongswan-updown.la +@USE_EXT_AUTH_TRUE@am__append_34 = plugins/ext_auth +@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_35 = plugins/ext_auth/libstrongswan-ext-auth.la +@USE_EAP_IDENTITY_TRUE@am__append_36 = plugins/eap_identity +@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_37 = plugins/eap_identity/libstrongswan-eap-identity.la +@USE_EAP_SIM_TRUE@am__append_38 = plugins/eap_sim +@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_39 = plugins/eap_sim/libstrongswan-eap-sim.la +@USE_EAP_SIM_FILE_TRUE@am__append_40 = plugins/eap_sim_file +@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_41 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la +@USE_EAP_SIM_PCSC_TRUE@am__append_42 = plugins/eap_sim_pcsc +@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_43 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la +@USE_EAP_SIMAKA_SQL_TRUE@am__append_44 = plugins/eap_simaka_sql +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_45 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la +@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_46 = plugins/eap_simaka_pseudonym +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_47 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la +@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_48 = plugins/eap_simaka_reauth +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_49 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la +@USE_EAP_AKA_TRUE@am__append_50 = plugins/eap_aka +@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_51 = plugins/eap_aka/libstrongswan-eap-aka.la +@USE_EAP_AKA_3GPP2_TRUE@am__append_52 = plugins/eap_aka_3gpp2 +@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_53 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la +@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_54 = $(top_builddir)/src/libsimaka/libsimaka.la +@USE_EAP_MD5_TRUE@am__append_55 = plugins/eap_md5 +@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_56 = plugins/eap_md5/libstrongswan-eap-md5.la +@USE_EAP_GTC_TRUE@am__append_57 = plugins/eap_gtc +@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_58 = plugins/eap_gtc/libstrongswan-eap-gtc.la +@USE_EAP_MSCHAPV2_TRUE@am__append_59 = plugins/eap_mschapv2 +@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_60 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la +@USE_EAP_DYNAMIC_TRUE@am__append_61 = plugins/eap_dynamic +@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_62 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la +@USE_EAP_RADIUS_TRUE@am__append_63 = plugins/eap_radius +@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_64 = plugins/eap_radius/libstrongswan-eap-radius.la +@USE_EAP_TLS_TRUE@am__append_65 = plugins/eap_tls +@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_66 = plugins/eap_tls/libstrongswan-eap-tls.la +@USE_EAP_TTLS_TRUE@am__append_67 = plugins/eap_ttls +@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_68 = plugins/eap_ttls/libstrongswan-eap-ttls.la +@USE_EAP_PEAP_TRUE@am__append_69 = plugins/eap_peap +@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_70 = plugins/eap_peap/libstrongswan-eap-peap.la +@USE_EAP_TNC_TRUE@am__append_71 = plugins/eap_tnc +@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_72 = plugins/eap_tnc/libstrongswan-eap-tnc.la +@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_73 = $(top_builddir)/src/libtls/libtls.la +@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_74 = $(top_builddir)/src/libradius/libradius.la +@USE_TNC_IFMAP_TRUE@am__append_75 = plugins/tnc_ifmap +@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_76 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la +@USE_TNC_PDP_TRUE@am__append_77 = plugins/tnc_pdp +@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_78 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la +@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_79 = $(top_builddir)/src/libtnccs/libtnccs.la +@USE_MEDSRV_TRUE@am__append_80 = plugins/medsrv +@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_81 = plugins/medsrv/libstrongswan-medsrv.la +@USE_MEDCLI_TRUE@am__append_82 = plugins/medcli +@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_83 = plugins/medcli/libstrongswan-medcli.la +@USE_DHCP_TRUE@am__append_84 = plugins/dhcp +@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_85 = plugins/dhcp/libstrongswan-dhcp.la +@USE_OSX_ATTR_TRUE@am__append_86 = plugins/osx_attr +@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_87 = plugins/osx_attr/libstrongswan-osx-attr.la +@USE_ANDROID_DNS_TRUE@am__append_88 = plugins/android_dns +@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_89 = plugins/android_dns/libstrongswan-android-dns.la +@USE_ANDROID_LOG_TRUE@am__append_90 = plugins/android_log +@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_91 = plugins/android_log/libstrongswan-android-log.la +@USE_MAEMO_TRUE@am__append_92 = plugins/maemo +@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_93 = plugins/maemo/libstrongswan-maemo.la +@USE_HA_TRUE@am__append_94 = plugins/ha +@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_95 = plugins/ha/libstrongswan-ha.la +@USE_KERNEL_LIBIPSEC_TRUE@am__append_96 = plugins/kernel_libipsec +@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_97 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la +@USE_KERNEL_WFP_TRUE@am__append_98 = plugins/kernel_wfp +@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_99 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la +@USE_KERNEL_IPH_TRUE@am__append_100 = plugins/kernel_iph +@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_101 = plugins/kernel_iph/libstrongswan-kernel-iph.la +@USE_WHITELIST_TRUE@am__append_102 = plugins/whitelist +@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_103 = plugins/whitelist/libstrongswan-whitelist.la +@USE_LOOKIP_TRUE@am__append_104 = plugins/lookip +@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_105 = plugins/lookip/libstrongswan-lookip.la +@USE_ERROR_NOTIFY_TRUE@am__append_106 = plugins/error_notify +@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_107 = plugins/error_notify/libstrongswan-error-notify.la +@USE_CERTEXPIRE_TRUE@am__append_108 = plugins/certexpire +@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_109 = plugins/certexpire/libstrongswan-certexpire.la +@USE_SYSTIME_FIX_TRUE@am__append_110 = plugins/systime_fix +@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_111 = plugins/systime_fix/libstrongswan-systime-fix.la +@USE_LED_TRUE@am__append_112 = plugins/led +@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_113 = plugins/led/libstrongswan-led.la +@USE_DUPLICHECK_TRUE@am__append_114 = plugins/duplicheck +@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_115 = plugins/duplicheck/libstrongswan-duplicheck.la +@USE_COUPLING_TRUE@am__append_116 = plugins/coupling +@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_117 = plugins/coupling/libstrongswan-coupling.la +@USE_RADATTR_TRUE@am__append_118 = plugins/radattr +@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_119 = plugins/radattr/libstrongswan-radattr.la +@USE_UCI_TRUE@am__append_120 = plugins/uci +@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_121 = plugins/uci/libstrongswan-uci.la +@USE_ADDRBLOCK_TRUE@am__append_122 = plugins/addrblock +@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_123 = plugins/addrblock/libstrongswan-addrblock.la +@USE_UNITY_TRUE@am__append_124 = plugins/unity +@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_125 = plugins/unity/libstrongswan-unity.la +@USE_XAUTH_GENERIC_TRUE@am__append_126 = plugins/xauth_generic +@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_127 = plugins/xauth_generic/libstrongswan-xauth-generic.la +@USE_XAUTH_EAP_TRUE@am__append_128 = plugins/xauth_eap +@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_129 = plugins/xauth_eap/libstrongswan-xauth-eap.la +@USE_XAUTH_PAM_TRUE@am__append_130 = plugins/xauth_pam +@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_131 = plugins/xauth_pam/libstrongswan-xauth-pam.la +@USE_XAUTH_NOAUTH_TRUE@am__append_132 = plugins/xauth_noauth +@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_133 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la +@USE_RESOLVE_TRUE@am__append_134 = plugins/resolve +@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_135 = plugins/resolve/libstrongswan-resolve.la +@USE_ATTR_TRUE@am__append_136 = plugins/attr +@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_137 = plugins/attr/libstrongswan-attr.la +@USE_ATTR_SQL_TRUE@am__append_138 = plugins/attr_sql +@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_139 = plugins/attr_sql/libstrongswan-attr-sql.la subdir = src/libcharon DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp @@ -325,12 +334,12 @@ libcharon_la_DEPENDENCIES = \ $(am__append_29) $(am__append_31) $(am__append_33) \ $(am__append_35) $(am__append_37) $(am__append_39) \ $(am__append_41) $(am__append_43) $(am__append_45) \ - $(am__append_47) $(am__append_49) $(am__append_50) \ - $(am__append_52) $(am__append_54) $(am__append_56) \ + $(am__append_47) $(am__append_49) $(am__append_51) \ + $(am__append_53) $(am__append_54) $(am__append_56) \ $(am__append_58) $(am__append_60) $(am__append_62) \ $(am__append_64) $(am__append_66) $(am__append_68) \ - $(am__append_69) $(am__append_70) $(am__append_72) \ - $(am__append_74) $(am__append_75) $(am__append_77) \ + $(am__append_70) $(am__append_72) $(am__append_73) \ + $(am__append_74) $(am__append_76) $(am__append_78) \ $(am__append_79) $(am__append_81) $(am__append_83) \ $(am__append_85) $(am__append_87) $(am__append_89) \ $(am__append_91) $(am__append_93) $(am__append_95) \ @@ -339,8 +348,14 @@ libcharon_la_DEPENDENCIES = \ $(am__append_109) $(am__append_111) $(am__append_113) \ $(am__append_115) $(am__append_117) $(am__append_119) \ $(am__append_121) $(am__append_123) $(am__append_125) \ - $(am__append_127) $(am__append_129) $(am__append_131) -am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ + $(am__append_127) $(am__append_129) $(am__append_131) \ + $(am__append_133) $(am__append_135) $(am__append_137) \ + $(am__append_139) +am__libcharon_la_SOURCES_DIST = attributes/attributes.c \ + attributes/attributes.h attributes/attribute_provider.h \ + attributes/attribute_handler.h attributes/attribute_manager.c \ + attributes/attribute_manager.h attributes/mem_pool.c \ + attributes/mem_pool.h bus/bus.c bus/bus.h \ bus/listeners/listener.h bus/listeners/logger.h \ bus/listeners/file_logger.c bus/listeners/file_logger.h \ config/backend_manager.c config/backend_manager.h \ @@ -421,7 +436,9 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ processing/jobs/roam_job.h processing/jobs/update_sa_job.c \ processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c \ - processing/jobs/inactivity_job.h sa/eap/eap_method.c \ + processing/jobs/inactivity_job.h \ + processing/jobs/initiate_tasks_job.c \ + processing/jobs/initiate_tasks_job.h sa/eap/eap_method.c \ sa/eap/eap_method.h sa/eap/eap_inner_method.h \ sa/eap/eap_manager.c sa/eap/eap_manager.h \ sa/xauth/xauth_method.c sa/xauth/xauth_method.h \ @@ -429,7 +446,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ sa/authenticator.c sa/authenticator.h sa/child_sa.c \ sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \ sa/ike_sa_id.h sa/keymat.h sa/keymat.c sa/ike_sa_manager.c \ - sa/ike_sa_manager.h sa/task_manager.h sa/task_manager.c \ + sa/ike_sa_manager.h sa/child_sa_manager.c \ + sa/child_sa_manager.h sa/task_manager.h sa/task_manager.c \ sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \ sa/trap_manager.h sa/task.c sa/task.h sa/ikev2/keymat_v2.c \ sa/ikev2/keymat_v2.h sa/ikev2/task_manager_v2.c \ @@ -454,6 +472,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \ sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \ sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \ + sa/ikev2/tasks/ike_reauth_complete.c \ + sa/ikev2/tasks/ike_reauth_complete.h \ sa/ikev2/tasks/ike_auth_lifetime.c \ sa/ikev2/tasks/ike_auth_lifetime.h sa/ikev2/tasks/ike_vendor.c \ sa/ikev2/tasks/ike_vendor.h sa/ikev1/keymat_v1.c \ @@ -514,6 +534,7 @@ am__dirstamp = $(am__leading_dot)dirstamp @USE_IKEV2_TRUE@ sa/ikev2/tasks/ike_mobike.lo \ @USE_IKEV2_TRUE@ sa/ikev2/tasks/ike_rekey.lo \ @USE_IKEV2_TRUE@ sa/ikev2/tasks/ike_reauth.lo \ +@USE_IKEV2_TRUE@ sa/ikev2/tasks/ike_reauth_complete.lo \ @USE_IKEV2_TRUE@ sa/ikev2/tasks/ike_auth_lifetime.lo \ @USE_IKEV2_TRUE@ sa/ikev2/tasks/ike_vendor.lo @USE_IKEV1_TRUE@am__objects_2 = sa/ikev1/keymat_v1.lo \ @@ -543,7 +564,9 @@ am__dirstamp = $(am__leading_dot)dirstamp @USE_ME_TRUE@ sa/ikev2/connect_manager.lo \ @USE_ME_TRUE@ sa/ikev2/mediation_manager.lo \ @USE_ME_TRUE@ sa/ikev2/tasks/ike_me.lo -am_libcharon_la_OBJECTS = bus/bus.lo bus/listeners/file_logger.lo \ +am_libcharon_la_OBJECTS = attributes/attributes.lo \ + attributes/attribute_manager.lo attributes/mem_pool.lo \ + bus/bus.lo bus/listeners/file_logger.lo \ config/backend_manager.lo config/child_cfg.lo \ config/ike_cfg.lo config/peer_cfg.lo config/proposal.lo \ control/controller.lo daemon.lo encoding/generator.lo \ @@ -587,13 +610,14 @@ am_libcharon_la_OBJECTS = bus/bus.lo bus/listeners/file_logger.lo \ processing/jobs/send_keepalive_job.lo \ processing/jobs/start_action_job.lo \ processing/jobs/roam_job.lo processing/jobs/update_sa_job.lo \ - processing/jobs/inactivity_job.lo sa/eap/eap_method.lo \ + processing/jobs/inactivity_job.lo \ + processing/jobs/initiate_tasks_job.lo sa/eap/eap_method.lo \ sa/eap/eap_manager.lo sa/xauth/xauth_method.lo \ sa/xauth/xauth_manager.lo sa/authenticator.lo sa/child_sa.lo \ sa/ike_sa.lo sa/ike_sa_id.lo sa/keymat.lo sa/ike_sa_manager.lo \ - sa/task_manager.lo sa/shunt_manager.lo sa/trap_manager.lo \ - sa/task.lo $(am__objects_1) $(am__objects_2) $(am__objects_3) \ - $(am__objects_4) + sa/child_sa_manager.lo sa/task_manager.lo sa/shunt_manager.lo \ + sa/trap_manager.lo sa/task.lo $(am__objects_1) \ + $(am__objects_2) $(am__objects_3) $(am__objects_4) libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -676,11 +700,11 @@ am__define_uniq_tagged_files = \ ETAGS = etags CTAGS = ctags DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \ - plugins/socket_dynamic plugins/socket_win plugins/farp \ - plugins/stroke plugins/vici plugins/smp plugins/sql \ - plugins/dnscert plugins/ipseckey plugins/updown \ - plugins/ext_auth plugins/eap_identity plugins/eap_sim \ - plugins/eap_sim_file plugins/eap_sim_pcsc \ + plugins/socket_dynamic plugins/socket_win plugins/connmark \ + plugins/forecast plugins/farp plugins/stroke plugins/vici \ + plugins/smp plugins/sql plugins/dnscert plugins/ipseckey \ + plugins/updown plugins/ext_auth plugins/eap_identity \ + plugins/eap_sim plugins/eap_sim_file plugins/eap_sim_pcsc \ plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \ plugins/eap_simaka_reauth plugins/eap_aka \ plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \ @@ -694,8 +718,9 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \ plugins/error_notify plugins/certexpire plugins/systime_fix \ plugins/led plugins/duplicheck plugins/coupling \ plugins/radattr plugins/uci plugins/addrblock plugins/unity \ - plugins/unit_tester plugins/xauth_generic plugins/xauth_eap \ - plugins/xauth_pam plugins/xauth_noauth + plugins/xauth_generic plugins/xauth_eap plugins/xauth_pam \ + plugins/xauth_noauth plugins/resolve plugins/attr \ + plugins/attr_sql tests DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -747,6 +772,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -807,10 +833,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -884,6 +912,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -943,16 +973,20 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ ipseclib_LTLIBRARIES = libcharon.la -libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ - bus/listeners/logger.h bus/listeners/file_logger.c \ - bus/listeners/file_logger.h config/backend_manager.c \ - config/backend_manager.h config/backend.h config/child_cfg.c \ - config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \ - config/peer_cfg.c config/peer_cfg.h config/proposal.c \ - config/proposal.h control/controller.c control/controller.h \ - daemon.c daemon.h encoding/generator.c encoding/generator.h \ - encoding/message.c encoding/message.h encoding/parser.c \ - encoding/parser.h encoding/payloads/auth_payload.c \ +libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \ + attributes/attribute_provider.h attributes/attribute_handler.h \ + attributes/attribute_manager.c attributes/attribute_manager.h \ + attributes/mem_pool.c attributes/mem_pool.h bus/bus.c \ + bus/bus.h bus/listeners/listener.h bus/listeners/logger.h \ + bus/listeners/file_logger.c bus/listeners/file_logger.h \ + config/backend_manager.c config/backend_manager.h \ + config/backend.h config/child_cfg.c config/child_cfg.h \ + config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \ + config/peer_cfg.h config/proposal.c config/proposal.h \ + control/controller.c control/controller.h daemon.c daemon.h \ + encoding/generator.c encoding/generator.h encoding/message.c \ + encoding/message.h encoding/parser.c encoding/parser.h \ + encoding/payloads/auth_payload.c \ encoding/payloads/auth_payload.h \ encoding/payloads/cert_payload.c \ encoding/payloads/cert_payload.h \ @@ -1023,7 +1057,9 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ processing/jobs/roam_job.h processing/jobs/update_sa_job.c \ processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c \ - processing/jobs/inactivity_job.h sa/eap/eap_method.c \ + processing/jobs/inactivity_job.h \ + processing/jobs/initiate_tasks_job.c \ + processing/jobs/initiate_tasks_job.h sa/eap/eap_method.c \ sa/eap/eap_method.h sa/eap/eap_inner_method.h \ sa/eap/eap_manager.c sa/eap/eap_manager.h \ sa/xauth/xauth_method.c sa/xauth/xauth_method.h \ @@ -1031,7 +1067,8 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ sa/authenticator.c sa/authenticator.h sa/child_sa.c \ sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \ sa/ike_sa_id.h sa/keymat.h sa/keymat.c sa/ike_sa_manager.c \ - sa/ike_sa_manager.h sa/task_manager.h sa/task_manager.c \ + sa/ike_sa_manager.h sa/child_sa_manager.c \ + sa/child_sa_manager.h sa/task_manager.h sa/task_manager.c \ sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \ sa/trap_manager.h sa/task.c sa/task.h $(am__append_1) \ $(am__append_2) $(am__append_3) $(am__append_5) @@ -1057,12 +1094,12 @@ libcharon_la_LIBADD = \ $(am__append_33) $(am__append_35) $(am__append_37) \ $(am__append_39) $(am__append_41) $(am__append_43) \ $(am__append_45) $(am__append_47) $(am__append_49) \ - $(am__append_50) $(am__append_52) $(am__append_54) \ + $(am__append_51) $(am__append_53) $(am__append_54) \ $(am__append_56) $(am__append_58) $(am__append_60) \ $(am__append_62) $(am__append_64) $(am__append_66) \ - $(am__append_68) $(am__append_69) $(am__append_70) \ - $(am__append_72) $(am__append_74) $(am__append_75) \ - $(am__append_77) $(am__append_79) $(am__append_81) \ + $(am__append_68) $(am__append_70) $(am__append_72) \ + $(am__append_73) $(am__append_74) $(am__append_76) \ + $(am__append_78) $(am__append_79) $(am__append_81) \ $(am__append_83) $(am__append_85) $(am__append_87) \ $(am__append_89) $(am__append_91) $(am__append_93) \ $(am__append_95) $(am__append_97) $(am__append_99) \ @@ -1071,7 +1108,8 @@ libcharon_la_LIBADD = \ $(am__append_113) $(am__append_115) $(am__append_117) \ $(am__append_119) $(am__append_121) $(am__append_123) \ $(am__append_125) $(am__append_127) $(am__append_129) \ - $(am__append_131) + $(am__append_131) $(am__append_133) $(am__append_135) \ + $(am__append_137) $(am__append_139) EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_6) $(am__append_8) \ @MONOLITHIC_FALSE@ $(am__append_10) $(am__append_12) \ @@ -1084,13 +1122,13 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_38) $(am__append_40) \ @MONOLITHIC_FALSE@ $(am__append_42) $(am__append_44) \ @MONOLITHIC_FALSE@ $(am__append_46) $(am__append_48) \ -@MONOLITHIC_FALSE@ $(am__append_51) $(am__append_53) \ +@MONOLITHIC_FALSE@ $(am__append_50) $(am__append_52) \ @MONOLITHIC_FALSE@ $(am__append_55) $(am__append_57) \ @MONOLITHIC_FALSE@ $(am__append_59) $(am__append_61) \ @MONOLITHIC_FALSE@ $(am__append_63) $(am__append_65) \ -@MONOLITHIC_FALSE@ $(am__append_67) $(am__append_71) \ -@MONOLITHIC_FALSE@ $(am__append_73) $(am__append_76) \ -@MONOLITHIC_FALSE@ $(am__append_78) $(am__append_80) \ +@MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) \ +@MONOLITHIC_FALSE@ $(am__append_71) $(am__append_75) \ +@MONOLITHIC_FALSE@ $(am__append_77) $(am__append_80) \ @MONOLITHIC_FALSE@ $(am__append_82) $(am__append_84) \ @MONOLITHIC_FALSE@ $(am__append_86) $(am__append_88) \ @MONOLITHIC_FALSE@ $(am__append_90) $(am__append_92) \ @@ -1103,7 +1141,9 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_118) $(am__append_120) \ @MONOLITHIC_FALSE@ $(am__append_122) $(am__append_124) \ @MONOLITHIC_FALSE@ $(am__append_126) $(am__append_128) \ -@MONOLITHIC_FALSE@ $(am__append_130) +@MONOLITHIC_FALSE@ $(am__append_130) $(am__append_132) \ +@MONOLITHIC_FALSE@ $(am__append_134) $(am__append_136) \ +@MONOLITHIC_FALSE@ $(am__append_138) tests # build optional plugins ######################## @@ -1118,13 +1158,13 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_38) $(am__append_40) \ @MONOLITHIC_TRUE@ $(am__append_42) $(am__append_44) \ @MONOLITHIC_TRUE@ $(am__append_46) $(am__append_48) \ -@MONOLITHIC_TRUE@ $(am__append_51) $(am__append_53) \ +@MONOLITHIC_TRUE@ $(am__append_50) $(am__append_52) \ @MONOLITHIC_TRUE@ $(am__append_55) $(am__append_57) \ @MONOLITHIC_TRUE@ $(am__append_59) $(am__append_61) \ @MONOLITHIC_TRUE@ $(am__append_63) $(am__append_65) \ -@MONOLITHIC_TRUE@ $(am__append_67) $(am__append_71) \ -@MONOLITHIC_TRUE@ $(am__append_73) $(am__append_76) \ -@MONOLITHIC_TRUE@ $(am__append_78) $(am__append_80) \ +@MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) \ +@MONOLITHIC_TRUE@ $(am__append_71) $(am__append_75) \ +@MONOLITHIC_TRUE@ $(am__append_77) $(am__append_80) \ @MONOLITHIC_TRUE@ $(am__append_82) $(am__append_84) \ @MONOLITHIC_TRUE@ $(am__append_86) $(am__append_88) \ @MONOLITHIC_TRUE@ $(am__append_90) $(am__append_92) \ @@ -1137,7 +1177,9 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_118) $(am__append_120) \ @MONOLITHIC_TRUE@ $(am__append_122) $(am__append_124) \ @MONOLITHIC_TRUE@ $(am__append_126) $(am__append_128) \ -@MONOLITHIC_TRUE@ $(am__append_130) +@MONOLITHIC_TRUE@ $(am__append_130) $(am__append_132) \ +@MONOLITHIC_TRUE@ $(am__append_134) $(am__append_136) \ +@MONOLITHIC_TRUE@ $(am__append_138) . tests all: all-recursive .SUFFIXES: @@ -1207,6 +1249,18 @@ clean-ipseclibLTLIBRARIES: echo rm -f $${locs}; \ rm -f $${locs}; \ } +attributes/$(am__dirstamp): + @$(MKDIR_P) attributes + @: > attributes/$(am__dirstamp) +attributes/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) attributes/$(DEPDIR) + @: > attributes/$(DEPDIR)/$(am__dirstamp) +attributes/attributes.lo: attributes/$(am__dirstamp) \ + attributes/$(DEPDIR)/$(am__dirstamp) +attributes/attribute_manager.lo: attributes/$(am__dirstamp) \ + attributes/$(DEPDIR)/$(am__dirstamp) +attributes/mem_pool.lo: attributes/$(am__dirstamp) \ + attributes/$(DEPDIR)/$(am__dirstamp) bus/$(am__dirstamp): @$(MKDIR_P) bus @: > bus/$(am__dirstamp) @@ -1389,6 +1443,9 @@ processing/jobs/update_sa_job.lo: processing/jobs/$(am__dirstamp) \ processing/jobs/$(DEPDIR)/$(am__dirstamp) processing/jobs/inactivity_job.lo: processing/jobs/$(am__dirstamp) \ processing/jobs/$(DEPDIR)/$(am__dirstamp) +processing/jobs/initiate_tasks_job.lo: \ + processing/jobs/$(am__dirstamp) \ + processing/jobs/$(DEPDIR)/$(am__dirstamp) sa/eap/$(am__dirstamp): @$(MKDIR_P) sa/eap @: > sa/eap/$(am__dirstamp) @@ -1421,6 +1478,8 @@ sa/ike_sa.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp) sa/ike_sa_id.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp) sa/keymat.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp) sa/ike_sa_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp) +sa/child_sa_manager.lo: sa/$(am__dirstamp) \ + sa/$(DEPDIR)/$(am__dirstamp) sa/task_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp) sa/shunt_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp) sa/trap_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp) @@ -1484,6 +1543,8 @@ sa/ikev2/tasks/ike_rekey.lo: sa/ikev2/tasks/$(am__dirstamp) \ sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp) sa/ikev2/tasks/ike_reauth.lo: sa/ikev2/tasks/$(am__dirstamp) \ sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp) +sa/ikev2/tasks/ike_reauth_complete.lo: sa/ikev2/tasks/$(am__dirstamp) \ + sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp) sa/ikev2/tasks/ike_auth_lifetime.lo: sa/ikev2/tasks/$(am__dirstamp) \ sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp) sa/ikev2/tasks/ike_vendor.lo: sa/ikev2/tasks/$(am__dirstamp) \ @@ -1574,6 +1635,8 @@ libcharon.la: $(libcharon_la_OBJECTS) $(libcharon_la_DEPENDENCIES) $(EXTRA_libch mostlyclean-compile: -rm -f *.$(OBJEXT) + -rm -f attributes/*.$(OBJEXT) + -rm -f attributes/*.lo -rm -f bus/*.$(OBJEXT) -rm -f bus/*.lo -rm -f bus/listeners/*.$(OBJEXT) @@ -1615,6 +1678,9 @@ distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/daemon.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/attribute_manager.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/attributes.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/mem_pool.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@bus/$(DEPDIR)/bus.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@bus/listeners/$(DEPDIR)/file_logger.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@bus/listeners/$(DEPDIR)/sys_logger.Plo@am__quote@ @@ -1665,6 +1731,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/dpd_timeout_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/inactivity_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/initiate_mediation_job.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/initiate_tasks_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/mediation_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/migrate_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/process_message_job.Plo@am__quote@ @@ -1679,6 +1746,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/update_sa_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/authenticator.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/child_sa.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/child_sa_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/ike_sa.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/ike_sa_id.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/ike_sa_manager.Plo@am__quote@ @@ -1730,6 +1798,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_mobike.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_natd.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_reauth.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_reauth_complete.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_rekey.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_vendor.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@sa/xauth/$(DEPDIR)/xauth_manager.Plo@am__quote@ @@ -1764,6 +1833,7 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs + -rm -rf attributes/.libs attributes/_libs -rm -rf bus/.libs bus/_libs -rm -rf bus/listeners/.libs bus/listeners/_libs -rm -rf config/.libs config/_libs @@ -1971,6 +2041,8 @@ clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + -rm -f attributes/$(DEPDIR)/$(am__dirstamp) + -rm -f attributes/$(am__dirstamp) -rm -f bus/$(DEPDIR)/$(am__dirstamp) -rm -f bus/$(am__dirstamp) -rm -f bus/listeners/$(DEPDIR)/$(am__dirstamp) @@ -2017,7 +2089,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-recursive - -rm -rf ./$(DEPDIR) bus/$(DEPDIR) bus/listeners/$(DEPDIR) config/$(DEPDIR) control/$(DEPDIR) encoding/$(DEPDIR) encoding/payloads/$(DEPDIR) kernel/$(DEPDIR) network/$(DEPDIR) processing/jobs/$(DEPDIR) sa/$(DEPDIR) sa/eap/$(DEPDIR) sa/ikev1/$(DEPDIR) sa/ikev1/authenticators/$(DEPDIR) sa/ikev1/tasks/$(DEPDIR) sa/ikev2/$(DEPDIR) sa/ikev2/authenticators/$(DEPDIR) sa/ikev2/tasks/$(DEPDIR) sa/xauth/$(DEPDIR) + -rm -rf ./$(DEPDIR) attributes/$(DEPDIR) bus/$(DEPDIR) bus/listeners/$(DEPDIR) config/$(DEPDIR) control/$(DEPDIR) encoding/$(DEPDIR) encoding/payloads/$(DEPDIR) kernel/$(DEPDIR) network/$(DEPDIR) processing/jobs/$(DEPDIR) sa/$(DEPDIR) sa/eap/$(DEPDIR) sa/ikev1/$(DEPDIR) sa/ikev1/authenticators/$(DEPDIR) sa/ikev1/tasks/$(DEPDIR) sa/ikev2/$(DEPDIR) sa/ikev2/authenticators/$(DEPDIR) sa/ikev2/tasks/$(DEPDIR) sa/xauth/$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -2063,7 +2135,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive - -rm -rf ./$(DEPDIR) bus/$(DEPDIR) bus/listeners/$(DEPDIR) config/$(DEPDIR) control/$(DEPDIR) encoding/$(DEPDIR) encoding/payloads/$(DEPDIR) kernel/$(DEPDIR) network/$(DEPDIR) processing/jobs/$(DEPDIR) sa/$(DEPDIR) sa/eap/$(DEPDIR) sa/ikev1/$(DEPDIR) sa/ikev1/authenticators/$(DEPDIR) sa/ikev1/tasks/$(DEPDIR) sa/ikev2/$(DEPDIR) sa/ikev2/authenticators/$(DEPDIR) sa/ikev2/tasks/$(DEPDIR) sa/xauth/$(DEPDIR) + -rm -rf ./$(DEPDIR) attributes/$(DEPDIR) bus/$(DEPDIR) bus/listeners/$(DEPDIR) config/$(DEPDIR) control/$(DEPDIR) encoding/$(DEPDIR) encoding/payloads/$(DEPDIR) kernel/$(DEPDIR) network/$(DEPDIR) processing/jobs/$(DEPDIR) sa/$(DEPDIR) sa/eap/$(DEPDIR) sa/ikev1/$(DEPDIR) sa/ikev1/authenticators/$(DEPDIR) sa/ikev1/tasks/$(DEPDIR) sa/ikev2/$(DEPDIR) sa/ikev2/authenticators/$(DEPDIR) sa/ikev2/tasks/$(DEPDIR) sa/xauth/$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic diff --git a/src/libcharon/attributes/attribute_handler.h b/src/libcharon/attributes/attribute_handler.h new file mode 100644 index 000000000..3c14323a3 --- /dev/null +++ b/src/libcharon/attributes/attribute_handler.h @@ -0,0 +1,76 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup attribute_handler attribute_handler + * @{ @ingroup attributes + */ + +#ifndef ATTRIBUTE_HANDLER_H_ +#define ATTRIBUTE_HANDLER_H_ + +typedef struct attribute_handler_t attribute_handler_t; + +#include +#include +#include + +#include "attributes.h" + +/** + * Interface to handle configuration payload attributes. + */ +struct attribute_handler_t { + + /** + * Handle a configuration attribute. + * + * After receiving a configuration attriubte, it is passed to each + * attribute handler until it is handled. + * + * @param ike_sa IKE_SA under which attribute is received + * @param type type of configuration attribute to handle + * @param data associated attribute data + * @return TRUE if attribute handled + */ + bool (*handle)(attribute_handler_t *this, ike_sa_t *ike_sa, + configuration_attribute_type_t type, chunk_t data); + + /** + * Release an attribute handled during handle(). + * + * A handler that handle()d an attribute gets a call to release() when the + * connection gets closed. Depending on the implementation, this is required + * to remove the attribute. + * + * @param ike_sa IKE_SA which releases attribute + * @param type type of configuration attribute to release + * @param data associated attribute data + */ + void (*release)(attribute_handler_t *this, ike_sa_t *ike_sa, + configuration_attribute_type_t type, chunk_t data); + + /** + * Enumerate attributes to request from a server. + * + * @param ike_sa IKE_SA to request attributes for + * @param vips list of virtual IPs (host_t*) we are requesting + * @return enumerator (configuration_attribute_type_t, chunk_t) + */ + enumerator_t* (*create_attribute_enumerator)(attribute_handler_t *this, + ike_sa_t *ike_sa, linked_list_t *vips); +}; + +#endif /** ATTRIBUTE_HANDLER_H_ @}*/ diff --git a/src/libcharon/attributes/attribute_manager.c b/src/libcharon/attributes/attribute_manager.c new file mode 100644 index 000000000..2ab7ed118 --- /dev/null +++ b/src/libcharon/attributes/attribute_manager.c @@ -0,0 +1,347 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "attribute_manager.h" + +#include +#include +#include + +typedef struct private_attribute_manager_t private_attribute_manager_t; + +/** + * private data of attribute_manager + */ +struct private_attribute_manager_t { + + /** + * public functions + */ + attribute_manager_t public; + + /** + * list of registered providers + */ + linked_list_t *providers; + + /** + * list of registered handlers + */ + linked_list_t *handlers; + + /** + * rwlock provider list + */ + rwlock_t *lock; +}; + +/** + * Data to pass to enumerator filters + */ +typedef struct { + /** attribute group pools */ + linked_list_t *pools; + /** associated IKE_SA */ + ike_sa_t *ike_sa; + /** requesting/assigned virtual IPs */ + linked_list_t *vips; +} enum_data_t; + +METHOD(attribute_manager_t, acquire_address, host_t*, + private_attribute_manager_t *this, linked_list_t *pools, + ike_sa_t *ike_sa, host_t *requested) +{ + enumerator_t *enumerator; + attribute_provider_t *current; + host_t *host = NULL; + + this->lock->read_lock(this->lock); + enumerator = this->providers->create_enumerator(this->providers); + while (enumerator->enumerate(enumerator, ¤t)) + { + host = current->acquire_address(current, pools, ike_sa, requested); + if (host) + { + break; + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + + return host; +} + +METHOD(attribute_manager_t, release_address, bool, + private_attribute_manager_t *this, linked_list_t *pools, host_t *address, + ike_sa_t *ike_sa) +{ + enumerator_t *enumerator; + attribute_provider_t *current; + bool found = FALSE; + + this->lock->read_lock(this->lock); + enumerator = this->providers->create_enumerator(this->providers); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (current->release_address(current, pools, address, ike_sa)) + { + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + + return found; +} + +/** + * inner enumerator constructor for responder attributes + */ +static enumerator_t *responder_enum_create(attribute_provider_t *provider, + enum_data_t *data) +{ + return provider->create_attribute_enumerator(provider, data->pools, + data->ike_sa, data->vips); +} + +METHOD(attribute_manager_t, create_responder_enumerator, enumerator_t*, + private_attribute_manager_t *this, linked_list_t *pools, + ike_sa_t *ike_sa, linked_list_t *vips) +{ + enum_data_t *data; + + INIT(data, + .pools = pools, + .ike_sa = ike_sa, + .vips = vips, + ); + this->lock->read_lock(this->lock); + return enumerator_create_cleaner( + enumerator_create_nested( + this->providers->create_enumerator(this->providers), + (void*)responder_enum_create, data, free), + (void*)this->lock->unlock, this->lock); +} + +METHOD(attribute_manager_t, add_provider, void, + private_attribute_manager_t *this, attribute_provider_t *provider) +{ + this->lock->write_lock(this->lock); + this->providers->insert_last(this->providers, provider); + this->lock->unlock(this->lock); +} + +METHOD(attribute_manager_t, remove_provider, void, + private_attribute_manager_t *this, attribute_provider_t *provider) +{ + this->lock->write_lock(this->lock); + this->providers->remove(this->providers, provider, NULL); + this->lock->unlock(this->lock); +} + +METHOD(attribute_manager_t, handle, attribute_handler_t*, + private_attribute_manager_t *this, ike_sa_t *ike_sa, + attribute_handler_t *handler, configuration_attribute_type_t type, + chunk_t data) +{ + enumerator_t *enumerator; + attribute_handler_t *current, *handled = NULL; + + this->lock->read_lock(this->lock); + + /* try to find the passed handler */ + enumerator = this->handlers->create_enumerator(this->handlers); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (current == handler && current->handle(current, ike_sa, type, data)) + { + handled = current; + break; + } + } + enumerator->destroy(enumerator); + if (!handled) + { /* handler requesting this attribute not found, try any other */ + enumerator = this->handlers->create_enumerator(this->handlers); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (current->handle(current, ike_sa, type, data)) + { + handled = current; + break; + } + } + enumerator->destroy(enumerator); + } + this->lock->unlock(this->lock); + + if (!handled) + { + DBG1(DBG_CFG, "handling %N attribute failed", + configuration_attribute_type_names, type); + } + return handled; +} + +METHOD(attribute_manager_t, release, void, + private_attribute_manager_t *this, attribute_handler_t *handler, + ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data) +{ + enumerator_t *enumerator; + attribute_handler_t *current; + + this->lock->read_lock(this->lock); + enumerator = this->handlers->create_enumerator(this->handlers); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (current == handler) + { + current->release(current, ike_sa, type, data); + break; + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); +} + +/** + * Enumerator implementation to enumerate nested initiator attributes + */ +typedef struct { + /** implements enumerator_t */ + enumerator_t public; + /** back ref */ + private_attribute_manager_t *this; + /** currently processing handler */ + attribute_handler_t *handler; + /** outer enumerator over handlers */ + enumerator_t *outer; + /** inner enumerator over current handlers attributes */ + enumerator_t *inner; + /** IKE_SA to request attributes for */ + ike_sa_t *ike_sa; + /** virtual IPs we are requesting along with attriubutes */ + linked_list_t *vips; +} initiator_enumerator_t; + +/** + * Enumerator implementation for initiator attributes + */ +static bool initiator_enumerate(initiator_enumerator_t *this, + attribute_handler_t **handler, + configuration_attribute_type_t *type, + chunk_t *value) +{ + /* enumerate inner attributes using outer handler enumerator */ + while (!this->inner || !this->inner->enumerate(this->inner, type, value)) + { + if (!this->outer->enumerate(this->outer, &this->handler)) + { + return FALSE; + } + DESTROY_IF(this->inner); + this->inner = this->handler->create_attribute_enumerator(this->handler, + this->ike_sa, this->vips); + } + /* inject the handler as additional attribute */ + *handler = this->handler; + return TRUE; +} + +/** + * Cleanup function of initiator attribute enumerator + */ +static void initiator_destroy(initiator_enumerator_t *this) +{ + this->this->lock->unlock(this->this->lock); + this->outer->destroy(this->outer); + DESTROY_IF(this->inner); + free(this); +} + +METHOD(attribute_manager_t, create_initiator_enumerator, enumerator_t*, + private_attribute_manager_t *this, ike_sa_t *ike_sa, linked_list_t *vips) +{ + initiator_enumerator_t *enumerator; + + this->lock->read_lock(this->lock); + + INIT(enumerator, + .public = { + .enumerate = (void*)initiator_enumerate, + .destroy = (void*)initiator_destroy, + }, + .this = this, + .ike_sa = ike_sa, + .vips = vips, + .outer = this->handlers->create_enumerator(this->handlers), + ); + return &enumerator->public; +} + +METHOD(attribute_manager_t, add_handler, void, + private_attribute_manager_t *this, attribute_handler_t *handler) +{ + this->lock->write_lock(this->lock); + this->handlers->insert_last(this->handlers, handler); + this->lock->unlock(this->lock); +} + +METHOD(attribute_manager_t, remove_handler, void, + private_attribute_manager_t *this, attribute_handler_t *handler) +{ + this->lock->write_lock(this->lock); + this->handlers->remove(this->handlers, handler, NULL); + this->lock->unlock(this->lock); +} + +METHOD(attribute_manager_t, destroy, void, + private_attribute_manager_t *this) +{ + this->providers->destroy(this->providers); + this->handlers->destroy(this->handlers); + this->lock->destroy(this->lock); + free(this); +} + +/* + * see header file + */ +attribute_manager_t *attribute_manager_create() +{ + private_attribute_manager_t *this; + + INIT(this, + .public = { + .acquire_address = _acquire_address, + .release_address = _release_address, + .create_responder_enumerator = _create_responder_enumerator, + .add_provider = _add_provider, + .remove_provider = _remove_provider, + .handle = _handle, + .release = _release, + .create_initiator_enumerator = _create_initiator_enumerator, + .add_handler = _add_handler, + .remove_handler = _remove_handler, + .destroy = _destroy, + }, + .providers = linked_list_create(), + .handlers = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + return &this->public; +} diff --git a/src/libcharon/attributes/attribute_manager.h b/src/libcharon/attributes/attribute_manager.h new file mode 100644 index 000000000..6db664968 --- /dev/null +++ b/src/libcharon/attributes/attribute_manager.h @@ -0,0 +1,154 @@ +/* + * Copyright (C) 2008-2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup attribute_manager attribute_manager + * @{ @ingroup attributes + */ + +#ifndef ATTRIBUTE_MANAGER_H_ +#define ATTRIBUTE_MANAGER_H_ + +#include "attribute_provider.h" +#include "attribute_handler.h" + +#include + +typedef struct attribute_manager_t attribute_manager_t; + +/** + * The attribute manager hands out attributes or handles them. + * + * The attribute manager manages both, attribute providers and attribute + * handlers. Attribute providers are responsible to hand out attributes if + * a connecting peer requests them. Handlers handle such attributes if they + * are received on the requesting peer. + */ +struct attribute_manager_t { + + /** + * Acquire a virtual IP address to assign to a peer. + * + * @param pools list of pool names (char*) to acquire from + * @param ike_sa associated IKE_SA for which an address is requested + * @param requested IP in configuration request + * @return allocated address, NULL to serve none + */ + host_t* (*acquire_address)(attribute_manager_t *this, + linked_list_t *pool, ike_sa_t *ike_sa, + host_t *requested); + + /** + * Release a previously acquired address. + * + * @param pools list of pool names (char*) to release to + * @param address address to release + * @param ike_sa associated IKE_SA for which an address is released + * @return TRUE if address released to pool + */ + bool (*release_address)(attribute_manager_t *this, + linked_list_t *pools, host_t *address, + ike_sa_t *ike_sa); + + /** + * Create an enumerator over attributes to hand out to a peer. + * + * @param pool list of pools names (char*) to query attributes from + * @param ike_sa associated IKE_SA for which attributes are requested + * @param vip list of virtual IPs (host_t*) to assign to peer + * @return enumerator (configuration_attribute_type_t, chunk_t) + */ + enumerator_t* (*create_responder_enumerator)(attribute_manager_t *this, + linked_list_t *pool, ike_sa_t *ike_sa, + linked_list_t *vips); + + /** + * Register an attribute provider to the manager. + * + * @param provider attribute provider to register + */ + void (*add_provider)(attribute_manager_t *this, + attribute_provider_t *provider); + /** + * Unregister an attribute provider from the manager. + * + * @param provider attribute provider to unregister + */ + void (*remove_provider)(attribute_manager_t *this, + attribute_provider_t *provider); + + /** + * Handle a configuration attribute by passing them to the handlers. + * + * @param ike_sa associated IKE_SA to handle an attribute for + * @param handler handler we requested the attribute for, if any + * @param type type of configuration attribute + * @param data associated attribute data + * @return handler which handled this attribute, NULL if none + */ + attribute_handler_t* (*handle)(attribute_manager_t *this, + ike_sa_t *ike_sa, attribute_handler_t *handler, + configuration_attribute_type_t type, chunk_t data); + + /** + * Release an attribute previously handle()d by a handler. + * + * @param ike_sa associated IKE_SA to release an attribute for + * @param server server from which the attribute was received + * @param type type of attribute to release + * @param data associated attribute data + */ + void (*release)(attribute_manager_t *this, attribute_handler_t *handler, + ike_sa_t *ike_sa, configuration_attribute_type_t type, + chunk_t data); + + /** + * Create an enumerator over attributes to request from server. + * + * @param ike_sa associated IKE_SA to request attributes for + * @param vip list of virtual IPs (host_t*) going to request + * @return enumerator (attribute_handler_t, ca_type_t, chunk_t) + */ + enumerator_t* (*create_initiator_enumerator)(attribute_manager_t *this, + ike_sa_t *ike_sa, linked_list_t *vips); + + /** + * Register an attribute handler to the manager. + * + * @param handler attribute handler to register + */ + void (*add_handler)(attribute_manager_t *this, + attribute_handler_t *handler); + + /** + * Unregister an attribute handler from the manager. + * + * @param handler attribute handler to unregister + */ + void (*remove_handler)(attribute_manager_t *this, + attribute_handler_t *handler); + + /** + * Destroy a attribute_manager instance. + */ + void (*destroy)(attribute_manager_t *this); +}; + +/** + * Create a attribute_manager instance. + */ +attribute_manager_t *attribute_manager_create(); + +#endif /** ATTRIBUTE_MANAGER_H_ @}*/ diff --git a/src/libcharon/attributes/attribute_provider.h b/src/libcharon/attributes/attribute_provider.h new file mode 100644 index 000000000..57453c2a0 --- /dev/null +++ b/src/libcharon/attributes/attribute_provider.h @@ -0,0 +1,71 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup attribute_provider attribute_provider + * @{ @ingroup attributes + */ + +#ifndef ATTRIBUTE_PROVIDER_H_ +#define ATTRIBUTE_PROVIDER_H_ + +#include +#include +#include + +typedef struct attribute_provider_t attribute_provider_t; + +/** + * Interface to provide attributes to peers through attribute manager. + */ +struct attribute_provider_t { + + /** + * Acquire a virtual IP address to assign to a peer. + * + * @param pools list of pool names (char*) to acquire from + * @param ike_sa associated IKE_SA to assign address over + * @param requested IP in configuration request + * @return allocated address, NULL to serve none + */ + host_t* (*acquire_address)(attribute_provider_t *this, + linked_list_t *pools, ike_sa_t *ike_sa, + host_t *requested); + /** + * Release a previously acquired address. + * + * @param pools list of pool names (char*) to release to + * @param address address to release + * @param ike_sa IKE_SA to release address for + * @return TRUE if the address has been released by the provider + */ + bool (*release_address)(attribute_provider_t *this, + linked_list_t *pools, host_t *address, + ike_sa_t *ike_sa); + + /** + * Create an enumerator over attributes to hand out to a peer. + * + * @param pool list of pools names (char*) to query attributes from + * @param ike_sa IKE_SA to request attributes for + * @param vip list of virtual IPs (host_t*) to assign to peer + * @return enumerator (configuration_attribute_type_t, chunk_t) + */ + enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this, + linked_list_t *pools, ike_sa_t *ike_sa, + linked_list_t *vips); +}; + +#endif /** ATTRIBUTE_PROVIDER_H_ @}*/ diff --git a/src/libcharon/attributes/attributes.c b/src/libcharon/attributes/attributes.c new file mode 100644 index 000000000..9fabcf4e4 --- /dev/null +++ b/src/libcharon/attributes/attributes.c @@ -0,0 +1,114 @@ +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + + +#include "attributes.h" + +ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, HOME_AGENT_ADDRESS, + "INTERNAL_IP4_ADDRESS", + "INTERNAL_IP4_NETMASK", + "INTERNAL_IP4_DNS", + "INTERNAL_IP4_NBNS", + "INTERNAL_ADDRESS_EXPIRY", + "INTERNAL_IP4_DHCP", + "APPLICATION_VERSION", + "INTERNAL_IP6_ADDRESS", + "INTERNAL_IP6_NETMASK", + "INTERNAL_IP6_DNS", + "INTERNAL_IP6_NBNS", + "INTERNAL_IP6_DHCP", + "INTERNAL_IP4_SUBNET", + "SUPPORTED_ATTRIBUTES", + "INTERNAL_IP6_SUBNET", + "MIP6_HOME_PREFIX", + "INTERNAL_IP6_LINK", + "INTERNAL_IP6_PREFIX", + "HOME_AGENT_ADDRESS"); +ENUM_NEXT(configuration_attribute_type_names, XAUTH_TYPE, XAUTH_ANSWER, HOME_AGENT_ADDRESS, + "XAUTH_TYPE", + "XAUTH_USER_NAME", + "XAUTH_USER_PASSWORD", + "XAUTH_PASSCODE", + "XAUTH_MESSAGE", + "XAUTH_CHALLENGE", + "XAUTH_DOMAIN", + "XAUTH_STATUS", + "XAUTH_NEXT_PIN", + "XAUTH_ANSWER"); +ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_ANSWER, + "INTERNAL_IP4_SERVER", + "INTERNAL_IP6_SERVER"); +ENUM_NEXT(configuration_attribute_type_names, UNITY_BANNER, UNITY_DDNS_HOSTNAME, INTERNAL_IP6_SERVER, + "UNITY_BANNER", + "UNITY_SAVE_PASSWD", + "UNITY_DEF_DOMAIN", + "UNITY_SPLITDNS_NAME", + "UNITY_SPLIT_INCLUDE", + "UNITY_NATT_PORT", + "UNITY_LOCAL_LAN", + "UNITY_PFS", + "UNITY_FW_TYPE", + "UNITY_BACKUP_SERVERS", + "UNITY_DDNS_HOSTNAME"); +ENUM_END(configuration_attribute_type_names, UNITY_DDNS_HOSTNAME); + +ENUM_BEGIN(configuration_attribute_type_short_names, INTERNAL_IP4_ADDRESS, HOME_AGENT_ADDRESS, + "ADDR", + "MASK", + "DNS", + "NBNS", + "EXP", + "DHCP", + "VER", + "ADDR6", + "MASK6", + "DNS6", + "NBNS6", + "DHCP6", + "SUBNET", + "SUP", + "SUBNET6", + "MIP6HPFX", + "LINK6", + "PFX6", + "HOA"); +ENUM_NEXT(configuration_attribute_type_short_names, XAUTH_TYPE, XAUTH_ANSWER, HOME_AGENT_ADDRESS, + "X_TYPE", + "X_USER", + "X_PWD", + "X_CODE", + "X_MSG", + "X_CHALL", + "X_DOMAIN", + "X_STATUS", + "X_PIN", + "X_ANSWER"); +ENUM_NEXT(configuration_attribute_type_short_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_ANSWER, + "SRV", + "SRV6"); +ENUM_NEXT(configuration_attribute_type_short_names, UNITY_BANNER, UNITY_DDNS_HOSTNAME, INTERNAL_IP6_SERVER, + "U_BANNER", + "U_SAVEPWD", + "U_DEFDOM", + "U_SPLITDNS", + "U_SPLITINC", + "U_NATTPORT", + "U_LOCALLAN", + "U_PFS", + "U_FWTYPE", + "U_BKPSRV", + "U_DDNSHOST"); +ENUM_END(configuration_attribute_type_short_names, UNITY_DDNS_HOSTNAME); diff --git a/src/libcharon/attributes/attributes.h b/src/libcharon/attributes/attributes.h new file mode 100644 index 000000000..5d1e9f9ba --- /dev/null +++ b/src/libcharon/attributes/attributes.h @@ -0,0 +1,91 @@ +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup attributes_g attributes + * @{ @ingroup attributes + */ + +#ifndef ATTRIBUTES_H_ +#define ATTRIBUTES_H_ + +typedef enum configuration_attribute_type_t configuration_attribute_type_t; + +#include + +/** + * Type of the attribute, as in IKEv2 RFC 3.15.1 or IKEv1 ModeConfig. + */ +enum configuration_attribute_type_t { + INTERNAL_IP4_ADDRESS = 1, + INTERNAL_IP4_NETMASK = 2, + INTERNAL_IP4_DNS = 3, + INTERNAL_IP4_NBNS = 4, + INTERNAL_ADDRESS_EXPIRY = 5, + INTERNAL_IP4_DHCP = 6, + APPLICATION_VERSION = 7, + INTERNAL_IP6_ADDRESS = 8, + INTERNAL_IP6_NETMASK = 9, + INTERNAL_IP6_DNS = 10, + INTERNAL_IP6_NBNS = 11, + INTERNAL_IP6_DHCP = 12, + INTERNAL_IP4_SUBNET = 13, + SUPPORTED_ATTRIBUTES = 14, + INTERNAL_IP6_SUBNET = 15, + MIP6_HOME_PREFIX = 16, + INTERNAL_IP6_LINK = 17, + INTERNAL_IP6_PREFIX = 18, + HOME_AGENT_ADDRESS = 19, + /* XAUTH attributes */ + XAUTH_TYPE = 16520, + XAUTH_USER_NAME = 16521, + XAUTH_USER_PASSWORD = 16522, + XAUTH_PASSCODE = 16523, + XAUTH_MESSAGE = 16524, + XAUTH_CHALLENGE = 16525, + XAUTH_DOMAIN = 16526, + XAUTH_STATUS = 16527, + XAUTH_NEXT_PIN = 16528, + XAUTH_ANSWER = 16529, + /* proprietary Microsoft attributes */ + INTERNAL_IP4_SERVER = 23456, + INTERNAL_IP6_SERVER = 23457, + /* proprietary Cisco Unity attributes */ + UNITY_BANNER = 28672, + UNITY_SAVE_PASSWD = 28673, + UNITY_DEF_DOMAIN = 28674, + UNITY_SPLITDNS_NAME = 28675, + UNITY_SPLIT_INCLUDE = 28676, + UNITY_NATT_PORT = 28677, + UNITY_LOCAL_LAN = 28678, + UNITY_PFS = 28679, + UNITY_FW_TYPE = 28680, + UNITY_BACKUP_SERVERS = 28681, + UNITY_DDNS_HOSTNAME = 28682 +}; + +/** + * enum names for configuration_attribute_type_t. + */ +extern enum_name_t *configuration_attribute_type_names; + +/** + * Short enum names for configuration_attribute_type_t. + */ +extern enum_name_t *configuration_attribute_type_short_names; + + +#endif /** ATTRIBUTES_H_ @}*/ diff --git a/src/libcharon/attributes/mem_pool.c b/src/libcharon/attributes/mem_pool.c new file mode 100644 index 000000000..279668249 --- /dev/null +++ b/src/libcharon/attributes/mem_pool.c @@ -0,0 +1,735 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Copyright (C) 2008-2010 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "mem_pool.h" + +#include +#include +#include +#include +#include +#include + +#define POOL_LIMIT (sizeof(u_int)*8 - 1) + +typedef struct private_mem_pool_t private_mem_pool_t; + +/** + * private data of mem_pool_t + */ +struct private_mem_pool_t { + /** + * public interface + */ + mem_pool_t public; + + /** + * name of the pool + */ + char *name; + + /** + * base address of the pool + */ + host_t *base; + + /** + * whether base is the network id of the subnet on which the pool is based + */ + bool base_is_network_id; + + /** + * size of the pool + */ + u_int size; + + /** + * next unused address + */ + u_int unused; + + /** + * lease hashtable [identity => entry] + */ + hashtable_t *leases; + + /** + * lock to safely access the pool + */ + mutex_t *mutex; +}; + +/** + * A unique lease address offset, with a hash of the peer host address + */ +typedef struct { + /** lease, as offset */ + u_int offset; + /** hash of remote address, to allow duplicates */ + u_int hash; +} unique_lease_t; + +/** + * Lease entry. + */ +typedef struct { + /* identitiy reference */ + identification_t *id; + /* array of online leases, as unique_lease_t */ + array_t *online; + /* array of offline leases, as u_int offset */ + array_t *offline; +} entry_t; + +/** + * Create a new entry + */ +static entry_t* entry_create(identification_t *id) +{ + entry_t *entry; + + INIT(entry, + .id = id->clone(id), + .online = array_create(sizeof(unique_lease_t), 0), + .offline = array_create(sizeof(u_int), 0), + ); + return entry; +} + +/** + * Destroy an entry + */ +static void entry_destroy(entry_t *this) +{ + this->id->destroy(this->id); + array_destroy(this->online); + array_destroy(this->offline); + free(this); +} + +/** + * hashtable hash function for identities + */ +static u_int id_hash(identification_t *id) +{ + return chunk_hash(id->get_encoding(id)); +} + +/** + * hashtable equals function for identities + */ +static bool id_equals(identification_t *a, identification_t *b) +{ + return a->equals(a, b); +} + +/** + * convert a pool offset to an address + */ +static host_t* offset2host(private_mem_pool_t *pool, int offset) +{ + chunk_t addr; + host_t *host; + u_int32_t *pos; + + offset--; + if (offset > pool->size) + { + return NULL; + } + + addr = chunk_clone(pool->base->get_address(pool->base)); + if (pool->base->get_family(pool->base) == AF_INET6) + { + pos = (u_int32_t*)(addr.ptr + 12); + } + else + { + pos = (u_int32_t*)addr.ptr; + } + *pos = htonl(offset + ntohl(*pos)); + host = host_create_from_chunk(pool->base->get_family(pool->base), addr, 0); + free(addr.ptr); + return host; +} + +/** + * convert a host to a pool offset + */ +static int host2offset(private_mem_pool_t *pool, host_t *addr) +{ + chunk_t host, base; + u_int32_t hosti, basei; + + if (addr->get_family(addr) != pool->base->get_family(pool->base)) + { + return -1; + } + host = addr->get_address(addr); + base = pool->base->get_address(pool->base); + if (addr->get_family(addr) == AF_INET6) + { + /* only look at last /32 block */ + if (!memeq(host.ptr, base.ptr, 12)) + { + return -1; + } + host = chunk_skip(host, 12); + base = chunk_skip(base, 12); + } + hosti = ntohl(*(u_int32_t*)(host.ptr)); + basei = ntohl(*(u_int32_t*)(base.ptr)); + if (hosti > basei + pool->size) + { + return -1; + } + return hosti - basei + 1; +} + +METHOD(mem_pool_t, get_name, const char*, + private_mem_pool_t *this) +{ + return this->name; +} + +METHOD(mem_pool_t, get_base, host_t*, + private_mem_pool_t *this) +{ + return this->base; +} + +METHOD(mem_pool_t, get_size, u_int, + private_mem_pool_t *this) +{ + return this->size; +} + +METHOD(mem_pool_t, get_online, u_int, + private_mem_pool_t *this) +{ + enumerator_t *enumerator; + entry_t *entry; + u_int count = 0; + + this->mutex->lock(this->mutex); + enumerator = this->leases->create_enumerator(this->leases); + while (enumerator->enumerate(enumerator, NULL, &entry)) + { + count += array_count(entry->online); + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + + return count; +} + +METHOD(mem_pool_t, get_offline, u_int, + private_mem_pool_t *this) +{ + enumerator_t *enumerator; + entry_t *entry; + u_int count = 0; + + this->mutex->lock(this->mutex); + enumerator = this->leases->create_enumerator(this->leases); + while (enumerator->enumerate(enumerator, NULL, &entry)) + { + count += array_count(entry->offline); + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + + return count; +} + +/** + * Create a unique hash for a remote address + */ +static u_int hash_addr(host_t *addr) +{ + if (addr) + { + return chunk_hash_inc(addr->get_address(addr), addr->get_port(addr)); + } + return 0; +} + +/** + * Get an existing lease for id + */ +static int get_existing(private_mem_pool_t *this, identification_t *id, + host_t *requested, host_t *peer) +{ + enumerator_t *enumerator; + unique_lease_t *lease, reassign; + u_int *current; + entry_t *entry; + int offset = 0; + + entry = this->leases->get(this->leases, id); + if (!entry) + { + return 0; + } + + /* check for a valid offline lease, refresh */ + enumerator = array_create_enumerator(entry->offline); + if (enumerator->enumerate(enumerator, ¤t)) + { + reassign.offset = offset = *current; + reassign.hash = hash_addr(peer); + array_insert(entry->online, ARRAY_TAIL, &reassign); + array_remove_at(entry->offline, enumerator); + } + enumerator->destroy(enumerator); + if (offset) + { + DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id); + return offset; + } + if (!peer) + { + return 0; + } + /* check for a valid online lease to reassign */ + enumerator = array_create_enumerator(entry->online); + while (enumerator->enumerate(enumerator, &lease)) + { + if (lease->offset == host2offset(this, requested) && + lease->hash == hash_addr(peer)) + { + offset = lease->offset; + /* add an additional "online" entry */ + array_insert(entry->online, ARRAY_TAIL, lease); + break; + } + } + enumerator->destroy(enumerator); + if (offset) + { + DBG1(DBG_CFG, "reassigning online lease to '%Y'", id); + } + return offset; +} + +/** + * Get a new lease for id + */ +static int get_new(private_mem_pool_t *this, identification_t *id, host_t *peer) +{ + entry_t *entry; + unique_lease_t lease = {}; + + if (this->unused < this->size) + { + entry = this->leases->get(this->leases, id); + if (!entry) + { + entry = entry_create(id); + this->leases->put(this->leases, entry->id, entry); + } + /* assigning offset, starting by 1 */ + lease.offset = ++this->unused + (this->base_is_network_id ? 1 : 0); + lease.hash = hash_addr(peer); + array_insert(entry->online, ARRAY_TAIL, &lease); + DBG1(DBG_CFG, "assigning new lease to '%Y'", id); + } + return lease.offset; +} + +/** + * Get a reassigned lease for id in case the pool is full + */ +static int get_reassigned(private_mem_pool_t *this, identification_t *id, + host_t *peer) +{ + enumerator_t *enumerator; + entry_t *entry; + u_int current; + unique_lease_t lease = {}; + + enumerator = this->leases->create_enumerator(this->leases); + while (enumerator->enumerate(enumerator, NULL, &entry)) + { + if (array_remove(entry->offline, ARRAY_HEAD, ¤t)) + { + lease.offset = current; + DBG1(DBG_CFG, "reassigning existing offline lease by '%Y' " + "to '%Y'", entry->id, id); + } + if (!array_count(entry->online) && !array_count(entry->offline)) + { + this->leases->remove_at(this->leases, enumerator); + entry_destroy(entry); + } + if (lease.offset) + { + break; + } + } + enumerator->destroy(enumerator); + + if (lease.offset) + { + entry = this->leases->get(this->leases, id); + if (!entry) + { + entry = entry_create(id); + this->leases->put(this->leases, entry->id, entry); + } + lease.hash = hash_addr(peer); + array_insert(entry->online, ARRAY_TAIL, &lease); + } + return lease.offset; +} + +METHOD(mem_pool_t, acquire_address, host_t*, + private_mem_pool_t *this, identification_t *id, host_t *requested, + mem_pool_op_t operation, host_t *peer) +{ + int offset = 0; + + /* if the pool is empty (e.g. in the %config case) we simply return the + * requested address */ + if (this->size == 0) + { + return requested->clone(requested); + } + + if (requested->get_family(requested) != + this->base->get_family(this->base)) + { + return NULL; + } + + this->mutex->lock(this->mutex); + switch (operation) + { + case MEM_POOL_EXISTING: + offset = get_existing(this, id, requested, peer); + break; + case MEM_POOL_NEW: + offset = get_new(this, id, peer); + break; + case MEM_POOL_REASSIGN: + offset = get_reassigned(this, id, peer); + if (!offset) + { + DBG1(DBG_CFG, "pool '%s' is full, unable to assign address", + this->name); + } + break; + default: + break; + } + this->mutex->unlock(this->mutex); + + if (offset) + { + return offset2host(this, offset); + } + return NULL; +} + +METHOD(mem_pool_t, release_address, bool, + private_mem_pool_t *this, host_t *address, identification_t *id) +{ + enumerator_t *enumerator; + bool found = FALSE, more = FALSE; + entry_t *entry; + u_int offset; + unique_lease_t *current; + + if (this->size != 0) + { + this->mutex->lock(this->mutex); + entry = this->leases->get(this->leases, id); + if (entry) + { + offset = host2offset(this, address); + + enumerator = array_create_enumerator(entry->online); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (current->offset == offset) + { + if (!found) + { /* remove the first entry only */ + array_remove_at(entry->online, enumerator); + found = TRUE; + } + else + { /* but check for more entries */ + more = TRUE; + break; + } + } + } + enumerator->destroy(enumerator); + + if (found && !more) + { + /* no tunnels are online anymore for this lease, make offline */ + array_insert(entry->offline, ARRAY_TAIL, &offset); + DBG1(DBG_CFG, "lease %H by '%Y' went offline", address, id); + } + } + this->mutex->unlock(this->mutex); + } + return found; +} + +/** + * lease enumerator + */ +typedef struct { + /** implemented enumerator interface */ + enumerator_t public; + /** hash-table enumerator */ + enumerator_t *entries; + /** online enumerator */ + enumerator_t *online; + /** offline enumerator */ + enumerator_t *offline; + /** enumerated pool */ + private_mem_pool_t *pool; + /** currently enumerated entry */ + entry_t *entry; + /** currently enumerated lease address */ + host_t *addr; +} lease_enumerator_t; + +METHOD(enumerator_t, lease_enumerate, bool, + lease_enumerator_t *this, identification_t **id, host_t **addr, bool *online) +{ + u_int *offset; + unique_lease_t *lease; + + DESTROY_IF(this->addr); + this->addr = NULL; + + while (TRUE) + { + if (this->entry) + { + if (this->online->enumerate(this->online, &lease)) + { + *id = this->entry->id; + *addr = this->addr = offset2host(this->pool, lease->offset); + *online = TRUE; + return TRUE; + } + if (this->offline->enumerate(this->offline, &offset)) + { + *id = this->entry->id; + *addr = this->addr = offset2host(this->pool, *offset); + *online = FALSE; + return TRUE; + } + this->online->destroy(this->online); + this->offline->destroy(this->offline); + this->online = this->offline = NULL; + } + if (!this->entries->enumerate(this->entries, NULL, &this->entry)) + { + return FALSE; + } + this->online = array_create_enumerator(this->entry->online); + this->offline = array_create_enumerator(this->entry->offline); + } +} + +METHOD(enumerator_t, lease_enumerator_destroy, void, + lease_enumerator_t *this) +{ + DESTROY_IF(this->addr); + DESTROY_IF(this->online); + DESTROY_IF(this->offline); + this->entries->destroy(this->entries); + this->pool->mutex->unlock(this->pool->mutex); + free(this); +} + +METHOD(mem_pool_t, create_lease_enumerator, enumerator_t*, + private_mem_pool_t *this) +{ + lease_enumerator_t *enumerator; + + this->mutex->lock(this->mutex); + INIT(enumerator, + .public = { + .enumerate = (void*)_lease_enumerate, + .destroy = _lease_enumerator_destroy, + }, + .pool = this, + .entries = this->leases->create_enumerator(this->leases), + ); + return &enumerator->public; +} + +METHOD(mem_pool_t, destroy, void, + private_mem_pool_t *this) +{ + enumerator_t *enumerator; + entry_t *entry; + + enumerator = this->leases->create_enumerator(this->leases); + while (enumerator->enumerate(enumerator, NULL, &entry)) + { + entry_destroy(entry); + } + enumerator->destroy(enumerator); + + this->leases->destroy(this->leases); + this->mutex->destroy(this->mutex); + DESTROY_IF(this->base); + free(this->name); + free(this); +} + +/** + * Generic constructor + */ +static private_mem_pool_t *create_generic(char *name) +{ + private_mem_pool_t *this; + + INIT(this, + .public = { + .get_name = _get_name, + .get_base = _get_base, + .get_size = _get_size, + .get_online = _get_online, + .get_offline = _get_offline, + .acquire_address = _acquire_address, + .release_address = _release_address, + .create_lease_enumerator = _create_lease_enumerator, + .destroy = _destroy, + }, + .name = strdup(name), + .leases = hashtable_create((hashtable_hash_t)id_hash, + (hashtable_equals_t)id_equals, 16), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + ); + + return this; +} + +/** + * Check if the given host is the network ID of a subnet, that is, if hostbits + * are zero. Since we limit pools to 2^31 addresses we only have to check the + * last 4 bytes. + */ +static u_int network_id_diff(host_t *host, int hostbits) +{ + u_int32_t last; + chunk_t addr; + + if (!hostbits) + { + return 0; + } + addr = host->get_address(host); + last = untoh32(addr.ptr + addr.len - sizeof(last)); + hostbits = sizeof(last) * 8 - hostbits; + return (last << hostbits) >> hostbits; +} + +/** + * Described in header + */ +mem_pool_t *mem_pool_create(char *name, host_t *base, int bits) +{ + private_mem_pool_t *this; + u_int diff; + int addr_bits; + + this = create_generic(name); + if (base) + { + addr_bits = base->get_family(base) == AF_INET ? 32 : 128; + bits = max(0, min(bits, addr_bits)); + /* net bits -> host bits */ + bits = addr_bits - bits; + if (bits > POOL_LIMIT) + { + bits = POOL_LIMIT; + DBG1(DBG_CFG, "virtual IP pool too large, limiting to %H/%d", + base, addr_bits - bits); + } + this->size = 1 << bits; + this->base = base->clone(base); + + if (this->size > 2) + { + /* if base is the network id we later skip the first address, + * otherwise adjust the size to represent the actual number + * of assignable addresses */ + diff = network_id_diff(base, bits); + if (!diff) + { + this->base_is_network_id = TRUE; + this->size--; + } + else + { + this->size -= diff; + } + /* skip the last address (broadcast) of the subnet */ + this->size--; + } + else if (network_id_diff(base, bits)) + { /* only serve the second address of the subnet */ + this->size--; + } + } + return &this->public; +} + +/** + * Described in header + */ +mem_pool_t *mem_pool_create_range(char *name, host_t *from, host_t *to) +{ + private_mem_pool_t *this; + chunk_t fromaddr, toaddr; + u_int32_t diff; + + fromaddr = from->get_address(from); + toaddr = to->get_address(to); + + if (from->get_family(from) != to->get_family(to) || + fromaddr.len != toaddr.len || fromaddr.len < sizeof(diff) || + memcmp(fromaddr.ptr, toaddr.ptr, toaddr.len) > 0) + { + DBG1(DBG_CFG, "invalid IP address range: %H-%H", from, to); + return NULL; + } + if (fromaddr.len > sizeof(diff) && + !chunk_equals(chunk_create(fromaddr.ptr, fromaddr.len - sizeof(diff)), + chunk_create(toaddr.ptr, toaddr.len - sizeof(diff)))) + { + DBG1(DBG_CFG, "IP address range too large: %H-%H", from, to); + return NULL; + } + this = create_generic(name); + this->base = from->clone(from); + diff = untoh32(toaddr.ptr + toaddr.len - sizeof(diff)) - + untoh32(fromaddr.ptr + fromaddr.len - sizeof(diff)); + this->size = diff + 1; + + return &this->public; +} diff --git a/src/libcharon/attributes/mem_pool.h b/src/libcharon/attributes/mem_pool.h new file mode 100644 index 000000000..3ee1dd37d --- /dev/null +++ b/src/libcharon/attributes/mem_pool.h @@ -0,0 +1,154 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup mem_pool mem_pool + * @{ @ingroup attributes + */ + +#ifndef MEM_POOL_H +#define MEM_POOL_H + +typedef struct mem_pool_t mem_pool_t; +typedef enum mem_pool_op_t mem_pool_op_t; + +#include +#include + +/** + * In-memory IP pool acquire operation. + */ +enum mem_pool_op_t { + /** Check for an exsiting lease */ + MEM_POOL_EXISTING, + /** Get a new lease */ + MEM_POOL_NEW, + /** Replace an existing offline lease of another ID */ + MEM_POOL_REASSIGN, +}; + +/** + * An in-memory IP address pool. + */ +struct mem_pool_t { + + /** + * Get the name of this pool. + * + * @return the name of this pool + */ + const char* (*get_name)(mem_pool_t *this); + + /** + * Get the base (first) address of this pool. + * + * @return base address, internal host + */ + host_t* (*get_base)(mem_pool_t *this); + + /** + * Get the size (i.e. number of addresses) of this pool. + * + * @return the size of this pool + */ + u_int (*get_size)(mem_pool_t *this); + + /** + * Get the number of online leases. + * + * @return the number of offline leases + */ + u_int (*get_online)(mem_pool_t *this); + + /** + * Get the number of offline leases. + * + * @return the number of online leases + */ + u_int (*get_offline)(mem_pool_t *this); + + /** + * Acquire an address for the given id from this pool. + * + * This call is usually invoked several times: The first time to find an + * existing lease (MEM_POOL_EXISTING), if none found a second time to + * acquire a new lease (MEM_POOL_NEW), and if the pool is full once again + * to assign an existing offline lease (MEM_POOL_REASSIGN). + * + * If the same identity requests a virtual IP that is already assigned to + * it, the peer address and port is used to check if it is the same client + * instance that is connecting. If this is true, the request is considered + * a request for a reauthentication attempt, and the same virtual IP gets + * assigned to the peer. + * + * @param id the id to acquire an address for + * @param requested acquire this address, if possible + * @param operation acquire operation to perform, see above + * @param peer optional remote IKE address and port + * @return the acquired address + */ + host_t* (*acquire_address)(mem_pool_t *this, identification_t *id, + host_t *requested, mem_pool_op_t operation, + host_t *peer); + + /** + * Release a previously acquired address. + * + * @param address the address to release + * @param id the id the address was assigned to + * @return TRUE, if the lease was found + */ + bool (*release_address)(mem_pool_t *this, host_t *address, + identification_t *id); + + /** + * Create an enumerator over the leases of this pool. + * + * Enumerator enumerates over + * identification_t *id, host_t *address, bool online + * + * @return enumerator + */ + enumerator_t* (*create_lease_enumerator)(mem_pool_t *this); + + /** + * Destroy a mem_pool_t instance. + */ + void (*destroy)(mem_pool_t *this); +}; + +/** + * Create an in-memory IP address pool. + * + * An empty pool just returns the requested address. + * + * @param name name of this pool + * @param base base address of this pool, NULL to create an empty pool + * @param bits number of non-network bits in base, as in CIDR notation + * @return memory pool instance + */ +mem_pool_t *mem_pool_create(char *name, host_t *base, int bits); + +/** + * Create an in-memory IP address from a range. + * + * @param name name of this pool + * @param from start of ranged pool + * @param to end of ranged pool + * @return memory pool instance, NULL if range invalid + */ +mem_pool_t *mem_pool_create_range(char *name, host_t *from, host_t *to); + +#endif /** MEM_POOL_H_ @} */ diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c index cb59f976b..7938f46cc 100644 --- a/src/libcharon/bus/bus.c +++ b/src/libcharon/bus/bus.c @@ -755,6 +755,33 @@ METHOD(bus_t, ike_rekey, void, this->mutex->unlock(this->mutex); } +METHOD(bus_t, ike_update, void, + private_bus_t *this, ike_sa_t *ike_sa, bool local, host_t *new) +{ + enumerator_t *enumerator; + entry_t *entry; + bool keep; + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->ike_update) + { + continue; + } + entry->calling++; + keep = entry->listener->ike_update(entry->listener, ike_sa, local, new); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + METHOD(bus_t, ike_reestablish_pre, void, private_bus_t *this, ike_sa_t *old, ike_sa_t *new) { @@ -1006,6 +1033,7 @@ bus_t *bus_create() .child_keys = _child_keys, .ike_updown = _ike_updown, .ike_rekey = _ike_rekey, + .ike_update = _ike_update, .ike_reestablish_pre = _ike_reestablish_pre, .ike_reestablish_post = _ike_reestablish_post, .child_updown = _child_updown, diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h index e1d221ca5..051c429f9 100644 --- a/src/libcharon/bus/bus.h +++ b/src/libcharon/bus/bus.h @@ -381,6 +381,15 @@ struct bus_t { */ void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new); + /** + * IKE_SA peer endpoint update hook. + * + * @param ike_sa updated IKE_SA, having old endpoints set + * @param local TRUE if local endpoint gets updated, FALSE for remote + * @param new new endpoint address and port + */ + void (*ike_update)(bus_t *this, ike_sa_t *ike_sa, bool local, host_t *new); + /** * IKE_SA reestablishing hook (before resolving hosts). * diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h index 0910cb361..3447d8f99 100644 --- a/src/libcharon/bus/listeners/listener.h +++ b/src/libcharon/bus/listeners/listener.h @@ -127,6 +127,17 @@ struct listener_t { */ bool (*ike_rekey)(listener_t *this, ike_sa_t *old, ike_sa_t *new); + /** + * Hook called for IKE_SA peer endpoint updates. + * + * @param ike_sa updated IKE_SA, having old endpoints set + * @param local TRUE if local endpoint gets updated, FALSE for remote + * @param new new endpoint address and port + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*ike_update)(listener_t *this, ike_sa_t *ike_sa, + bool local, host_t *new); + /** * Hook called when an initiator reestablishes an IKE_SA. * diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c index 42a3e9057..9464ceb5d 100644 --- a/src/libcharon/config/ike_cfg.c +++ b/src/libcharon/config/ike_cfg.c @@ -459,25 +459,10 @@ static traffic_selector_t* make_range(char *str) { traffic_selector_t *ts; ts_type_t type; - char *pos; host_t *from, *to; - pos = strchr(str, '-'); - if (!pos) - { - return NULL; - } - to = host_create_from_string(pos + 1, 0); - if (!to) - { - return NULL; - } - str = strndup(str, pos - str); - from = host_create_from_string_and_family(str, to->get_family(to), 0); - free(str); - if (!from) + if (!host_create_from_range(str, &from, &to)) { - to->destroy(to); return NULL; } if (to->get_family(to) == AF_INET) diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c index 50d3c6f66..e59dcd9ec 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c @@ -399,10 +399,12 @@ static const struct { pseudo_random_function_t prf; } integ_prf_map[] = { {AUTH_HMAC_SHA1_96, PRF_HMAC_SHA1 }, + {AUTH_HMAC_SHA1_160, PRF_HMAC_SHA1 }, {AUTH_HMAC_SHA2_256_128, PRF_HMAC_SHA2_256 }, {AUTH_HMAC_SHA2_384_192, PRF_HMAC_SHA2_384 }, {AUTH_HMAC_SHA2_512_256, PRF_HMAC_SHA2_512 }, {AUTH_HMAC_MD5_96, PRF_HMAC_MD5 }, + {AUTH_HMAC_MD5_128, PRF_HMAC_MD5 }, {AUTH_AES_XCBC_96, PRF_AES128_XCBC }, {AUTH_CAMELLIA_XCBC_96, PRF_CAMELLIA128_XCBC }, {AUTH_AES_CMAC_96, PRF_AES128_CMAC }, diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c index 25667e532..fd8349e2f 100644 --- a/src/libcharon/control/controller.c +++ b/src/libcharon/control/controller.c @@ -303,6 +303,18 @@ METHOD(listener_t, child_state_change, bool, /* proper delete */ this->status = SUCCESS; break; + case CHILD_RETRYING: + /* retrying with a different DH group; survive another + * initiation round */ + this->status = NEED_MORE; + return TRUE; + case CHILD_CREATED: + if (this->status == NEED_MORE) + { + this->status = FAILED; + return TRUE; + } + break; default: break; } @@ -437,7 +449,7 @@ METHOD(job_t, terminate_ike_execute, job_requeue_t, ike_sa_t *ike_sa; ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, - unique_id, FALSE); + unique_id); if (!ike_sa) { DBG1(DBG_IKE, "unable to terminate IKE_SA: ID %d not found", unique_id); @@ -522,17 +534,15 @@ METHOD(job_t, terminate_child_execute, job_requeue_t, interface_job_t *job) { interface_listener_t *listener = &job->listener; - u_int32_t reqid = listener->id; - enumerator_t *enumerator; + u_int32_t id = listener->id; child_sa_t *child_sa; ike_sa_t *ike_sa; - ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, - reqid, TRUE); + ike_sa = charon->child_sa_manager->checkout_by_id(charon->child_sa_manager, + id, &child_sa); if (!ike_sa) { - DBG1(DBG_IKE, "unable to terminate, CHILD_SA with ID %d not found", - reqid); + DBG1(DBG_IKE, "unable to terminate, CHILD_SA with ID %d not found", id); listener->status = NOT_FOUND; /* release listener */ listener_done(listener); @@ -542,22 +552,10 @@ METHOD(job_t, terminate_child_execute, job_requeue_t, listener->ike_sa = ike_sa; listener->lock->unlock(listener->lock); - enumerator = ike_sa->create_child_sa_enumerator(ike_sa); - while (enumerator->enumerate(enumerator, (void**)&child_sa)) - { - if (child_sa->get_state(child_sa) != CHILD_ROUTED && - child_sa->get_reqid(child_sa) == reqid) - { - break; - } - child_sa = NULL; - } - enumerator->destroy(enumerator); - - if (!child_sa) + if (child_sa->get_state(child_sa) == CHILD_ROUTED) { DBG1(DBG_IKE, "unable to terminate, established " - "CHILD_SA with ID %d not found", reqid); + "CHILD_SA with ID %d not found", id); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); listener->status = NOT_FOUND; /* release listener */ @@ -584,7 +582,7 @@ METHOD(job_t, terminate_child_execute, job_requeue_t, } METHOD(controller_t, terminate_child, status_t, - controller_t *this, u_int32_t reqid, + controller_t *this, u_int32_t unique_id, controller_cb_t callback, void *param, u_int timeout) { interface_job_t *job; @@ -605,7 +603,7 @@ METHOD(controller_t, terminate_child, status_t, .param = param, }, .status = FAILED, - .id = reqid, + .id = unique_id, .lock = spinlock_create(), }, .public = { diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h index 222285cde..02f4ebb2b 100644 --- a/src/libcharon/control/controller.h +++ b/src/libcharon/control/controller.h @@ -118,7 +118,7 @@ struct controller_t { * If a callback is provided the function is synchronous and thus blocks * until the CHILD_SA is properly deleted, or the call timed out. * - * @param reqid reqid of the CHILD_SA to terminate + * @param unique_id CHILD_SA unique ID to terminate * @param cb logging callback * @param param parameter to include in each call of cb * @param timeout timeout in ms to wait for callbacks, 0 to disable @@ -128,7 +128,7 @@ struct controller_t { * - NEED_MORE, if callback returned FALSE * - OUT_OF_RES if timed out */ - status_t (*terminate_child)(controller_t *this, u_int32_t reqid, + status_t (*terminate_child)(controller_t *this, u_int32_t unique_id, controller_cb_t callback, void *param, u_int timeout); diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index 3ae7c4e6f..b1b8f57f0 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c @@ -474,12 +474,15 @@ static void destroy(private_daemon_t *this) DESTROY_IF(this->public.connect_manager); DESTROY_IF(this->public.mediation_manager); #endif /* ME */ - /* make sure the cache is clear before unloading plugins */ + /* make sure the cache and scheduler are clear before unloading plugins */ lib->credmgr->flush_cache(lib->credmgr, CERT_ANY); + lib->scheduler->flush(lib->scheduler); lib->plugins->unload(lib->plugins); + DESTROY_IF(this->public.attributes); DESTROY_IF(this->kernel_handler); DESTROY_IF(this->public.traps); DESTROY_IF(this->public.shunts); + DESTROY_IF(this->public.child_sa_manager); DESTROY_IF(this->public.ike_sa_manager); DESTROY_IF(this->public.controller); DESTROY_IF(this->public.eap); @@ -606,6 +609,7 @@ METHOD(daemon_t, initialize, bool, { return FALSE; } + this->public.child_sa_manager = child_sa_manager_create(); /* Queue start_action job */ lib->processor->queue_job(lib->processor, (job_t*)start_action_job_create()); @@ -642,6 +646,7 @@ private_daemon_t *daemon_create() .ref = 1, ); charon = &this->public; + this->public.attributes = attribute_manager_create(); this->public.controller = controller_create(); this->public.eap = eap_manager_create(); this->public.xauth = xauth_manager_create(); diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h index 36242bb04..d16bf1ddb 100644 --- a/src/libcharon/daemon.h +++ b/src/libcharon/daemon.h @@ -19,6 +19,9 @@ /** * @defgroup libcharon libcharon * + * @defgroup attributes attributes + * @ingroup libcharon + * * @defgroup bus bus * @ingroup libcharon * @@ -152,12 +155,14 @@ typedef struct daemon_t daemon_t; +#include #include #include #include #include #include #include +#include #include #include #include @@ -214,6 +219,11 @@ struct daemon_t { */ ike_sa_manager_t *ike_sa_manager; + /** + * A child_sa_manager_t instance. + */ + child_sa_manager_t *child_sa_manager; + /** * Manager for triggering policies, called traps */ @@ -239,6 +249,11 @@ struct daemon_t { */ receiver_t *receiver; + /** + * Manager for IKE configuration attributes + */ + attribute_manager_t *attributes; + /** * The signaling bus. */ diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c index cb6c97f25..0a596ffb0 100644 --- a/src/libcharon/encoding/message.c +++ b/src/libcharon/encoding/message.c @@ -180,6 +180,7 @@ static payload_order_t ike_sa_init_r_order[] = { */ static payload_rule_t ike_auth_i_rules[] = { /* payload type min max encr suff */ + {PLV2_FRAGMENT, 0, 1, TRUE, TRUE}, {PLV2_NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE}, {PLV2_EAP, 0, 1, TRUE, TRUE}, {PLV2_AUTH, 0, 1, TRUE, TRUE}, @@ -227,6 +228,7 @@ static payload_order_t ike_auth_i_order[] = { {PLV2_NOTIFY, NO_ADDITIONAL_ADDRESSES}, {PLV2_NOTIFY, 0}, {PLV2_VENDOR_ID, 0}, + {PLV2_FRAGMENT, 0}, }; /** @@ -234,6 +236,7 @@ static payload_order_t ike_auth_i_order[] = { */ static payload_rule_t ike_auth_r_rules[] = { /* payload type min max encr suff */ + {PLV2_FRAGMENT, 0, 1, TRUE, TRUE}, {PLV2_NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE}, {PLV2_EAP, 0, 1, TRUE, TRUE}, {PLV2_AUTH, 0, 1, TRUE, TRUE}, @@ -270,6 +273,7 @@ static payload_order_t ike_auth_r_order[] = { {PLV2_NOTIFY, NO_ADDITIONAL_ADDRESSES}, {PLV2_NOTIFY, 0}, {PLV2_VENDOR_ID, 0}, + {PLV2_FRAGMENT, 0}, }; /** @@ -277,6 +281,7 @@ static payload_order_t ike_auth_r_order[] = { */ static payload_rule_t informational_i_rules[] = { /* payload type min max encr suff */ + {PLV2_FRAGMENT, 0, 1, TRUE, TRUE}, {PLV2_NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE}, {PLV2_CONFIGURATION, 0, 1, TRUE, FALSE}, {PLV2_DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE}, @@ -295,6 +300,7 @@ static payload_order_t informational_i_order[] = { {PLV2_NOTIFY, 0}, {PLV2_DELETE, 0}, {PLV2_CONFIGURATION, 0}, + {PLV2_FRAGMENT, 0}, }; /** @@ -302,6 +308,7 @@ static payload_order_t informational_i_order[] = { */ static payload_rule_t informational_r_rules[] = { /* payload type min max encr suff */ + {PLV2_FRAGMENT, 0, 1, TRUE, TRUE}, {PLV2_NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE}, {PLV2_CONFIGURATION, 0, 1, TRUE, FALSE}, {PLV2_DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE}, @@ -320,6 +327,7 @@ static payload_order_t informational_r_order[] = { {PLV2_NOTIFY, 0}, {PLV2_DELETE, 0}, {PLV2_CONFIGURATION, 0}, + {PLV2_FRAGMENT, 0}, }; /** @@ -327,6 +335,7 @@ static payload_order_t informational_r_order[] = { */ static payload_rule_t create_child_sa_i_rules[] = { /* payload type min max encr suff */ + {PLV2_FRAGMENT, 0, 1, TRUE, TRUE}, {PLV2_NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE}, {PLV2_SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE}, {PLV2_NONCE, 1, 1, TRUE, FALSE}, @@ -353,6 +362,7 @@ static payload_order_t create_child_sa_i_order[] = { {PLV2_TS_INITIATOR, 0}, {PLV2_TS_RESPONDER, 0}, {PLV2_NOTIFY, 0}, + {PLV2_FRAGMENT, 0}, }; /** @@ -360,6 +370,7 @@ static payload_order_t create_child_sa_i_order[] = { */ static payload_rule_t create_child_sa_r_rules[] = { /* payload type min max encr suff */ + {PLV2_FRAGMENT, 0, 1, TRUE, TRUE}, {PLV2_NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE}, {PLV2_SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE}, {PLV2_NONCE, 1, 1, TRUE, FALSE}, @@ -386,6 +397,7 @@ static payload_order_t create_child_sa_r_order[] = { {PLV2_TS_RESPONDER, 0}, {PLV2_NOTIFY, ADDITIONAL_TS_POSSIBLE}, {PLV2_NOTIFY, 0}, + {PLV2_FRAGMENT, 0}, }; #ifdef ME @@ -2143,6 +2155,8 @@ METHOD(message_t, parse_header, status_t, } ike_header->destroy(ike_header); + this->parser->set_major_version(this->parser, this->major_version); + DBG2(DBG_ENC, "parsed a %N %s header", exchange_type_names, this->exchange_type, this->major_version == IKEV1_MAJOR_VERSION ? "message" : (this->is_request ? "request" : "response")); @@ -2463,7 +2477,7 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat) was_encrypted = "encrypted fragment payload"; } - if (payload_is_known(type) && !was_encrypted && + if (payload_is_known(type, this->major_version) && !was_encrypted && !is_connectivity_check(this, payload) && this->exchange_type != AGGRESSIVE) { diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c index d6240fde2..f8340367e 100644 --- a/src/libcharon/encoding/parser.c +++ b/src/libcharon/encoding/parser.c @@ -58,6 +58,11 @@ struct private_parser_t { */ parser_t public; + /** + * major IKE version + */ + u_int8_t major_version; + /** * Current bit for reading in input data. */ @@ -369,7 +374,14 @@ METHOD(parser_t, parse_payload, status_t, encoding_rule_t *rule; /* create instance of the payload to parse */ - pld = payload_create(payload_type); + if (payload_is_known(payload_type, this->major_version)) + { + pld = payload_create(payload_type); + } + else + { + pld = (payload_t*)unknown_payload_create(payload_type); + } DBG2(DBG_ENC, "parsing %N payload, %d bytes left", payload_type_names, payload_type, this->input_roof - this->byte_pos); @@ -629,6 +641,12 @@ METHOD(parser_t, reset_context, void, this->bit_pos = 0; } +METHOD(parser_t, set_major_version, void, + private_parser_t *this, u_int8_t major_version) +{ + this->major_version = major_version; +} + METHOD(parser_t, destroy, void, private_parser_t *this) { @@ -646,6 +664,7 @@ parser_t *parser_create(chunk_t data) .public = { .parse_payload = _parse_payload, .reset_context = _reset_context, + .set_major_version = _set_major_version, .get_remaining_byte_count = _get_remaining_byte_count, .destroy = _destroy, }, diff --git a/src/libcharon/encoding/parser.h b/src/libcharon/encoding/parser.h index 27c5f03fe..5fd3e86ee 100644 --- a/src/libcharon/encoding/parser.h +++ b/src/libcharon/encoding/parser.h @@ -29,7 +29,7 @@ typedef struct parser_t parser_t; #include /** - * A parser_t class to parse IKEv2 payloads. + * A parser_t class to parse IKE payloads. * * A parser is used for parsing one chunk of data. Multiple * payloads can be parsed out of the chunk using parse_payload. @@ -50,7 +50,8 @@ struct parser_t { * - SUCCESSFUL if succeeded, * - PARSE_ERROR if corrupted/invalid data found */ - status_t (*parse_payload) (parser_t *this, payload_type_t payload_type, payload_t **payload); + status_t (*parse_payload) (parser_t *this, payload_type_t payload_type, + payload_t **payload); /** * Gets the remaining byte count which is not currently parsed. @@ -62,6 +63,13 @@ struct parser_t { */ void (*reset_context) (parser_t *this); + /** + * Set the major IKE version. + * + * @param major_version the major IKE version + */ + void (*set_major_version) (parser_t *this, u_int8_t major_version); + /** * Destroys a parser_t object. */ diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c index c2ab3b951..f11ea485c 100644 --- a/src/libcharon/encoding/payloads/delete_payload.c +++ b/src/libcharon/encoding/payloads/delete_payload.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter @@ -281,6 +282,19 @@ METHOD(delete_payload_t, set_ike_spi, void, this->payload_length = get_header_length(this) + this->spi_size; } +METHOD(delete_payload_t, get_ike_spi, bool, + private_delete_payload_t *this, u_int64_t *spi_i, u_int64_t *spi_r) +{ + if (this->protocol_id != PROTO_IKE || + this->spis.len < 2 * sizeof(u_int64_t)) + { + return FALSE; + } + memcpy(spi_i, this->spis.ptr, sizeof(u_int64_t)); + memcpy(spi_r, this->spis.ptr + sizeof(u_int64_t), sizeof(u_int64_t)); + return TRUE; +} + /** * SPI enumerator implementation */ @@ -352,6 +366,7 @@ delete_payload_t *delete_payload_create(payload_type_t type, .get_protocol_id = _get_protocol_id, .add_spi = _add_spi, .set_ike_spi = _set_ike_spi, + .get_ike_spi = _get_ike_spi, .create_spi_enumerator = _create_spi_enumerator, .destroy = _destroy, }, diff --git a/src/libcharon/encoding/payloads/delete_payload.h b/src/libcharon/encoding/payloads/delete_payload.h index 46a89eab6..6728718cd 100644 --- a/src/libcharon/encoding/payloads/delete_payload.h +++ b/src/libcharon/encoding/payloads/delete_payload.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -60,6 +61,15 @@ struct delete_payload_t { */ void (*set_ike_spi)(delete_payload_t *this, u_int64_t spi_i, u_int64_t spi_r); + /** + * Get the IKE SPIs from an IKEv1 delete. + * + * @param spi_i initiator SPI + * @param spi_r responder SPI + * @return TRUE if SPIs extracted successfully + */ + bool (*get_ike_spi)(delete_payload_t *this, u_int64_t *spi_i, u_int64_t *spi_r); + /** * Get an enumerator over the SPIs in network order. * diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c index 5c574c34d..04372fdf0 100644 --- a/src/libcharon/encoding/payloads/encrypted_payload.c +++ b/src/libcharon/encoding/payloads/encrypted_payload.c @@ -561,6 +561,7 @@ static status_t parse(private_encrypted_payload_t *this, chunk_t plain) payload_type_t type; parser = parser_create(plain); + parser->set_major_version(parser, this->type == PLV1_ENCRYPTED ? 1 : 2); type = this->next_payload; while (type != PL_NONE) { diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c index a002a8f21..bb8aab748 100644 --- a/src/libcharon/encoding/payloads/id_payload.c +++ b/src/libcharon/encoding/payloads/id_payload.c @@ -258,17 +258,20 @@ static traffic_selector_t *get_ts_from_range(private_id_payload_t *this, static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this, ts_type_t type) { + traffic_selector_t *ts; chunk_t net, netmask; int i; net = chunk_create(this->id_data.ptr, this->id_data.len / 2); - netmask = chunk_skip(this->id_data, this->id_data.len / 2); + netmask = chunk_clone(chunk_skip(this->id_data, this->id_data.len / 2)); for (i = 0; i < net.len; i++) { netmask.ptr[i] = (netmask.ptr[i] ^ 0xFF) | net.ptr[i]; } - return traffic_selector_create_from_bytes(this->protocol_id, type, + ts = traffic_selector_create_from_bytes(this->protocol_id, type, net, this->port, netmask, this->port ?: 65535); + chunk_free(&netmask); + return ts; } /** diff --git a/src/libcharon/encoding/payloads/ke_payload.c b/src/libcharon/encoding/payloads/ke_payload.c index 4f552d6ac..50fd73f90 100644 --- a/src/libcharon/encoding/payloads/ke_payload.c +++ b/src/libcharon/encoding/payloads/ke_payload.c @@ -247,9 +247,15 @@ ke_payload_t *ke_payload_create(payload_type_t type) ke_payload_t *ke_payload_create_from_diffie_hellman(payload_type_t type, diffie_hellman_t *dh) { - private_ke_payload_t *this = (private_ke_payload_t*)ke_payload_create(type); + private_ke_payload_t *this; + chunk_t value; - dh->get_my_public_value(dh, &this->key_exchange_data); + if (!dh->get_my_public_value(dh, &value)) + { + return NULL; + } + this = (private_ke_payload_t*)ke_payload_create(type); + this->key_exchange_data = value; this->dh_group_number = dh->get_dh_group(dh); this->payload_length += this->key_exchange_data.len; diff --git a/src/libcharon/encoding/payloads/ke_payload.h b/src/libcharon/encoding/payloads/ke_payload.h index dfc6308b4..96c5096a5 100644 --- a/src/libcharon/encoding/payloads/ke_payload.h +++ b/src/libcharon/encoding/payloads/ke_payload.h @@ -73,7 +73,7 @@ ke_payload_t *ke_payload_create(payload_type_t type); * * @param type PLV2_KEY_EXCHANGE or PLV1_KEY_EXCHANGE * @param dh diffie hellman object containing group and key - * @return ke_payload_t object + * @return ke_payload_t object, NULL on error */ ke_payload_t *ke_payload_create_from_diffie_hellman(payload_type_t type, diffie_hellman_t *dh); diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c index 94723ddd7..f32a1273f 100644 --- a/src/libcharon/encoding/payloads/notify_payload.c +++ b/src/libcharon/encoding/payloads/notify_payload.c @@ -65,7 +65,7 @@ ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_ "ME_CONNECT_FAILED"); ENUM_NEXT(notify_type_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED, "MS_NOTIFY_STATUS"); -ENUM_NEXT(notify_type_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_NOTIFY_STATUS, +ENUM_NEXT(notify_type_names, INITIAL_CONTACT, SIGNATURE_HASH_ALGORITHMS, MS_NOTIFY_STATUS, "INITIAL_CONTACT", "SET_WINDOW_SIZE", "ADDITIONAL_TS_POSSIBLE", @@ -112,8 +112,9 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_NOTIFY "ERX_SUPPORTED", "IFOM_CAPABILITY", "SENDER_REQUEST_ID", - "FRAGMENTATION_SUPPORTED"); -ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, FRAGMENTATION_SUPPORTED, + "FRAGMENTATION_SUPPORTED", + "SIGNATURE_HASH_ALGORITHMS"); +ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, SIGNATURE_HASH_ALGORITHMS, "INITIAL_CONTACT"); ENUM_NEXT(notify_type_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1, "DPD_R_U_THERE", @@ -174,7 +175,7 @@ ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_S "ME_CONN_FAIL"); ENUM_NEXT(notify_type_short_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED, "MS_STATUS"); -ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_NOTIFY_STATUS, +ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, SIGNATURE_HASH_ALGORITHMS, MS_NOTIFY_STATUS, "INIT_CONTACT", "SET_WINSIZE", "ADD_TS_POSS", @@ -221,8 +222,9 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_ "ERX_SUP", "IFOM_CAP", "SENDER_REQ_ID", - "FRAG_SUP"); -ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, FRAGMENTATION_SUPPORTED, + "FRAG_SUP", + "HASH_ALG"); +ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, SIGNATURE_HASH_ALGORITHMS, "INITIAL_CONTACT"); ENUM_NEXT(notify_type_short_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1, "DPD", @@ -473,6 +475,14 @@ METHOD(payload_t, verify, status_t, } break; } + case SIGNATURE_HASH_ALGORITHMS: + { + if (this->notify_data.len % 2) + { + bad_length = TRUE; + } + break; + } case AUTH_LIFETIME: { if (this->notify_data.len != 4) diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h index 25521c2bb..690757383 100644 --- a/src/libcharon/encoding/payloads/notify_payload.h +++ b/src/libcharon/encoding/payloads/notify_payload.h @@ -151,6 +151,8 @@ enum notify_type_t { SENDER_REQUEST_ID = 16429, /* IKEv2 fragmentation supported, RFC 7383 */ FRAGMENTATION_SUPPORTED = 16430, + /* Signature Hash Algorithms, RFC 7427 */ + SIGNATURE_HASH_ALGORITHMS = 16431, /* IKEv1 initial contact */ INITIAL_CONTACT_IKEV1 = 24578, /* IKEv1 DPD */ diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c index 600b6dd68..a1cd2f945 100644 --- a/src/libcharon/encoding/payloads/payload.c +++ b/src/libcharon/encoding/payloads/payload.c @@ -266,37 +266,51 @@ payload_t *payload_create(payload_type_t type) /** * See header. */ -bool payload_is_known(payload_type_t type) +bool payload_is_known(payload_type_t type, u_int8_t maj_ver) { - if (type == PL_HEADER) + if (type >= PL_HEADER) { return TRUE; } - if (type >= PLV1_SECURITY_ASSOCIATION && type <= PLV1_CONFIGURATION) + switch (maj_ver) { - return TRUE; - } - if (type >= PLV1_NAT_D && type <= PLV1_NAT_OA) - { - return TRUE; - } - if (type >= PLV2_SECURITY_ASSOCIATION && type <= PLV2_EAP) - { - return TRUE; - } - if (type == PLV2_FRAGMENT) - { - return TRUE; - } + case 0: + case IKEV1_MAJOR_VERSION: + if (type >= PLV1_SECURITY_ASSOCIATION && type <= PLV1_CONFIGURATION) + { + return TRUE; + } + if (type >= PLV1_NAT_D && type <= PLV1_NAT_OA) + { + return TRUE; + } + if (type >= PLV1_NAT_D_DRAFT_00_03 && type <= PLV1_FRAGMENT) + { + return TRUE; + } + if (maj_ver) + { + break; + } + /* fall-through */ + case IKEV2_MAJOR_VERSION: + if (type >= PLV2_SECURITY_ASSOCIATION && type <= PLV2_EAP) + { + return TRUE; + } + if (type == PLV2_FRAGMENT) + { + return TRUE; + } #ifdef ME - if (type == PLV2_ID_PEER) - { - return TRUE; - } + if (type == PLV2_ID_PEER) + { + return TRUE; + } #endif - if (type >= PLV1_NAT_D_DRAFT_00_03 && type <= PLV1_FRAGMENT) - { - return TRUE; + break; + default: + break; } return FALSE; } diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h index 036cd422d..920779bd1 100644 --- a/src/libcharon/encoding/payloads/payload.h +++ b/src/libcharon/encoding/payloads/payload.h @@ -405,9 +405,10 @@ payload_t *payload_create(payload_type_t type); * Check if a specific payload is implemented, or handled as unknown payload. * * @param type type of the payload to check + * @param maj_ver major IKE version (use 0 to skip version check) * @return FALSE if payload type handled as unknown payload */ -bool payload_is_known(payload_type_t type); +bool payload_is_known(payload_type_t type, u_int8_t maj_ver); /** * Get the value field in a payload using encoding rules. diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 53e8cf3ad..48dcfeb24 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2014 Tobias Brunner * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -224,26 +224,7 @@ typedef enum { /* FreeS/WAN proprietary */ IKEV1_ESP_ENCR_SERPENT = 252, IKEV1_ESP_ENCR_TWOFISH = 253, -} ikev1_esp_encr_transid_t; - -/** - * IKEv1 Transform ID ESP authentication algorithm. - */ -typedef enum { - IKEV1_ESP_AUTH_HMAC_MD5 = 1, - IKEV1_ESP_AUTH_HMAC_SHA = 2, - IKEV1_ESP_AUTH_DES_MAC = 3, - IKEV1_ESP_AUTH_KPDK = 4, - IKEV1_ESP_AUTH_HMAC_SHA2_256 = 5, - IKEV1_ESP_AUTH_HMAC_SHA2_384 = 6, - IKEV1_ESP_AUTH_HMAC_SHA2_512 = 7, - IKEV1_ESP_AUTH_HMAC_RIPEMD = 8, - IKEV1_ESP_AUTH_AES_XCBC_MAC = 9, - IKEV1_ESP_AUTH_SIG_RSA = 10, - IKEV1_ESP_AUTH_AES_128_GMAC = 11, - IKEV1_ESP_AUTH_AES_192_GMAC = 12, - IKEV1_ESP_AUTH_AES_256_GMAC = 13, -} ikev1_esp_auth_transid_it; +} ikev1_esp_transid_t; /** * IKEv1 Transform ID AH authentication algorithm. @@ -263,6 +244,25 @@ typedef enum { IKEV1_AH_AES_256_GMAC = 13, } ikev1_ah_transid_t; +/** + * IKEv1 authentication algorithm. + */ +typedef enum { + IKEV1_AUTH_HMAC_MD5 = 1, + IKEV1_AUTH_HMAC_SHA = 2, + IKEV1_AUTH_DES_MAC = 3, + IKEV1_AUTH_KPDK = 4, + IKEV1_AUTH_HMAC_SHA2_256 = 5, + IKEV1_AUTH_HMAC_SHA2_384 = 6, + IKEV1_AUTH_HMAC_SHA2_512 = 7, + IKEV1_AUTH_HMAC_RIPEMD = 8, + IKEV1_AUTH_AES_XCBC_MAC = 9, + IKEV1_AUTH_SIG_RSA = 10, + IKEV1_AUTH_AES_128_GMAC = 11, + IKEV1_AUTH_AES_192_GMAC = 12, + IKEV1_AUTH_AES_256_GMAC = 13, +} ikev1_auth_algo_t; + /** * IKEv1 ESP Encapsulation mode. */ @@ -345,7 +345,7 @@ METHOD(payload_t, verify, status_t, switch (this->protocol_id) { case PROTO_IPCOMP: - if (this->spi.len != 2) + if (this->spi.len != 2 && this->spi.len != 4) { DBG1(DBG_ENC, "invalid CPI length in IPCOMP proposal"); return FAILED; @@ -536,7 +536,7 @@ METHOD(proposal_substructure_t, get_cpi, bool, { if (cpi) { - *cpi = *((u_int16_t*)this->spi.ptr); + *cpi = htons(untoh16(this->spi.ptr + this->spi.len - 2)); } enumerator->destroy(enumerator); return TRUE; @@ -620,7 +620,7 @@ static algo_map_t map_prf[] = { /** * ESP encryption algorithm mapping */ -static algo_map_t map_esp_encr[] = { +static algo_map_t map_esp[] = { { IKEV1_ESP_ENCR_DES_IV64, ENCR_DES_IV64 }, { IKEV1_ESP_ENCR_DES, ENCR_DES }, { IKEV1_ESP_ENCR_3DES, ENCR_3DES }, @@ -645,23 +645,6 @@ static algo_map_t map_esp_encr[] = { { IKEV1_ESP_ENCR_TWOFISH, ENCR_TWOFISH_CBC }, }; -/** - * ESP authentication algorithm mapping - */ -static algo_map_t map_esp_auth[] = { - { IKEV1_ESP_AUTH_HMAC_MD5, AUTH_HMAC_MD5_96 }, - { IKEV1_ESP_AUTH_HMAC_SHA, AUTH_HMAC_SHA1_96 }, - { IKEV1_ESP_AUTH_DES_MAC, AUTH_DES_MAC }, - { IKEV1_ESP_AUTH_KPDK, AUTH_KPDK_MD5 }, - { IKEV1_ESP_AUTH_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128 }, - { IKEV1_ESP_AUTH_HMAC_SHA2_384, AUTH_HMAC_SHA2_384_192 }, - { IKEV1_ESP_AUTH_HMAC_SHA2_512, AUTH_HMAC_SHA2_512_256 }, - { IKEV1_ESP_AUTH_AES_XCBC_MAC, AUTH_AES_XCBC_96 }, - { IKEV1_ESP_AUTH_AES_128_GMAC, AUTH_AES_128_GMAC }, - { IKEV1_ESP_AUTH_AES_192_GMAC, AUTH_AES_192_GMAC }, - { IKEV1_ESP_AUTH_AES_256_GMAC, AUTH_AES_256_GMAC }, -}; - /** * AH authentication algorithm mapping */ @@ -679,34 +662,30 @@ static algo_map_t map_ah[] = { }; /** - * Get IKEv2 algorithm from IKEv1 identifier + * ESP/AH authentication algorithm mapping */ -static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value) +static algo_map_t map_auth[] = { + { IKEV1_AUTH_HMAC_MD5, AUTH_HMAC_MD5_96 }, + { IKEV1_AUTH_HMAC_SHA, AUTH_HMAC_SHA1_96 }, + { IKEV1_AUTH_DES_MAC, AUTH_DES_MAC }, + { IKEV1_AUTH_KPDK, AUTH_KPDK_MD5 }, + { IKEV1_AUTH_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128 }, + { IKEV1_AUTH_HMAC_SHA2_384, AUTH_HMAC_SHA2_384_192 }, + { IKEV1_AUTH_HMAC_SHA2_512, AUTH_HMAC_SHA2_512_256 }, + { IKEV1_AUTH_AES_XCBC_MAC, AUTH_AES_XCBC_96 }, + { IKEV1_AUTH_AES_128_GMAC, AUTH_AES_128_GMAC }, + { IKEV1_AUTH_AES_192_GMAC, AUTH_AES_192_GMAC }, + { IKEV1_AUTH_AES_256_GMAC, AUTH_AES_256_GMAC }, +}; + +/** + * Map an IKEv1 to an IKEv2 identifier + */ +static u_int16_t ikev2_from_ikev1(algo_map_t *map, int count, u_int16_t def, + u_int16_t value) { - algo_map_t *map; - u_int16_t def; - int i, count; + int i; - switch (type) - { - case ENCRYPTION_ALGORITHM: - map = map_encr; - count = countof(map_encr); - def = ENCR_UNDEFINED; - break; - case INTEGRITY_ALGORITHM: - map = map_integ; - count = countof(map_integ); - def = AUTH_UNDEFINED; - break; - case PSEUDO_RANDOM_FUNCTION: - map = map_prf; - count = countof(map_prf); - def = PRF_UNDEFINED; - break; - default: - return 0; - } for (i = 0; i < count; i++) { if (map[i].ikev1 == value) @@ -718,30 +697,12 @@ static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value) } /** - * Get IKEv1 algorithm from IKEv2 identifier + * Map an IKEv2 to an IKEv1 identifier */ -static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value) +static u_int16_t ikev1_from_ikev2(algo_map_t *map, int count, u_int16_t value) { - algo_map_t *map; - int i, count; + int i; - switch (type) - { - case ENCRYPTION_ALGORITHM: - map = map_encr; - count = countof(map_encr); - break; - case INTEGRITY_ALGORITHM: - map = map_integ; - count = countof(map_integ); - break; - case PSEUDO_RANDOM_FUNCTION: - map = map_prf; - count = countof(map_prf); - break; - default: - return 0; - } for (i = 0; i < count; i++) { if (map[i].ikev2 == value) @@ -753,87 +714,96 @@ static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value) } /** - * Get IKEv2 algorithm from IKEv1 ESP transaction ID + * Get IKEv2 algorithm from IKEv1 identifier */ -static u_int16_t get_alg_from_ikev1_transid(protocol_id_t proto, - transform_type_t type, u_int16_t value) +static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value) { - algo_map_t *map; - u_int16_t def; - int i, count; - switch (type) { case ENCRYPTION_ALGORITHM: - map = map_esp_encr; - count = countof(map_esp_encr); - def = ENCR_UNDEFINED; - break; + return ikev2_from_ikev1(map_encr, countof(map_encr), + ENCR_UNDEFINED, value); case INTEGRITY_ALGORITHM: - if (proto == PROTO_ESP) - { - map = map_esp_auth; - count = countof(map_esp_auth); - } - else - { - map = map_ah; - count = countof(map_ah); - } - def = AUTH_UNDEFINED; - break; + return ikev2_from_ikev1(map_integ, countof(map_integ), + AUTH_UNDEFINED, value); + case PSEUDO_RANDOM_FUNCTION: + return ikev2_from_ikev1(map_prf, countof(map_prf), + PRF_UNDEFINED, value); default: return 0; } - for (i = 0; i < count; i++) +} + +/** + * Get IKEv1 algorithm from IKEv2 identifier + */ +static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value) +{ + switch (type) { - if (map[i].ikev1 == value) - { - return map[i].ikev2; - } + case ENCRYPTION_ALGORITHM: + return ikev1_from_ikev2(map_encr, countof(map_encr), value); + case INTEGRITY_ALGORITHM: + return ikev1_from_ikev2(map_integ, countof(map_integ), value); + case PSEUDO_RANDOM_FUNCTION: + return ikev1_from_ikev2(map_prf, countof(map_prf), value); + default: + return 0; } - return def; } /** - * Get IKEv1 ESP/AH transaction ID from IKEv2 identifier + * Get IKEv2 algorithm from IKEv1 ESP/AH transform ID */ -static u_int16_t get_ikev1_transid_from_alg(protocol_id_t proto, - transform_type_t type, u_int16_t value) +static u_int16_t get_alg_from_ikev1_transid(transform_type_t type, + u_int16_t value) { - algo_map_t *map; - int i, count; - switch (type) { case ENCRYPTION_ALGORITHM: - map = map_esp_encr; - count = countof(map_esp_encr); - break; + return ikev2_from_ikev1(map_esp, countof(map_esp), + ENCR_UNDEFINED, value); case INTEGRITY_ALGORITHM: - if (proto == PROTO_ESP) - { - map = map_esp_auth; - count = countof(map_esp_auth); - } - else - { - map = map_ah; - count = countof(map_ah); - } - break; + return ikev2_from_ikev1(map_ah, countof(map_ah), + AUTH_UNDEFINED, value); default: return 0; } - for (i = 0; i < count; i++) +} + +/** + * Get IKEv1 ESP/AH transform ID from IKEv2 identifier + */ +static u_int16_t get_ikev1_transid_from_alg(transform_type_t type, + u_int16_t value) +{ + switch (type) { - if (map[i].ikev2 == value) - { - return map[i].ikev1; - } + case ENCRYPTION_ALGORITHM: + return ikev1_from_ikev2(map_esp, countof(map_esp), value); + case INTEGRITY_ALGORITHM: + return ikev1_from_ikev2(map_ah, countof(map_ah), value); + default: + return 0; } - return 0; } + +/** + * Get IKEv1 authentication algorithm from IKEv2 identifier + */ +static u_int16_t get_alg_from_ikev1_auth(u_int16_t value) +{ + return ikev2_from_ikev1(map_auth, countof(map_auth), AUTH_UNDEFINED, value); +} + +/** + * Get IKEv1 authentication algorithm from IKEv2 identifier + */ +static u_int16_t get_ikev1_auth_from_alg(u_int16_t value) +{ + return ikev1_from_ikev2(map_auth, countof(map_auth), value); +} + /** * Get IKEv1 authentication attribute from auth_method_t */ @@ -971,8 +941,7 @@ static void add_to_proposal_v1(proposal_t *proposal, break; case TATTR_PH2_AUTH_ALGORITHM: proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, - get_alg_from_ikev1_transid(proto, INTEGRITY_ALGORITHM, - value), 0); + get_alg_from_ikev1_auth(value), 0); break; case TATTR_PH2_GROUP: proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, @@ -989,7 +958,7 @@ static void add_to_proposal_v1(proposal_t *proposal, NO_EXT_SEQ_NUMBERS, 0); if (proto == PROTO_ESP) { - encr = get_alg_from_ikev1_transid(proto, ENCRYPTION_ALGORITHM, + encr = get_alg_from_ikev1_transid(ENCRYPTION_ALGORITHM, transform->get_transform_id(transform)); if (encr) { @@ -1354,19 +1323,17 @@ static void set_from_proposal_v1(private_proposal_substructure_t *this, ipsec_mode_t mode, encap_t udp, int number) { transform_substructure_t *transform = NULL; - u_int16_t alg, key_size; + u_int16_t alg, transid, key_size; enumerator_t *enumerator; - protocol_id_t proto; - proto = proposal->get_protocol(proposal); enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM); if (enumerator->enumerate(enumerator, &alg, &key_size)) { - alg = get_ikev1_transid_from_alg(proto, ENCRYPTION_ALGORITHM, alg); - if (alg) + transid = get_ikev1_transid_from_alg(ENCRYPTION_ALGORITHM, alg); + if (transid) { transform = transform_substructure_create_type( - PLV1_TRANSFORM_SUBSTRUCTURE, number, alg); + PLV1_TRANSFORM_SUBSTRUCTURE, number, transid); if (key_size) { transform->add_transform_attribute(transform, @@ -1380,13 +1347,14 @@ static void set_from_proposal_v1(private_proposal_substructure_t *this, enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM); if (enumerator->enumerate(enumerator, &alg, &key_size)) { - alg = get_ikev1_transid_from_alg(proto, INTEGRITY_ALGORITHM, alg); - if (alg) + transid = get_ikev1_transid_from_alg(INTEGRITY_ALGORITHM, alg); + alg = get_ikev1_auth_from_alg(alg); + if (transid && alg) { if (!transform) { transform = transform_substructure_create_type( - PLV1_TRANSFORM_SUBSTRUCTURE, number, alg); + PLV1_TRANSFORM_SUBSTRUCTURE, number, transid); } transform->add_transform_attribute(transform, transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE, diff --git a/src/libcharon/kernel/kernel_handler.c b/src/libcharon/kernel/kernel_handler.c index 059124e35..9c0e2602b 100644 --- a/src/libcharon/kernel/kernel_handler.c +++ b/src/libcharon/kernel/kernel_handler.c @@ -72,36 +72,39 @@ METHOD(kernel_listener_t, acquire, bool, } METHOD(kernel_listener_t, expire, bool, - private_kernel_handler_t *this, u_int32_t reqid, u_int8_t protocol, - u_int32_t spi, bool hard) + private_kernel_handler_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, bool hard) { protocol_id_t proto = proto_ip2ike(protocol); - DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}", - hard ? "delete" : "rekey", protocol_id_names, proto, ntohl(spi), reqid); + DBG1(DBG_KNL, "creating %s job for CHILD_SA %N/0x%08x/%H", + hard ? "delete" : "rekey", protocol_id_names, proto, ntohl(spi), dst); if (hard) { lib->processor->queue_job(lib->processor, - (job_t*)delete_child_sa_job_create(reqid, proto, spi, hard)); + (job_t*)delete_child_sa_job_create(proto, spi, dst, hard)); } else { lib->processor->queue_job(lib->processor, - (job_t*)rekey_child_sa_job_create(reqid, proto, spi)); + (job_t*)rekey_child_sa_job_create(proto, spi, dst)); } return TRUE; } METHOD(kernel_listener_t, mapping, bool, - private_kernel_handler_t *this, u_int32_t reqid, u_int32_t spi, - host_t *remote) + private_kernel_handler_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, host_t *remote) { - DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and reqid {%u} " - "changed, queuing update job", ntohl(spi), reqid); + protocol_id_t proto = proto_ip2ike(protocol); + + DBG1(DBG_KNL, "NAT mappings of CHILD_SA %N/0x%08x/%H changed to %#H, " + "queuing update job", protocol_id_names, proto, ntohl(spi), dst, + remote); lib->processor->queue_job(lib->processor, - (job_t*)update_sa_job_create(reqid, remote)); + (job_t*)update_sa_job_create(proto, spi, dst, remote)); return TRUE; } diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in index c3b014c3c..0554465b9 100644 --- a/src/libcharon/plugins/addrblock/Makefile.in +++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in index 50594a452..58cf97b6e 100644 --- a/src/libcharon/plugins/android_dns/Makefile.in +++ b/src/libcharon/plugins/android_dns/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c index 526810355..160a145d3 100644 --- a/src/libcharon/plugins/android_dns/android_dns_handler.c +++ b/src/libcharon/plugins/android_dns/android_dns_handler.c @@ -128,7 +128,7 @@ static bool set_dns_server(private_android_dns_handler_t *this, int index, } METHOD(attribute_handler_t, handle, bool, - private_android_dns_handler_t *this, identification_t *id, + private_android_dns_handler_t *this, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data) { switch (type) @@ -158,7 +158,7 @@ METHOD(attribute_handler_t, handle, bool, } METHOD(attribute_handler_t, release, void, - private_android_dns_handler_t *this, identification_t *server, + private_android_dns_handler_t *this, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data) { if (type == INTERNAL_IP4_DNS) @@ -192,7 +192,7 @@ METHOD(enumerator_t, enumerate_dns, bool, } METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *, - private_android_dns_handler_t *this, identification_t *id, + private_android_dns_handler_t *this, ike_sa_t *ike_sa, linked_list_t *vips) { enumerator_t *enumerator; @@ -232,4 +232,3 @@ android_dns_handler_t *android_dns_handler_create() return &this->public; } - diff --git a/src/libcharon/plugins/android_dns/android_dns_plugin.c b/src/libcharon/plugins/android_dns/android_dns_plugin.c index b8eb11b57..9b6ec0dba 100644 --- a/src/libcharon/plugins/android_dns/android_dns_plugin.c +++ b/src/libcharon/plugins/android_dns/android_dns_plugin.c @@ -16,7 +16,6 @@ #include "android_dns_plugin.h" #include "android_dns_handler.h" -#include #include typedef struct private_android_dns_plugin_t private_android_dns_plugin_t; @@ -51,13 +50,13 @@ static bool plugin_cb(private_android_dns_plugin_t *this, { if (reg) { - hydra->attributes->add_handler(hydra->attributes, - &this->handler->handler); + charon->attributes->add_handler(charon->attributes, + &this->handler->handler); } else { - hydra->attributes->remove_handler(hydra->attributes, - &this->handler->handler); + charon->attributes->remove_handler(charon->attributes, + &this->handler->handler); } return TRUE; } diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in index 700a4219c..8ce92e577 100644 --- a/src/libcharon/plugins/android_log/Makefile.in +++ b/src/libcharon/plugins/android_log/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/attr/Makefile.am b/src/libcharon/plugins/attr/Makefile.am new file mode 100644 index 000000000..6bc7e77d8 --- /dev/null +++ b/src/libcharon/plugins/attr/Makefile.am @@ -0,0 +1,19 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-attr.la +else +plugin_LTLIBRARIES = libstrongswan-attr.la +endif + +libstrongswan_attr_la_SOURCES = \ + attr_plugin.h attr_plugin.c \ + attr_provider.h attr_provider.c + +libstrongswan_attr_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/attr/Makefile.in b/src/libcharon/plugins/attr/Makefile.in new file mode 100644 index 000000000..486b3c0b0 --- /dev/null +++ b/src/libcharon/plugins/attr/Makefile.in @@ -0,0 +1,777 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/attr +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_attr_la_LIBADD = +am_libstrongswan_attr_la_OBJECTS = attr_plugin.lo attr_provider.lo +libstrongswan_attr_la_OBJECTS = $(am_libstrongswan_attr_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libstrongswan_attr_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_attr_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_attr_la_rpath = -rpath $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_attr_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libstrongswan_attr_la_SOURCES) +DIST_SOURCES = $(libstrongswan_attr_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr.la +libstrongswan_attr_la_SOURCES = \ + attr_plugin.h attr_plugin.c \ + attr_provider.h attr_provider.c + +libstrongswan_attr_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/attr/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/attr/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-attr.la: $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_DEPENDENCIES) $(EXTRA_libstrongswan_attr_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_attr_la_LINK) $(am_libstrongswan_attr_la_rpath) $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_provider.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/attr/attr_plugin.c b/src/libcharon/plugins/attr/attr_plugin.c new file mode 100644 index 000000000..9b15c3cc9 --- /dev/null +++ b/src/libcharon/plugins/attr/attr_plugin.c @@ -0,0 +1,109 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "attr_plugin.h" +#include "attr_provider.h" + +#include + +typedef struct private_attr_plugin_t private_attr_plugin_t; + +/** + * private data of attr plugin + */ +struct private_attr_plugin_t { + + /** + * implements plugin interface + */ + attr_plugin_t public; + + /** + * CFG attributes provider + */ + attr_provider_t *provider; +}; + +METHOD(plugin_t, get_name, char*, + private_attr_plugin_t *this) +{ + return "attr"; +} + +/** + * Register provider + */ +static bool plugin_cb(private_attr_plugin_t *this, + plugin_feature_t *feature, bool reg, void *cb_data) +{ + if (reg) + { + charon->attributes->add_provider(charon->attributes, + &this->provider->provider); + } + else + { + charon->attributes->remove_provider(charon->attributes, + &this->provider->provider); + } + return TRUE; +} + +METHOD(plugin_t, get_features, int, + private_attr_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL), + PLUGIN_PROVIDE(CUSTOM, "attr"), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, reload, bool, + private_attr_plugin_t *this) +{ + this->provider->reload(this->provider); + return TRUE; +} + +METHOD(plugin_t, destroy, void, + private_attr_plugin_t *this) +{ + this->provider->destroy(this->provider); + free(this); +} + +/* + * see header file + */ +plugin_t *attr_plugin_create() +{ + private_attr_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .reload = _reload, + .destroy = _destroy, + }, + }, + .provider = attr_provider_create(), + ); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/attr/attr_plugin.h b/src/libcharon/plugins/attr/attr_plugin.h new file mode 100644 index 000000000..0c6eebfa7 --- /dev/null +++ b/src/libcharon/plugins/attr/attr_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup attr attr + * @ingroup cplugins + * + * @defgroup attr_plugin attr_plugin + * @{ @ingroup attr + */ + +#ifndef ATTR_PLUGIN_H_ +#define ATTR_PLUGIN_H_ + +#include + +typedef struct attr_plugin_t attr_plugin_t; + +/** + * Plugin providing configuration attribute through strongswan.conf. + */ +struct attr_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** ATTR_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/attr/attr_provider.c b/src/libcharon/plugins/attr/attr_provider.c new file mode 100644 index 000000000..cac0ae4bf --- /dev/null +++ b/src/libcharon/plugins/attr/attr_provider.c @@ -0,0 +1,329 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "attr_provider.h" + +#include + +#include +#include +#include +#include + +#define SERVER_MAX 2 + +typedef struct private_attr_provider_t private_attr_provider_t; +typedef struct attribute_entry_t attribute_entry_t; + +/** + * private data of attr_provider + */ +struct private_attr_provider_t { + + /** + * public functions + */ + attr_provider_t public; + + /** + * List of attributes, attribute_entry_t + */ + linked_list_t *attributes; + + /** + * Lock for attribute list + */ + rwlock_t *lock; +}; + +struct attribute_entry_t { + /** type of attribute */ + configuration_attribute_type_t type; + /** attribute value */ + chunk_t value; +}; + +/** + * Destroy an entry + */ +static void attribute_destroy(attribute_entry_t *this) +{ + free(this->value.ptr); + free(this); +} + +/** + * convert enumerator value from attribute_entry + */ +static bool attr_enum_filter(void *null, attribute_entry_t **in, + configuration_attribute_type_t *type, void* none, chunk_t *value) +{ + *type = (*in)->type; + *value = (*in)->value; + return TRUE; +} + +METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, + private_attr_provider_t *this, linked_list_t *pools, + ike_sa_t *ike_sa, linked_list_t *vips) +{ + if (vips->get_count(vips)) + { + this->lock->read_lock(this->lock); + return enumerator_create_filter( + this->attributes->create_enumerator(this->attributes), + (void*)attr_enum_filter, this->lock, (void*)this->lock->unlock); + } + return enumerator_create_empty(); +} + +METHOD(attr_provider_t, destroy, void, + private_attr_provider_t *this) +{ + this->attributes->destroy_function(this->attributes, + (void*)attribute_destroy); + this->lock->destroy(this->lock); + free(this); +} + +/** + * Add an attribute entry to the list + */ +static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr, + configuration_attribute_type_t type) +{ + attribute_entry_t *entry; + host_t *host; + char *str; + + str = lib->settings->get_str(lib->settings, "%s.%s%d", NULL, lib->ns, + key, nr); + if (str) + { + host = host_create_from_string(str, 0); + if (host) + { + entry = malloc_thing(attribute_entry_t); + + if (host->get_family(host) == AF_INET6) + { + switch (type) + { + case INTERNAL_IP4_DNS: + type = INTERNAL_IP6_DNS; + break; + case INTERNAL_IP4_NBNS: + type = INTERNAL_IP6_NBNS; + break; + default: + break; + } + } + entry->type = type; + entry->value = chunk_clone(host->get_address(host)); + host->destroy(host); + DBG2(DBG_CFG, "loaded legacy entry attribute %N: %#B", + configuration_attribute_type_names, entry->type, &entry->value); + this->attributes->insert_last(this->attributes, entry); + } + } +} + +/** + * Key to attribute type mappings, for v4 and v6 attributes + */ +typedef struct { + char *name; + configuration_attribute_type_t v4; + configuration_attribute_type_t v6; +} attribute_type_key_t; + +static attribute_type_key_t keys[] = { + {"address", INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS}, + {"dns", INTERNAL_IP4_DNS, INTERNAL_IP6_DNS}, + {"nbns", INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS}, + {"dhcp", INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP}, + {"netmask", INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK}, + {"server", INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER}, + {"subnet", INTERNAL_IP4_SUBNET, INTERNAL_IP6_SUBNET}, + {"split-include", UNITY_SPLIT_INCLUDE, UNITY_SPLIT_INCLUDE}, + {"split-exclude", UNITY_LOCAL_LAN, UNITY_LOCAL_LAN}, +}; + +/** + * Load (numerical) entries from the plugins.attr namespace + */ +static void load_entries(private_attr_provider_t *this) +{ + enumerator_t *enumerator, *tokens; + char *key, *value, *token; + int i; + + for (i = 1; i <= SERVER_MAX; i++) + { + add_legacy_entry(this, "dns", i, INTERNAL_IP4_DNS); + add_legacy_entry(this, "nbns", i, INTERNAL_IP4_NBNS); + } + + enumerator = lib->settings->create_key_value_enumerator(lib->settings, + "%s.plugins.attr", lib->ns); + while (enumerator->enumerate(enumerator, &key, &value)) + { + configuration_attribute_type_t type; + attribute_type_key_t *mapped = NULL; + attribute_entry_t *entry; + chunk_t data; + host_t *host; + char *pos; + int i, mask = -1, family; + + if (streq(key, "load")) + { + continue; + } + type = atoi(key); + if (!type) + { + for (i = 0; i < countof(keys); i++) + { + if (streq(key, keys[i].name)) + { + mapped = &keys[i]; + break; + } + } + if (!mapped) + { + DBG1(DBG_CFG, "mapping attribute type %s failed", key); + continue; + } + } + tokens = enumerator_create_token(value, ",", " "); + while (tokens->enumerate(tokens, &token)) + { + pos = strchr(token, '/'); + if (pos) + { + *(pos++) = '\0'; + mask = atoi(pos); + } + host = host_create_from_string(token, 0); + if (!host) + { + if (mapped) + { + DBG1(DBG_CFG, "invalid host in key %s: %s", key, token); + continue; + } + /* store numeric attributes that are no IP addresses as strings */ + data = chunk_clone(chunk_from_str(token)); + } + else + { + family = host->get_family(host); + if (mask == -1) + { + data = chunk_clone(host->get_address(host)); + } + else + { + if (family == AF_INET) + { /* IPv4 attributes contain a subnet mask */ + u_int32_t netmask = 0; + + if (mask) + { /* shifting u_int32_t by 32 or more is undefined */ + mask = 32 - mask; + netmask = htonl((0xFFFFFFFF >> mask) << mask); + } + data = chunk_cat("cc", host->get_address(host), + chunk_from_thing(netmask)); + } + else + { /* IPv6 addresses the prefix only */ + data = chunk_cat("cc", host->get_address(host), + chunk_from_chars(mask)); + } + } + host->destroy(host); + if (mapped) + { + switch (family) + { + case AF_INET: + type = mapped->v4; + break; + case AF_INET6: + type = mapped->v6; + break; + } + } + } + INIT(entry, + .type = type, + .value = data, + ); + DBG2(DBG_CFG, "loaded attribute %N: %#B", + configuration_attribute_type_names, entry->type, &entry->value); + this->attributes->insert_last(this->attributes, entry); + } + tokens->destroy(tokens); + } + enumerator->destroy(enumerator); +} + +METHOD(attr_provider_t, reload, void, + private_attr_provider_t *this) +{ + this->lock->write_lock(this->lock); + + this->attributes->destroy_function(this->attributes, (void*)attribute_destroy); + this->attributes = linked_list_create(); + + load_entries(this); + + DBG1(DBG_CFG, "loaded %d entr%s for attr plugin configuration", + this->attributes->get_count(this->attributes), + this->attributes->get_count(this->attributes) == 1 ? "y" : "ies"); + + this->lock->unlock(this->lock); +} + +/* + * see header file + */ +attr_provider_t *attr_provider_create(database_t *db) +{ + private_attr_provider_t *this; + + INIT(this, + .public = { + .provider = { + .acquire_address = (void*)return_null, + .release_address = (void*)return_false, + .create_attribute_enumerator = _create_attribute_enumerator, + }, + .reload = _reload, + .destroy = _destroy, + }, + .attributes = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + load_entries(this); + + return &this->public; +} diff --git a/src/libcharon/plugins/attr/attr_provider.h b/src/libcharon/plugins/attr/attr_provider.h new file mode 100644 index 000000000..17db30408 --- /dev/null +++ b/src/libcharon/plugins/attr/attr_provider.h @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup attr_provider attr_provider + * @{ @ingroup attr + */ + +#ifndef ATTR_PROVIDER_H_ +#define ATTR_PROVIDER_H_ + +#include + +typedef struct attr_provider_t attr_provider_t; + +/** + * Provide configuration attributes through static strongswan.conf definition. + */ +struct attr_provider_t { + + /** + * Implements attribute provider interface + */ + attribute_provider_t provider; + + /** + * Reload configuration from strongswan.conf. + */ + void (*reload)(attr_provider_t *this); + + /** + * Destroy a attr_provider instance. + */ + void (*destroy)(attr_provider_t *this); +}; + +/** + * Create a attr_provider instance. + */ +attr_provider_t *attr_provider_create(); + +#endif /** ATTR_PROVIDER @}*/ diff --git a/src/libcharon/plugins/attr_sql/Makefile.am b/src/libcharon/plugins/attr_sql/Makefile.am new file mode 100644 index 000000000..366c902f7 --- /dev/null +++ b/src/libcharon/plugins/attr_sql/Makefile.am @@ -0,0 +1,19 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-attr-sql.la +else +plugin_LTLIBRARIES = libstrongswan-attr-sql.la +endif + +libstrongswan_attr_sql_la_SOURCES = \ + attr_sql_plugin.h attr_sql_plugin.c \ + attr_sql_provider.h attr_sql_provider.c + +libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/attr_sql/Makefile.in b/src/libcharon/plugins/attr_sql/Makefile.in new file mode 100644 index 000000000..8f1b3c0ff --- /dev/null +++ b/src/libcharon/plugins/attr_sql/Makefile.in @@ -0,0 +1,780 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/attr_sql +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_attr_sql_la_LIBADD = +am_libstrongswan_attr_sql_la_OBJECTS = attr_sql_plugin.lo \ + attr_sql_provider.lo +libstrongswan_attr_sql_la_OBJECTS = \ + $(am_libstrongswan_attr_sql_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libstrongswan_attr_sql_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_attr_sql_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_attr_sql_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_attr_sql_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libstrongswan_attr_sql_la_SOURCES) +DIST_SOURCES = $(libstrongswan_attr_sql_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr-sql.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr-sql.la +libstrongswan_attr_sql_la_SOURCES = \ + attr_sql_plugin.h attr_sql_plugin.c \ + attr_sql_provider.h attr_sql_provider.c + +libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/attr_sql/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/attr_sql/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-attr-sql.la: $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_attr_sql_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_attr_sql_la_LINK) $(am_libstrongswan_attr_sql_la_rpath) $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_sql_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_sql_provider.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/attr_sql/attr_sql_plugin.c b/src/libcharon/plugins/attr_sql/attr_sql_plugin.c new file mode 100644 index 000000000..908877514 --- /dev/null +++ b/src/libcharon/plugins/attr_sql/attr_sql_plugin.c @@ -0,0 +1,129 @@ +/* + * Copyright (C) 2013 Tobias Brunner + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include +#include + +#include "attr_sql_plugin.h" +#include "attr_sql_provider.h" + +typedef struct private_attr_sql_plugin_t private_attr_sql_plugin_t; + +/** + * private data of attr_sql plugin + */ +struct private_attr_sql_plugin_t { + + /** + * implements plugin interface + */ + attr_sql_plugin_t public; + + /** + * database connection instance + */ + database_t *db; + + /** + * configuration attributes + */ + attr_sql_provider_t *attribute; +}; + +METHOD(plugin_t, get_name, char*, + private_attr_sql_plugin_t *this) +{ + return "attr-sql"; +} + +/** + * Connect to database + */ +static bool open_database(private_attr_sql_plugin_t *this, + plugin_feature_t *feature, bool reg, void *cb_data) +{ + if (reg) + { + char *uri; + + uri = lib->settings->get_str(lib->settings, + "%s.plugins.attr-sql.database", NULL, lib->ns); + if (!uri) + { + DBG1(DBG_CFG, "attr-sql plugin: database URI not set"); + return FALSE; + } + + this->db = lib->db->create(lib->db, uri); + if (!this->db) + { + DBG1(DBG_CFG, "attr-sql plugin failed to connect to database"); + return FALSE; + } + this->attribute = attr_sql_provider_create(this->db); + charon->attributes->add_provider(charon->attributes, + &this->attribute->provider); + } + else + { + charon->attributes->remove_provider(charon->attributes, + &this->attribute->provider); + this->attribute->destroy(this->attribute); + this->db->destroy(this->db); + } + return TRUE; +} + +METHOD(plugin_t, get_features, int, + private_attr_sql_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_CALLBACK((plugin_feature_callback_t)open_database, NULL), + PLUGIN_PROVIDE(CUSTOM, "attr-sql"), + PLUGIN_DEPENDS(DATABASE, DB_ANY), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_attr_sql_plugin_t *this) +{ + free(this); +} + +/* + * see header file + */ +plugin_t *attr_sql_plugin_create() +{ + private_attr_sql_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + }, + ); + lib->settings->add_fallback(lib->settings, "%s.plugins.attr-sql", + "libhydra.plugins.attr-sql", lib->ns); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/attr_sql/attr_sql_plugin.h b/src/libcharon/plugins/attr_sql/attr_sql_plugin.h new file mode 100644 index 000000000..b6b04ccc0 --- /dev/null +++ b/src/libcharon/plugins/attr_sql/attr_sql_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup attr_sql attr_sql + * @ingroup cplugins + * + * @defgroup attr_sql_plugin attr_sql_plugin + * @{ @ingroup attr_sql + */ + +#ifndef ATTR_SQL_PLUGIN_H_ +#define ATTR_SQL_PLUGIN_H_ + +#include + +typedef struct attr_sql_plugin_t attr_sql_plugin_t; + +/** + * SQL database attribute configuration plugin + */ +struct attr_sql_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** ATTR_SQL_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/attr_sql/attr_sql_provider.c b/src/libcharon/plugins/attr_sql/attr_sql_provider.c new file mode 100644 index 000000000..c2410705d --- /dev/null +++ b/src/libcharon/plugins/attr_sql/attr_sql_provider.c @@ -0,0 +1,478 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include +#include + +#include "attr_sql_provider.h" + +typedef struct private_attr_sql_provider_t private_attr_sql_provider_t; + +/** + * private data of attr_sql_provider + */ +struct private_attr_sql_provider_t { + + /** + * public functions + */ + attr_sql_provider_t public; + + /** + * database connection + */ + database_t *db; + + /** + * whether to record lease history in lease table + */ + bool history; +}; + +/** + * lookup/insert an identity + */ +static u_int get_identity(private_attr_sql_provider_t *this, ike_sa_t *ike_sa) +{ + identification_t *id; + enumerator_t *e; + u_int row; + + id = ike_sa->get_other_eap_id(ike_sa); + + this->db->transaction(this->db, TRUE); + /* look for peer identity in the identities table */ + e = this->db->query(this->db, + "SELECT id FROM identities WHERE type = ? AND data = ?", + DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id), + DB_UINT); + if (e && e->enumerate(e, &row)) + { + e->destroy(e); + this->db->commit(this->db); + return row; + } + DESTROY_IF(e); + /* not found, insert new one */ + if (this->db->execute(this->db, &row, + "INSERT INTO identities (type, data) VALUES (?, ?)", + DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id)) == 1) + { + this->db->commit(this->db); + return row; + } + this->db->rollback(this->db); + return 0; +} + +/** + * Lookup an attribute pool by name + */ +static u_int get_attr_pool(private_attr_sql_provider_t *this, char *name) +{ + enumerator_t *e; + u_int row = 0; + + e = this->db->query(this->db, + "SELECT id FROM attribute_pools WHERE name = ?", + DB_TEXT, name, DB_UINT); + if (e) + { + e->enumerate(e, &row); + } + DESTROY_IF(e); + + return row; +} + +/** + * Lookup pool by name and address family + */ +static u_int get_pool(private_attr_sql_provider_t *this, char *name, int family, + u_int *timeout) +{ + enumerator_t *e; + chunk_t start; + u_int pool; + + e = this->db->query(this->db, + "SELECT id, start, timeout FROM pools WHERE name = ?", + DB_TEXT, name, DB_UINT, DB_BLOB, DB_UINT); + if (e && e->enumerate(e, &pool, &start, timeout)) + { + if ((family == AF_INET && start.len == 4) || + (family == AF_INET6 && start.len == 16)) + { + e->destroy(e); + return pool; + } + } + DESTROY_IF(e); + return 0; +} + +/** + * Look up an existing lease + */ +static host_t* check_lease(private_attr_sql_provider_t *this, char *name, + u_int pool, u_int identity) +{ + while (TRUE) + { + u_int id; + chunk_t address; + enumerator_t *e; + time_t now = time(NULL); + + e = this->db->query(this->db, + "SELECT id, address FROM addresses " + "WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1", + DB_UINT, pool, DB_UINT, identity, DB_UINT, DB_BLOB); + if (!e || !e->enumerate(e, &id, &address)) + { + DESTROY_IF(e); + break; + } + address = chunk_clonea(address); + e->destroy(e); + + if (this->db->execute(this->db, NULL, + "UPDATE addresses SET acquired = ?, released = 0 " + "WHERE id = ? AND identity = ? AND released != 0", + DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0) + { + host_t *host; + + host = host_create_from_chunk(AF_UNSPEC, address, 0); + if (host) + { + DBG1(DBG_CFG, "acquired existing lease for address %H in" + " pool '%s'", host, name); + return host; + } + } + } + return NULL; +} + +/** + * We check for unallocated addresses or expired leases. First we select an + * address as a candidate, but double check later on if it is still available + * during the update operation. This allows us to work without locking. + */ +static host_t* get_lease(private_attr_sql_provider_t *this, char *name, + u_int pool, u_int timeout, u_int identity) +{ + while (TRUE) + { + u_int id; + chunk_t address; + enumerator_t *e; + time_t now = time(NULL); + int hits; + + if (timeout) + { + /* check for an expired lease */ + e = this->db->query(this->db, + "SELECT id, address FROM addresses " + "WHERE pool = ? AND released != 0 AND released < ? LIMIT 1", + DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB); + } + else + { + /* with static leases, check for an unallocated address */ + e = this->db->query(this->db, + "SELECT id, address FROM addresses " + "WHERE pool = ? AND identity = 0 LIMIT 1", + DB_UINT, pool, DB_UINT, DB_BLOB); + + } + + if (!e || !e->enumerate(e, &id, &address)) + { + DESTROY_IF(e); + break; + } + address = chunk_clonea(address); + e->destroy(e); + + if (timeout) + { + hits = this->db->execute(this->db, NULL, + "UPDATE addresses SET " + "acquired = ?, released = 0, identity = ? " + "WHERE id = ? AND released != 0 AND released < ?", + DB_UINT, now, DB_UINT, identity, + DB_UINT, id, DB_UINT, now - timeout); + } + else + { + hits = this->db->execute(this->db, NULL, + "UPDATE addresses SET " + "acquired = ?, released = 0, identity = ? " + "WHERE id = ? AND identity = 0", + DB_UINT, now, DB_UINT, identity, DB_UINT, id); + } + if (hits > 0) + { + host_t *host; + + host = host_create_from_chunk(AF_UNSPEC, address, 0); + if (host) + { + DBG1(DBG_CFG, "acquired new lease for address %H in pool '%s'", + host, name); + return host; + } + } + } + DBG1(DBG_CFG, "no available address found in pool '%s'", name); + return NULL; +} + +METHOD(attribute_provider_t, acquire_address, host_t*, + private_attr_sql_provider_t *this, linked_list_t *pools, ike_sa_t *ike_sa, + host_t *requested) +{ + enumerator_t *enumerator; + host_t *address = NULL; + u_int identity, pool, timeout; + char *name; + int family; + + identity = get_identity(this, ike_sa); + if (identity) + { + family = requested->get_family(requested); + /* check for an existing lease in all pools */ + enumerator = pools->create_enumerator(pools); + while (enumerator->enumerate(enumerator, &name)) + { + pool = get_pool(this, name, family, &timeout); + if (pool) + { + address = check_lease(this, name, pool, identity); + if (address) + { + break; + } + } + } + enumerator->destroy(enumerator); + + if (!address) + { + /* get an unallocated address or expired lease */ + enumerator = pools->create_enumerator(pools); + while (enumerator->enumerate(enumerator, &name)) + { + pool = get_pool(this, name, family, &timeout); + if (pool) + { + address = get_lease(this, name, pool, timeout, identity); + if (address) + { + break; + } + } + } + enumerator->destroy(enumerator); + } + } + return address; +} + +METHOD(attribute_provider_t, release_address, bool, + private_attr_sql_provider_t *this, linked_list_t *pools, host_t *address, + ike_sa_t *ike_sa) +{ + enumerator_t *enumerator; + u_int pool, timeout; + time_t now = time(NULL); + bool found = FALSE; + char *name; + int family; + + family = address->get_family(address); + enumerator = pools->create_enumerator(pools); + while (enumerator->enumerate(enumerator, &name)) + { + pool = get_pool(this, name, family, &timeout); + if (!pool) + { + continue; + } + if (this->db->execute(this->db, NULL, + "UPDATE addresses SET released = ? WHERE " + "pool = ? AND address = ?", DB_UINT, time(NULL), + DB_UINT, pool, DB_BLOB, address->get_address(address)) > 0) + { + if (this->history) + { + this->db->execute(this->db, NULL, + "INSERT INTO leases (address, identity, acquired, released)" + " SELECT id, identity, acquired, ? FROM addresses " + " WHERE pool = ? AND address = ?", + DB_UINT, now, DB_UINT, pool, + DB_BLOB, address->get_address(address)); + } + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + + return found; +} + +METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, + private_attr_sql_provider_t *this, linked_list_t *pools, ike_sa_t *ike_sa, + linked_list_t *vips) +{ + enumerator_t *attr_enumerator = NULL; + + if (vips->get_count(vips)) + { + enumerator_t *pool_enumerator; + u_int count; + char *name; + + /* in a first step check for attributes that match name and id */ + if (ike_sa) + { + u_int identity = get_identity(this, ike_sa); + + pool_enumerator = pools->create_enumerator(pools); + while (pool_enumerator->enumerate(pool_enumerator, &name)) + { + u_int attr_pool = get_attr_pool(this, name); + if (!attr_pool) + { + continue; + } + + attr_enumerator = this->db->query(this->db, + "SELECT count(*) FROM attributes " + "WHERE pool = ? AND identity = ?", + DB_UINT, attr_pool, DB_UINT, identity, DB_UINT); + + if (attr_enumerator && + attr_enumerator->enumerate(attr_enumerator, &count) && + count != 0) + { + attr_enumerator->destroy(attr_enumerator); + attr_enumerator = this->db->query(this->db, + "SELECT type, value FROM attributes " + "WHERE pool = ? AND identity = ?", DB_UINT, + attr_pool, DB_UINT, identity, DB_INT, DB_BLOB); + break; + } + DESTROY_IF(attr_enumerator); + attr_enumerator = NULL; + } + pool_enumerator->destroy(pool_enumerator); + } + + /* in a second step check for attributes that match name */ + if (!attr_enumerator) + { + pool_enumerator = pools->create_enumerator(pools); + while (pool_enumerator->enumerate(pool_enumerator, &name)) + { + u_int attr_pool = get_attr_pool(this, name); + if (!attr_pool) + { + continue; + } + + attr_enumerator = this->db->query(this->db, + "SELECT count(*) FROM attributes " + "WHERE pool = ? AND identity = 0", + DB_UINT, attr_pool, DB_UINT); + + if (attr_enumerator && + attr_enumerator->enumerate(attr_enumerator, &count) && + count != 0) + { + attr_enumerator->destroy(attr_enumerator); + attr_enumerator = this->db->query(this->db, + "SELECT type, value FROM attributes " + "WHERE pool = ? AND identity = 0", + DB_UINT, attr_pool, DB_INT, DB_BLOB); + break; + } + DESTROY_IF(attr_enumerator); + attr_enumerator = NULL; + } + pool_enumerator->destroy(pool_enumerator); + } + + /* lastly try to find global attributes */ + if (!attr_enumerator) + { + attr_enumerator = this->db->query(this->db, + "SELECT type, value FROM attributes " + "WHERE pool = 0 AND identity = 0", + DB_INT, DB_BLOB); + } + } + + return (attr_enumerator ? attr_enumerator : enumerator_create_empty()); +} + +METHOD(attr_sql_provider_t, destroy, void, + private_attr_sql_provider_t *this) +{ + free(this); +} + +/* + * see header file + */ +attr_sql_provider_t *attr_sql_provider_create(database_t *db) +{ + private_attr_sql_provider_t *this; + time_t now = time(NULL); + + INIT(this, + .public = { + .provider = { + .acquire_address = _acquire_address, + .release_address = _release_address, + .create_attribute_enumerator = _create_attribute_enumerator, + }, + .destroy = _destroy, + }, + .db = db, + .history = lib->settings->get_bool(lib->settings, + "%s.plugins.attr-sql.lease_history", TRUE, lib->ns), + ); + + /* close any "online" leases in the case we crashed */ + if (this->history) + { + this->db->execute(this->db, NULL, + "INSERT INTO leases (address, identity, acquired, released)" + " SELECT id, identity, acquired, ? FROM addresses " + " WHERE released = 0", DB_UINT, now); + } + this->db->execute(this->db, NULL, + "UPDATE addresses SET released = ? WHERE released = 0", + DB_UINT, now); + return &this->public; +} diff --git a/src/libcharon/plugins/attr_sql/attr_sql_provider.h b/src/libcharon/plugins/attr_sql/attr_sql_provider.h new file mode 100644 index 000000000..a9b037bf5 --- /dev/null +++ b/src/libcharon/plugins/attr_sql/attr_sql_provider.h @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup attr_sql_provider attr_sql_provider + * @{ @ingroup attr_sql + */ + +#ifndef ATTR_SQL_PROVIDER_H_ +#define ATTR_SQL_PROVIDER_H_ + +#include +#include + +typedef struct attr_sql_provider_t attr_sql_provider_t; + +/** + * SQL database based IKEv2 cfg attribute provider. + */ +struct attr_sql_provider_t { + + /** + * Implements attribute provider interface + */ + attribute_provider_t provider; + + /** + * Destroy a attr_sql_provider instance. + */ + void (*destroy)(attr_sql_provider_t *this); +}; + +/** + * Create a attr_sql_provider instance. + */ +attr_sql_provider_t *attr_sql_provider_create(database_t *db); + +#endif /** ATTR_SQL_PROVIDER_H_ @}*/ diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in index 08101d51d..f946d73c1 100644 --- a/src/libcharon/plugins/certexpire/Makefile.in +++ b/src/libcharon/plugins/certexpire/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/connmark/Makefile.am b/src/libcharon/plugins/connmark/Makefile.am new file mode 100644 index 000000000..cc4d0ec8d --- /dev/null +++ b/src/libcharon/plugins/connmark/Makefile.am @@ -0,0 +1,20 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) $(libiptc_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-connmark.la +else +plugin_LTLIBRARIES = libstrongswan-connmark.la +endif + +libstrongswan_connmark_la_SOURCES = \ + connmark_listener.h connmark_listener.c \ + connmark_plugin.h connmark_plugin.c + +libstrongswan_connmark_la_LDFLAGS = -module -avoid-version +libstrongswan_connmark_la_LIBADD = $(libiptc_LIBS) diff --git a/src/libcharon/plugins/connmark/Makefile.in b/src/libcharon/plugins/connmark/Makefile.in new file mode 100644 index 000000000..65f53fde9 --- /dev/null +++ b/src/libcharon/plugins/connmark/Makefile.in @@ -0,0 +1,782 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/connmark +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +am__DEPENDENCIES_1 = +libstrongswan_connmark_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am_libstrongswan_connmark_la_OBJECTS = connmark_listener.lo \ + connmark_plugin.lo +libstrongswan_connmark_la_OBJECTS = \ + $(am_libstrongswan_connmark_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libstrongswan_connmark_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_connmark_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_connmark_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_connmark_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libstrongswan_connmark_la_SOURCES) +DIST_SOURCES = $(libstrongswan_connmark_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) $(libiptc_CFLAGS) + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-connmark.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-connmark.la +libstrongswan_connmark_la_SOURCES = \ + connmark_listener.h connmark_listener.c \ + connmark_plugin.h connmark_plugin.c + +libstrongswan_connmark_la_LDFLAGS = -module -avoid-version +libstrongswan_connmark_la_LIBADD = $(libiptc_LIBS) +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/connmark/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/connmark/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-connmark.la: $(libstrongswan_connmark_la_OBJECTS) $(libstrongswan_connmark_la_DEPENDENCIES) $(EXTRA_libstrongswan_connmark_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_connmark_la_LINK) $(am_libstrongswan_connmark_la_rpath) $(libstrongswan_connmark_la_OBJECTS) $(libstrongswan_connmark_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connmark_listener.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connmark_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c new file mode 100644 index 000000000..23df690e8 --- /dev/null +++ b/src/libcharon/plugins/connmark/connmark_listener.c @@ -0,0 +1,538 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "connmark_listener.h" + +#include + +#include +#include +#include +#include +#include +#include +#include + + +typedef struct private_connmark_listener_t private_connmark_listener_t; + +/** + * Private data of an connmark_listener_t object. + */ +struct private_connmark_listener_t { + + /** + * Public connmark_listener_t interface. + */ + connmark_listener_t public; +}; + +/** + * Convert an (IPv4) traffic selector to an address and mask + */ +static bool ts2in(traffic_selector_t *ts, + struct in_addr *addr, struct in_addr *mask) +{ + u_int8_t bits; + host_t *net; + + if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE && + ts->to_subnet(ts, &net, &bits)) + { + memcpy(&addr->s_addr, net->get_address(net).ptr, 4); + net->destroy(net); + mask->s_addr = htonl(0xffffffffU << (32 - bits)); + return TRUE; + } + return FALSE; +} + +/** + * Convert an (IPv4) host to an address with mask + */ +static bool host2in(host_t *host, struct in_addr *addr, struct in_addr *mask) +{ + if (host->get_family(host) == AF_INET) + { + memcpy(&addr->s_addr, host->get_address(host).ptr, 4); + mask->s_addr = ~0; + return TRUE; + } + return FALSE; +} + +/** + * Add or remove a rule to/from the specified chain + */ +static bool manage_rule(struct iptc_handle *ipth, const char *chain, + bool add, struct ipt_entry *e) +{ + if (add) + { + if (!iptc_insert_entry(chain, e, 0, ipth)) + { + DBG1(DBG_CFG, "appending %s rule failed: %s", + chain, iptc_strerror(errno)); + return FALSE; + } + } + else + { + if (!iptc_delete_entry(chain, e, "", ipth)) + { + DBG1(DBG_CFG, "deleting %s rule failed: %s", + chain, iptc_strerror(errno)); + return FALSE; + } + } + return TRUE; +} + +/** + * Add rule marking UDP-encapsulated ESP packets to match the correct policy + */ +static bool manage_pre_esp_in_udp(private_connmark_listener_t *this, + struct iptc_handle *ipth, bool add, + u_int mark, u_int32_t spi, + host_t *dst, host_t *src) +{ + struct { + struct ipt_entry e; + struct ipt_entry_match m; + struct xt_udp udp; + struct ipt_entry_target t; + struct xt_mark_tginfo2 tm; + } ipt = { + .e = { + .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + + sizeof(ipt.udp)), + .next_offset = sizeof(ipt), + .ip = { + .proto = IPPROTO_UDP, + }, + }, + .m = { + .u = { + .user = { + .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)), + .name = "udp", + }, + }, + }, + .udp = { + .spts = { src->get_port(src), src->get_port(src) }, + .dpts = { dst->get_port(dst), dst->get_port(dst) }, + }, + .t = { + .u = { + .user = { + .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), + .name = "MARK", + .revision = 2, + }, + }, + }, + .tm = { + .mark = mark, + .mask = ~0, + }, + }; + + if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || + !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk)) + { + return FALSE; + } + return manage_rule(ipth, "PREROUTING", add, &ipt.e); +} + +/** + * Add rule marking non-encapsulated ESP packets to match the correct policy + */ +static bool manage_pre_esp(private_connmark_listener_t *this, + struct iptc_handle *ipth, bool add, + u_int mark, u_int32_t spi, + host_t *dst, host_t *src) +{ + struct { + struct ipt_entry e; + struct ipt_entry_match m; + struct xt_esp esp; + struct ipt_entry_target t; + struct xt_mark_tginfo2 tm; + } ipt = { + .e = { + .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + + sizeof(ipt.esp)), + .next_offset = sizeof(ipt), + .ip = { + .proto = IPPROTO_ESP, + }, + }, + .m = { + .u = { + .user = { + .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)), + .name = "esp", + }, + }, + }, + .esp = { + .spis = { htonl(spi), htonl(spi) }, + }, + .t = { + .u = { + .user = { + .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), + .name = "MARK", + .revision = 2, + }, + }, + }, + .tm = { + .mark = mark, + .mask = ~0, + }, + }; + + if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || + !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk)) + { + return FALSE; + } + return manage_rule(ipth, "PREROUTING", add, &ipt.e); +} + +/** + * Add rule marking ESP packets to match the correct policy + */ +static bool manage_pre(private_connmark_listener_t *this, + struct iptc_handle *ipth, bool add, + u_int mark, u_int32_t spi, bool encap, + host_t *dst, host_t *src) +{ + if (encap) + { + return manage_pre_esp_in_udp(this, ipth, add, mark, spi, dst, src); + } + return manage_pre_esp(this, ipth, add, mark, spi, dst, src); +} + +/** + * Add inbound rule applying CONNMARK to matching traffic + */ +static bool manage_in(private_connmark_listener_t *this, + struct iptc_handle *ipth, bool add, + u_int mark, u_int32_t spi, + traffic_selector_t *dst, traffic_selector_t *src) +{ + struct { + struct ipt_entry e; + struct ipt_entry_match m; + struct xt_policy_info p; + struct ipt_entry_target t; + struct xt_connmark_tginfo1 cm; + } ipt = { + .e = { + .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + + sizeof(ipt.p)), + .next_offset = sizeof(ipt), + }, + .m = { + .u = { + .user = { + .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.p)), + .name = "policy", + }, + }, + }, + .p = { + .pol = { + { + .spi = spi, + .match.spi = 1, + }, + }, + .len = 1, + .flags = XT_POLICY_MATCH_IN, + }, + .t = { + .u = { + .user = { + .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)), + .name = "CONNMARK", + .revision = 1, + }, + }, + }, + .cm = { + .ctmark = mark, + .ctmask = ~0, + .nfmask = ~0, + .mode = XT_CONNMARK_SET, + }, + }; + + if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || + !ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk)) + { + return FALSE; + } + return manage_rule(ipth, "INPUT", add, &ipt.e); +} + +/** + * Add outbund rule restoring CONNMARK on matching traffic + */ +static bool manage_out(private_connmark_listener_t *this, + struct iptc_handle *ipth, bool add, + traffic_selector_t *dst, traffic_selector_t *src) +{ + struct { + struct ipt_entry e; + struct ipt_entry_target t; + struct xt_connmark_tginfo1 cm; + } ipt = { + .e = { + .target_offset = XT_ALIGN(sizeof(ipt.e)), + .next_offset = sizeof(ipt), + }, + .t = { + .u = { + .user = { + .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)), + .name = "CONNMARK", + .revision = 1, + }, + }, + }, + .cm = { + .ctmask = ~0, + .nfmask = ~0, + .mode = XT_CONNMARK_RESTORE, + }, + }; + + if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || + !ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk)) + { + return FALSE; + } + return manage_rule(ipth, "OUTPUT", add, &ipt.e); +} + +/** + * Initialize iptables handle, log error + */ +static struct iptc_handle* init_handle() +{ + struct iptc_handle *ipth; + + ipth = iptc_init("mangle"); + if (ipth) + { + return ipth; + } + DBG1(DBG_CFG, "initializing iptables failed: %s", iptc_strerror(errno)); + return NULL; +} + +/** + * Commit iptables rules, log error + */ +static bool commit_handle(struct iptc_handle *ipth) +{ + if (iptc_commit(ipth)) + { + return TRUE; + } + DBG1(DBG_CFG, "forecast iptables commit failed: %s", iptc_strerror(errno)); + return FALSE; +} + +/** + * Add/Remove policies for a CHILD_SA using a iptables handle + */ +static bool manage_policies(private_connmark_listener_t *this, + struct iptc_handle *ipth, host_t *dst, host_t *src, + bool encap, child_sa_t *child_sa, bool add) +{ + traffic_selector_t *local, *remote; + enumerator_t *enumerator; + u_int32_t spi; + u_int mark; + bool done = TRUE; + + spi = child_sa->get_spi(child_sa, TRUE); + mark = child_sa->get_mark(child_sa, TRUE).value; + + enumerator = child_sa->create_policy_enumerator(child_sa); + while (enumerator->enumerate(enumerator, &local, &remote)) + { + if (!manage_pre(this, ipth, add, mark, spi, encap, dst, src) || + !manage_in(this, ipth, add, mark, spi, local, remote) || + !manage_out(this, ipth, add, remote, local)) + { + done = FALSE; + break; + } + } + enumerator->destroy(enumerator); + + return done; +} + +/** + * Check if rules should be installed for given CHILD_SA + */ +static bool handle_sa(child_sa_t *child_sa) +{ + return child_sa->get_mark(child_sa, TRUE).value && + child_sa->get_mark(child_sa, FALSE).value && + child_sa->get_mode(child_sa) == MODE_TRANSPORT && + child_sa->get_protocol(child_sa) == PROTO_ESP; +} + +METHOD(listener_t, child_updown, bool, + private_connmark_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool up) +{ + struct iptc_handle *ipth; + host_t *dst, *src; + bool encap; + + dst = ike_sa->get_my_host(ike_sa); + src = ike_sa->get_other_host(ike_sa); + encap = child_sa->has_encap(child_sa); + + if (handle_sa(child_sa)) + { + ipth = init_handle(); + if (ipth) + { + if (manage_policies(this, ipth, dst, src, encap, child_sa, up)) + { + commit_handle(ipth); + } + iptc_free(ipth); + } + } + return TRUE; +} + +METHOD(listener_t, child_rekey, bool, + private_connmark_listener_t *this, ike_sa_t *ike_sa, + child_sa_t *old, child_sa_t *new) +{ + struct iptc_handle *ipth; + host_t *dst, *src; + bool oldencap, newencap; + + dst = ike_sa->get_my_host(ike_sa); + src = ike_sa->get_other_host(ike_sa); + oldencap = old->has_encap(old); + newencap = new->has_encap(new); + + if (handle_sa(old)) + { + ipth = init_handle(); + if (ipth) + { + if (manage_policies(this, ipth, dst, src, oldencap, old, FALSE) && + manage_policies(this, ipth, dst, src, newencap, new, TRUE)) + { + commit_handle(ipth); + } + iptc_free(ipth); + } + } + return TRUE; +} + +METHOD(listener_t, ike_update, bool, + private_connmark_listener_t *this, ike_sa_t *ike_sa, + bool local, host_t *new) +{ + struct iptc_handle *ipth; + enumerator_t *enumerator; + child_sa_t *child_sa; + host_t *dst, *src; + bool oldencap, newencap; + + if (local) + { + dst = new; + src = ike_sa->get_other_host(ike_sa); + } + else + { + dst = ike_sa->get_my_host(ike_sa); + src = new; + } + /* during ike_update(), has_encap() on the CHILD_SA has not yet been + * updated, but shows the old state. */ + newencap = ike_sa->has_condition(ike_sa, COND_NAT_ANY); + + enumerator = ike_sa->create_child_sa_enumerator(ike_sa); + while (enumerator->enumerate(enumerator, &child_sa)) + { + if (handle_sa(child_sa)) + { + oldencap = child_sa->has_encap(child_sa); + ipth = init_handle(); + if (ipth) + { + if (manage_policies(this, ipth, dst, src, oldencap, + child_sa, FALSE) && + manage_policies(this, ipth, dst, src, newencap, + child_sa, TRUE)) + { + commit_handle(ipth); + } + iptc_free(ipth); + } + } + } + enumerator->destroy(enumerator); + + return TRUE; +} + +METHOD(connmark_listener_t, destroy, void, + private_connmark_listener_t *this) +{ + free(this); +} + +/** + * See header + */ +connmark_listener_t *connmark_listener_create() +{ + private_connmark_listener_t *this; + + INIT(this, + .public = { + .listener = { + .ike_update = _ike_update, + .child_updown = _child_updown, + .child_rekey = _child_rekey, + }, + .destroy = _destroy, + }, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/connmark/connmark_listener.h b/src/libcharon/plugins/connmark/connmark_listener.h new file mode 100644 index 000000000..2d4098fb6 --- /dev/null +++ b/src/libcharon/plugins/connmark/connmark_listener.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup connmark_listener connmark_listener + * @{ @ingroup connmark + */ + +#ifndef CONNMARK_LISTENER_H_ +#define CONNMARK_LISTENER_H_ + +#include + +typedef struct connmark_listener_t connmark_listener_t; + +/** + * Listener to install Netfilter rules + */ +struct connmark_listener_t { + + /** + * Implements listener_t interface. + */ + listener_t listener; + + /** + * Destroy a connmark_listener_t. + */ + void (*destroy)(connmark_listener_t *this); +}; + +/** + * Create a connmark_listener instance. + */ +connmark_listener_t *connmark_listener_create(); + +#endif /** CONNMARK_LISTENER_H_ @}*/ diff --git a/src/libcharon/plugins/connmark/connmark_plugin.c b/src/libcharon/plugins/connmark/connmark_plugin.c new file mode 100644 index 000000000..3f276f93e --- /dev/null +++ b/src/libcharon/plugins/connmark/connmark_plugin.c @@ -0,0 +1,105 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "connmark_plugin.h" +#include "connmark_listener.h" + +#include + +typedef struct private_connmark_plugin_t private_connmark_plugin_t; + +/** + * private data of connmark plugin + */ +struct private_connmark_plugin_t { + + /** + * implements plugin interface + */ + connmark_plugin_t public; + + /** + * Listener installing netfilter rules + */ + connmark_listener_t *listener; +}; + +METHOD(plugin_t, get_name, char*, + private_connmark_plugin_t *this) +{ + return "connmark"; +} + +/** + * Register listener + */ +static bool plugin_cb(private_connmark_plugin_t *this, + plugin_feature_t *feature, bool reg, void *cb_data) +{ + if (reg) + { + charon->bus->add_listener(charon->bus, &this->listener->listener); + } + else + { + charon->bus->remove_listener(charon->bus, &this->listener->listener); + } + return TRUE; +} + +METHOD(plugin_t, get_features, int, + private_connmark_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL), + PLUGIN_PROVIDE(CUSTOM, "connmark"), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_connmark_plugin_t *this) +{ + this->listener->destroy(this->listener); + free(this); +} + +/** + * Plugin constructor + */ +plugin_t *connmark_plugin_create() +{ + private_connmark_plugin_t *this; + + if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN)) + { + DBG1(DBG_NET, "connmark plugin requires CAP_NET_ADMIN capability"); + return NULL; + } + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + }, + .listener = connmark_listener_create(), + ); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/connmark/connmark_plugin.h b/src/libcharon/plugins/connmark/connmark_plugin.h new file mode 100644 index 000000000..5b4ccebbe --- /dev/null +++ b/src/libcharon/plugins/connmark/connmark_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup connmark connmark + * @ingroup cplugins + * + * @defgroup connmark_plugin connmark_plugin + * @{ @ingroup connmark + */ + +#ifndef CONNMARK_PLUGIN_H_ +#define CONNMARK_PLUGIN_H_ + +#include + +typedef struct connmark_plugin_t connmark_plugin_t; + +/** + * Plugin using marks to select return path SA based on conntrack. + */ +struct connmark_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** CONNMARK_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in index 679d2dae6..dff80c37f 100644 --- a/src/libcharon/plugins/coupling/Makefile.in +++ b/src/libcharon/plugins/coupling/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index 768c2b32b..1e84f04e2 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c index c36c60d28..642e28afc 100644 --- a/src/libcharon/plugins/dhcp/dhcp_plugin.c +++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c @@ -18,7 +18,6 @@ #include "dhcp_plugin.h" -#include #include #include @@ -69,13 +68,13 @@ static bool plugin_cb(private_dhcp_plugin_t *this, return FALSE; } this->provider = dhcp_provider_create(this->socket); - hydra->attributes->add_provider(hydra->attributes, - &this->provider->provider); + charon->attributes->add_provider(charon->attributes, + &this->provider->provider); } else { - hydra->attributes->remove_provider(hydra->attributes, - &this->provider->provider); + charon->attributes->remove_provider(charon->attributes, + &this->provider->provider); this->provider->destroy(this->provider); this->socket->destroy(this->socket); } diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c index f5325b566..f0681b1da 100644 --- a/src/libcharon/plugins/dhcp/dhcp_provider.c +++ b/src/libcharon/plugins/dhcp/dhcp_provider.c @@ -66,10 +66,11 @@ static uintptr_t hash_transaction(dhcp_transaction_t *transaction) METHOD(attribute_provider_t, acquire_address, host_t*, private_dhcp_provider_t *this, linked_list_t *pools, - identification_t *id, host_t *requested) + ike_sa_t *ike_sa, host_t *requested) { dhcp_transaction_t *transaction, *old; enumerator_t *enumerator; + identification_t *id; char *pool; host_t *vip = NULL; @@ -77,6 +78,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*, { return NULL; } + id = ike_sa->get_other_eap_id(ike_sa); enumerator = pools->create_enumerator(pools); while (enumerator->enumerate(enumerator, &pool)) { @@ -104,10 +106,11 @@ METHOD(attribute_provider_t, acquire_address, host_t*, METHOD(attribute_provider_t, release_address, bool, private_dhcp_provider_t *this, linked_list_t *pools, - host_t *address, identification_t *id) + host_t *address, ike_sa_t *ike_sa) { dhcp_transaction_t *transaction; enumerator_t *enumerator; + identification_t *id; bool found = FALSE; char *pool; @@ -115,6 +118,7 @@ METHOD(attribute_provider_t, release_address, bool, { return FALSE; } + id = ike_sa->get_other_eap_id(ike_sa); enumerator = pools->create_enumerator(pools); while (enumerator->enumerate(enumerator, &pool)) { @@ -139,11 +143,12 @@ METHOD(attribute_provider_t, release_address, bool, } METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, - private_dhcp_provider_t *this, linked_list_t *pools, identification_t *id, + private_dhcp_provider_t *this, linked_list_t *pools, ike_sa_t *ike_sa, linked_list_t *vips) { dhcp_transaction_t *transaction = NULL; enumerator_t *enumerator; + identification_t *id; host_t *vip; if (pools->find_first(pools, (linked_list_match_t)streq, @@ -152,6 +157,7 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, return NULL; } + id = ike_sa->get_other_eap_id(ike_sa); this->mutex->lock(this->mutex); enumerator = vips->create_enumerator(vips); while (enumerator->enumerate(enumerator, &vip)) diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in index 3484e08a3..ed873b316 100644 --- a/src/libcharon/plugins/dnscert/Makefile.in +++ b/src/libcharon/plugins/dnscert/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in index 381d7a119..41862cb2a 100644 --- a/src/libcharon/plugins/duplicheck/Makefile.in +++ b/src/libcharon/plugins/duplicheck/Makefile.in @@ -236,6 +236,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in index 3b0f8763c..dacddfb87 100644 --- a/src/libcharon/plugins/eap_aka/Makefile.in +++ b/src/libcharon/plugins/eap_aka/Makefile.in @@ -230,6 +230,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in index 839a379ea..3c26b8511 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in @@ -231,6 +231,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in index fdbad6234..402c7cadc 100644 --- a/src/libcharon/plugins/eap_dynamic/Makefile.in +++ b/src/libcharon/plugins/eap_dynamic/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in index 9675104da..2279b2514 100644 --- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -228,6 +228,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in index 0610b5859..30d2c88d1 100644 --- a/src/libcharon/plugins/eap_identity/Makefile.in +++ b/src/libcharon/plugins/eap_identity/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in index 38c9d0b7c..14616c214 100644 --- a/src/libcharon/plugins/eap_md5/Makefile.in +++ b/src/libcharon/plugins/eap_md5/Makefile.in @@ -228,6 +228,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in index f5dfd6814..78dfd29e3 100644 --- a/src/libcharon/plugins/eap_mschapv2/Makefile.in +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in index 5ccd58158..2f0d65d6d 100644 --- a/src/libcharon/plugins/eap_peap/Makefile.in +++ b/src/libcharon/plugins/eap_peap/Makefile.in @@ -230,6 +230,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index 04cc422f5..47534372b 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -231,6 +231,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c index 31c96d229..ac4ecfc86 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c @@ -99,7 +99,7 @@ typedef struct { /** IKE_SA identifier this entry is stored under */ ike_sa_id_t *id; /** RADIUS accounting session ID */ - char sid[16]; + char sid[24]; /** number of sent/received octets/packets */ struct { u_int64_t sent; diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c index 1a48c07e5..6a4a0384e 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c @@ -26,7 +26,7 @@ #include #include -#include +#include #include #include #include @@ -149,19 +149,26 @@ static void load_configs(private_eap_radius_plugin_t *this) continue; } nas_identifier = lib->settings->get_str(lib->settings, - "%s.plugins.eap-radius.servers.%s.nas_identifier", "strongSwan", + "%s.plugins.eap-radius.servers.%s.nas_identifier", + lib->settings->get_str(lib->settings, + "%s.plugins.eap-radius.nas_identifier", "strongSwan", + lib->ns), lib->ns, section); auth_port = lib->settings->get_int(lib->settings, "%s.plugins.eap-radius.servers.%s.auth_port", lib->settings->get_int(lib->settings, "%s.plugins.eap-radius.servers.%s.port", - AUTH_PORT, lib->ns, section), + lib->settings->get_int(lib->settings, + "%s.plugins.eap-radius.port", AUTH_PORT, lib->ns), + lib->ns, section), lib->ns, section); acct_port = lib->settings->get_int(lib->settings, "%s.plugins.eap-radius.servers.%s.acct_port", ACCT_PORT, lib->ns, section); sockets = lib->settings->get_int(lib->settings, - "%s.plugins.eap-radius.servers.%s.sockets", 1, + "%s.plugins.eap-radius.servers.%s.sockets", + lib->settings->get_int(lib->settings, + "%s.plugins.eap-radius.sockets", 1, lib->ns), lib->ns, section); preference = lib->settings->get_int(lib->settings, "%s.plugins.eap-radius.servers.%s.preference", 0, @@ -211,13 +218,13 @@ static bool plugin_cb(private_eap_radius_plugin_t *this, { charon->bus->add_listener(charon->bus, &this->forward->listener); } - hydra->attributes->add_provider(hydra->attributes, - &this->provider->provider); + charon->attributes->add_provider(charon->attributes, + &this->provider->provider); } else { - hydra->attributes->remove_provider(hydra->attributes, - &this->provider->provider); + charon->attributes->remove_provider(charon->attributes, + &this->provider->provider); if (this->forward) { charon->bus->remove_listener(charon->bus, &this->forward->listener); diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c index 7c794616b..0cf723711 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c @@ -311,19 +311,13 @@ METHOD(listener_t, ike_rekey, bool, METHOD(attribute_provider_t, acquire_address, host_t*, private_eap_radius_provider_t *this, linked_list_t *pools, - identification_t *id, host_t *requested) + ike_sa_t *ike_sa, host_t *requested) { enumerator_t *enumerator; host_t *addr = NULL; - ike_sa_t *ike_sa; uintptr_t sa; char *name; - ike_sa = charon->bus->get_sa(charon->bus); - if (!ike_sa) - { - return NULL; - } sa = ike_sa->get_unique_id(ike_sa); enumerator = pools->create_enumerator(pools); @@ -348,19 +342,13 @@ METHOD(attribute_provider_t, acquire_address, host_t*, METHOD(attribute_provider_t, release_address, bool, private_eap_radius_provider_t *this, linked_list_t *pools, host_t *address, - identification_t *id) + ike_sa_t *ike_sa) { enumerator_t *enumerator; host_t *found = NULL; - ike_sa_t *ike_sa; uintptr_t sa; char *name; - ike_sa = charon->bus->get_sa(charon->bus); - if (!ike_sa) - { - return FALSE; - } sa = ike_sa->get_unique_id(ike_sa); enumerator = pools->create_enumerator(pools); @@ -428,18 +416,12 @@ METHOD(enumerator_t, attribute_destroy, void, METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, private_eap_radius_provider_t *this, linked_list_t *pools, - identification_t *id, linked_list_t *vips) + ike_sa_t *ike_sa, linked_list_t *vips) { attribute_enumerator_t *enumerator; attr_t *attr; - ike_sa_t *ike_sa; uintptr_t sa; - ike_sa = charon->bus->get_sa(charon->bus); - if (!ike_sa) - { - return NULL; - } sa = ike_sa->get_unique_id(ike_sa); INIT(enumerator, diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index 6a00ea74d..251eeeeba 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -230,6 +230,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in index 7a08f4e0e..bffcbc0df 100644 --- a/src/libcharon/plugins/eap_sim_file/Makefile.in +++ b/src/libcharon/plugins/eap_sim_file/Makefile.in @@ -231,6 +231,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in index a1ec7adc1..78682ce37 100644 --- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in +++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in @@ -232,6 +232,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in index bf99ab095..2a6be5fd9 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in @@ -232,6 +232,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in index ce4602365..de504d4cd 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in @@ -231,6 +231,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in index 0c0b7fd52..de3508a07 100644 --- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in @@ -230,6 +230,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in index 25696f524..d4219b876 100644 --- a/src/libcharon/plugins/eap_tls/Makefile.in +++ b/src/libcharon/plugins/eap_tls/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c index dffbaf266..bc01ba5df 100644 --- a/src/libcharon/plugins/eap_tls/eap_tls.c +++ b/src/libcharon/plugins/eap_tls/eap_tls.c @@ -109,6 +109,12 @@ METHOD(eap_method_t, is_mutual, bool, return TRUE; } +METHOD(eap_method_t, get_auth, auth_cfg_t*, + private_eap_tls_t *this) +{ + return this->tls_eap->get_auth(this->tls_eap); +} + METHOD(eap_method_t, destroy, void, private_eap_tls_t *this) { @@ -138,6 +144,7 @@ static eap_tls_t *eap_tls_create(identification_t *server, .get_msk = _get_msk, .get_identifier = _get_identifier, .set_identifier = _set_identifier, + .get_auth = _get_auth, .destroy = _destroy, }, }, diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in index 2d5d65875..6c34ed098 100644 --- a/src/libcharon/plugins/eap_tnc/Makefile.in +++ b/src/libcharon/plugins/eap_tnc/Makefile.in @@ -230,6 +230,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c index 62d23d064..f70f47ef6 100644 --- a/src/libcharon/plugins/eap_tnc/eap_tnc.c +++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -256,6 +256,8 @@ static eap_tnc_t *eap_tnc_create(identification_t *server, private_eap_tnc_t *this; int max_msg_count; char* protocol; + ike_sa_t *ike_sa; + host_t *server_ip, *peer_ip; tnccs_t *tnccs; tnccs_type_t tnccs_type; @@ -302,8 +304,29 @@ static eap_tnc_t *eap_tnc_create(identification_t *server, free(this); return NULL; } + + /* Determine IP addresses of server and peer */ + ike_sa = charon->bus->get_sa(charon->bus); + if (!ike_sa) + { + DBG1(DBG_TNC, "%N constructor did not find IKE_SA", + eap_type_names, type); + free(this); + return NULL; + } + if (is_server) + { + server_ip = ike_sa->get_my_host(ike_sa); + peer_ip = ike_sa->get_other_host(ike_sa); + } + else + { + peer_ip = ike_sa->get_my_host(ike_sa); + server_ip = ike_sa->get_other_host(ike_sa); + } + tnccs = tnc->tnccs->create_instance(tnc->tnccs, tnccs_type, - is_server, server, peer, + is_server, server, peer, server_ip, peer_ip, (type == EAP_TNC) ? TNC_IFT_EAP_1_1 : TNC_IFT_EAP_2_0, is_server ? enforce_recommendation : NULL); if (!tnccs) diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in index 38c7632ac..0babf1766 100644 --- a/src/libcharon/plugins/eap_ttls/Makefile.in +++ b/src/libcharon/plugins/eap_ttls/Makefile.in @@ -231,6 +231,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c index 703cd3f29..c99d47f8d 100644 --- a/src/libcharon/plugins/eap_ttls/eap_ttls.c +++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c @@ -111,6 +111,12 @@ METHOD(eap_method_t, is_mutual, bool, return TRUE; } +METHOD(eap_method_t, get_auth, auth_cfg_t*, + private_eap_ttls_t *this) +{ + return this->tls_eap->get_auth(this->tls_eap); +} + METHOD(eap_method_t, destroy, void, private_eap_ttls_t *this) { @@ -141,6 +147,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server, .get_identifier = _get_identifier, .set_identifier = _set_identifier, .get_msk = _get_msk, + .get_auth = _get_auth, .destroy = _destroy, }, }, diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in index d9fa454ca..0a07aa7a3 100644 --- a/src/libcharon/plugins/error_notify/Makefile.in +++ b/src/libcharon/plugins/error_notify/Makefile.in @@ -237,6 +237,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -297,10 +298,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -374,6 +377,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/ext_auth/Makefile.in b/src/libcharon/plugins/ext_auth/Makefile.in index a1b47dd33..d23e680aa 100644 --- a/src/libcharon/plugins/ext_auth/Makefile.in +++ b/src/libcharon/plugins/ext_auth/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in index 2bfd38ba1..318400fc9 100644 --- a/src/libcharon/plugins/farp/Makefile.in +++ b/src/libcharon/plugins/farp/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/forecast/Makefile.am b/src/libcharon/plugins/forecast/Makefile.am new file mode 100644 index 000000000..ce573135d --- /dev/null +++ b/src/libcharon/plugins/forecast/Makefile.am @@ -0,0 +1,21 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) $(libiptc_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-forecast.la +else +plugin_LTLIBRARIES = libstrongswan-forecast.la +endif + +libstrongswan_forecast_la_SOURCES = \ + forecast_listener.h forecast_listener.c \ + forecast_forwarder.h forecast_forwarder.c \ + forecast_plugin.h forecast_plugin.c + +libstrongswan_forecast_la_LDFLAGS = -module -avoid-version +libstrongswan_forecast_la_LIBADD = $(libiptc_LIBS) diff --git a/src/libcharon/plugins/forecast/Makefile.in b/src/libcharon/plugins/forecast/Makefile.in new file mode 100644 index 000000000..7b190ca25 --- /dev/null +++ b/src/libcharon/plugins/forecast/Makefile.in @@ -0,0 +1,784 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/forecast +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +am__DEPENDENCIES_1 = +libstrongswan_forecast_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am_libstrongswan_forecast_la_OBJECTS = forecast_listener.lo \ + forecast_forwarder.lo forecast_plugin.lo +libstrongswan_forecast_la_OBJECTS = \ + $(am_libstrongswan_forecast_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libstrongswan_forecast_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_forecast_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_forecast_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_forecast_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libstrongswan_forecast_la_SOURCES) +DIST_SOURCES = $(libstrongswan_forecast_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) $(libiptc_CFLAGS) + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-forecast.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-forecast.la +libstrongswan_forecast_la_SOURCES = \ + forecast_listener.h forecast_listener.c \ + forecast_forwarder.h forecast_forwarder.c \ + forecast_plugin.h forecast_plugin.c + +libstrongswan_forecast_la_LDFLAGS = -module -avoid-version +libstrongswan_forecast_la_LIBADD = $(libiptc_LIBS) +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/forecast/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/forecast/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-forecast.la: $(libstrongswan_forecast_la_OBJECTS) $(libstrongswan_forecast_la_DEPENDENCIES) $(EXTRA_libstrongswan_forecast_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_forecast_la_LINK) $(am_libstrongswan_forecast_la_rpath) $(libstrongswan_forecast_la_OBJECTS) $(libstrongswan_forecast_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/forecast_forwarder.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/forecast_listener.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/forecast_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/forecast/forecast_forwarder.c b/src/libcharon/plugins/forecast/forecast_forwarder.c new file mode 100644 index 000000000..07a3d4953 --- /dev/null +++ b/src/libcharon/plugins/forecast/forecast_forwarder.c @@ -0,0 +1,496 @@ +/* + * Copyright (C) 2010-2014 Martin Willi + * Copyright (C) 2010-2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "forecast_forwarder.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#define BOOTP_SERVER_PORT 67 +#define BOOTP_CLIENT_PORT 68 + +typedef struct private_forecast_forwarder_t private_forecast_forwarder_t; +typedef struct private_kernel_listener_t private_kernel_listener_t; + +/** + * Private data of registered kernel listener + */ +struct private_kernel_listener_t { + + /** + * Implements kernel_listener_t + */ + kernel_listener_t listener; + + /** + * Listener that knows active addresses + */ + forecast_listener_t *fc; + + /** + * current broadcast address of internal network + */ + u_int32_t broadcast; + + /** + * LAN interface index + */ + int ifindex; + + /** + * Packet socket + */ + int pkt; + + /** + * RAW socket + */ + int raw; +}; + +/** + * Private data of an forecast_forwarder_t object. + */ +struct private_forecast_forwarder_t { + + /** + * Public forecast_forwarder_t interface. + */ + forecast_forwarder_t public; + + /** + * Public kernel_listener_t interface. + */ + private_kernel_listener_t kernel; +}; + +/** + * Send a broadcast/multicast packet to a network + */ +static void send_net(private_forecast_forwarder_t *this, + struct sockaddr_ll *addr, void *buf, size_t len) +{ + if (sendto(this->kernel.pkt, buf, len, 0, + (struct sockaddr*)addr, sizeof(*addr)) != len) + { + DBG1(DBG_NET, "forecast send_net() failed: %s", strerror(errno)); + } +} + +/** + * Send a broadcast/multicast packet to a peer + */ +static void send_peer(private_forecast_forwarder_t *this, u_int32_t dst, + void *buf, size_t len, int mark) +{ + struct sockaddr_in addr = { + .sin_family = AF_INET, + .sin_addr.s_addr = dst, + }; + + if (setsockopt(this->kernel.raw, SOL_SOCKET, SO_MARK, + &mark, sizeof(mark)) != 0) + { + DBG1(DBG_NET, "forecast setting SO_MARK failed: %s", strerror(errno)); + } + if (sendto(this->kernel.raw, buf, len, 0, + (struct sockaddr*)&addr, sizeof(addr)) != len) + { + DBG1(DBG_NET, "forecast send_peer() failed: %s", strerror(errno)); + } +} + +/** + * Check if an IP packet is BOOTP/DHCP + */ +static bool is_bootp(void *buf, size_t len) +{ + struct __attribute__((__packed__)) { + struct iphdr ip; + struct udphdr udp; + } *pkt = buf; + + if (len > sizeof(*pkt)) + { + if (ntohs(pkt->udp.source) == BOOTP_CLIENT_PORT && + ntohs(pkt->udp.dest) == BOOTP_SERVER_PORT) + { + return TRUE; + } + if (ntohs(pkt->udp.source) == BOOTP_SERVER_PORT && + ntohs(pkt->udp.dest) == BOOTP_CLIENT_PORT) + { + return TRUE; + } + } + return FALSE; +} + +/** + * Broadcast/Multicast receiver + */ +static bool receive_casts(private_forecast_forwarder_t *this) +{ + struct __attribute__((packed)) { + struct iphdr hdr; + char data[2048]; + } buf; + char *type; + ssize_t len; + u_int mark, origin = 0; + host_t *src, *dst; + traffic_selector_t *ts; + enumerator_t *enumerator; + struct sockaddr_ll addr; + socklen_t alen = sizeof(addr); + bool reinject; + + len = recvfrom(this->kernel.pkt, &buf, sizeof(buf), MSG_DONTWAIT, + (struct sockaddr*)&addr, &alen); + if (len < 0) + { + if (errno != EAGAIN && errno != EWOULDBLOCK) + { + DBG1(DBG_NET, "receiving from forecast socket failed: %s", + strerror(errno)); + } + return TRUE; + } + else if (len < sizeof(struct iphdr)) + { + DBG1(DBG_NET, "received short forecast packet: %zd bytes", len); + return TRUE; + } + if (is_bootp(&buf, len)) + { /* don't forward DHCP broadcasts */ + return TRUE; + } + + src = host_create_from_chunk(AF_INET, chunk_from_thing(buf.hdr.saddr), 0); + dst = host_create_from_chunk(AF_INET, chunk_from_thing(buf.hdr.daddr), 0); + + /* create valid broadcast/multicast MAC to send out */ + if (IN_MULTICAST(ntohl(buf.hdr.daddr))) + { + type = "multi"; + ETHER_MAP_IP_MULTICAST(&buf.hdr.daddr, addr.sll_addr); + } + else + { + type = "broad"; + memset(&addr.sll_addr, 0xFF, sizeof(addr.sll_addr)); + } + DBG2(DBG_NET, "forecast intercepted packet: %H to %H", src, dst); + + /* find mark of originating tunnel */ + enumerator = this->kernel.fc->create_enumerator(this->kernel.fc, FALSE); + while (enumerator->enumerate(enumerator, &ts, &mark, &reinject)) + { + if (ts->includes(ts, src)) + { + origin = mark; + break; + } + } + enumerator->destroy(enumerator); + + /* send packet over all tunnels, but not the packets origin */ + enumerator = this->kernel.fc->create_enumerator(this->kernel.fc, FALSE); + while (enumerator->enumerate(enumerator, &ts, &mark, &reinject)) + { + if (ts->includes(ts, dst)) + { + if ((reinject && origin != mark) || origin == 0) + { + DBG2(DBG_NET, "forwarding a %H %scast from %H to peer %R (%u)", + dst, type, src, ts, mark); + send_peer(this, buf.hdr.daddr, &buf, len, mark); + } + } + } + enumerator->destroy(enumerator); + + if (origin) + { + /* forward broadcast/multicast from client to network */ + DBG2(DBG_NET, "forwarding a %H %scast from peer %H to internal network", + dst, type, src); + addr.sll_ifindex = this->kernel.ifindex; + send_net(this, &addr, &buf, len); + } + + dst->destroy(dst); + src->destroy(src); + + return TRUE; +} + +/** + * Join a multicast group + */ +static void join_group(private_kernel_listener_t *this, char *group, + struct sockaddr *addr) +{ + struct sockaddr_in *in; + struct ip_mreqn mreq; + host_t *host; + + host = host_create_from_string(group, 0); + if (host) + { + memset(&mreq, 0, sizeof(mreq)); + memcpy(&mreq.imr_multiaddr.s_addr, host->get_address(host).ptr, 4); + if (addr->sa_family == AF_INET) + { + in = (struct sockaddr_in*)addr; + memcpy(&mreq.imr_address, &in->sin_addr.s_addr, + sizeof(in->sin_addr.s_addr)); + } + mreq.imr_ifindex = this->ifindex; + if (setsockopt(this->raw, IPPROTO_IP, IP_ADD_MEMBERSHIP, + &mreq, sizeof(mreq)) == -1) + { + if (errno != EADDRINUSE) + { + DBG1(DBG_NET, "forecast multicast join to %s failed: %s", + group, strerror(errno)); + } + } + else + { + DBG2(DBG_NET, "forwarding multicast group %s", group); + } + host->destroy(host); + } +} + +/** + * (Re-)Join all multicast groups we want to forward + */ +static void join_groups(private_kernel_listener_t *this, struct sockaddr *addr) +{ + enumerator_t *enumerator; + char *groups, *group; + static char *def = + "224.0.0.1," /* host multicast */ + "224.0.0.22," /* IGMP */ + "224.0.0.251," /* mDNS */ + "224.0.0.252," /* LLMNR */ + "239.255.255.250"; /* SSDP/WS-discovery */ + + groups = lib->settings->get_str(lib->settings, + "%s.plugins.forecast.groups", def, lib->ns); + DBG1(DBG_CFG, "joining forecast multicast groups: %s", groups); + enumerator = enumerator_create_token(groups, ",", " "); + while (enumerator->enumerate(enumerator, &group)) + { + join_group(this, group, addr); + } + enumerator->destroy(enumerator); +} + +/** + * Attach the socket filter to the socket + */ +static bool attach_filter(int fd, u_int32_t broadcast) +{ + struct sock_filter filter_code[] = { + /* destination address: is ... */ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct iphdr, daddr)), + /* broadcast, as received from the local network */ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ntohl(broadcast), 4, 0), + /* broadcast, as Win7 sends them */ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0xFFFFFFFF, 3, 0), + /* any multicast, 224.0.0.0/4 */ + BPF_STMT(BPF_ALU+BPF_AND+BPF_K, 0xF0000000), + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0xE0000000, 1, 0), + BPF_STMT(BPF_RET+BPF_K, 0), + BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0), + BPF_STMT(BPF_RET+BPF_A, 0), + }; + struct sock_fprog filter = { + sizeof(filter_code) / sizeof(struct sock_filter), + filter_code, + }; + + if (setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, + &filter, sizeof(filter)) < 0) + { + DBG1(DBG_NET, "installing forecast PACKET socket filter failed: %s", + strerror(errno)); + return FALSE; + } + return TRUE; +} + +/** + * Get the interface index of an interface name + */ +static int get_ifindex(private_kernel_listener_t *this, char *ifname) +{ + struct ifreq ifr = {}; + + strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + if (ioctl(this->raw, SIOCGIFINDEX, &ifr) == 0) + { + return ifr.ifr_ifindex; + } + return 0; +} + +/** + * Set up the interface for broad/multicast forwarding + */ +static void setup_interface(private_kernel_listener_t *this) +{ + struct ifaddrs *addrs, *current; + struct sockaddr_in *in; + host_t *host; + char *name; + + name = lib->settings->get_str(lib->settings, + "%s.plugins.forecast.interface", NULL, lib->ns); + if (getifaddrs(&addrs) == 0) + { + for (current = addrs; current; current = current->ifa_next) + { + if (name && !streq(name, current->ifa_name)) + { + continue; + } + if (current->ifa_flags & IFF_BROADCAST && + current->ifa_broadaddr && + current->ifa_broadaddr->sa_family == AF_INET) + { + DBG1(DBG_NET, "using forecast interface %s", current->ifa_name); + this->ifindex = get_ifindex(this, current->ifa_name); + in = (struct sockaddr_in*)current->ifa_broadaddr; + attach_filter(this->pkt, in->sin_addr.s_addr); + join_groups(this, current->ifa_addr); + host = host_create_from_sockaddr(current->ifa_broadaddr); + if (host) + { + this->fc->set_broadcast(this->fc, host); + host->destroy(host); + } + break; + } + } + } + freeifaddrs(addrs); +} + +METHOD(kernel_listener_t, roam, bool, + private_kernel_listener_t *this, bool address) +{ + if (address) + { + setup_interface(this); + } + return TRUE; +} + +METHOD(forecast_forwarder_t, destroy, void, + private_forecast_forwarder_t *this) +{ + if (this->kernel.raw != -1) + { + close(this->kernel.raw); + } + if (this->kernel.pkt != -1) + { + lib->watcher->remove(lib->watcher, this->kernel.pkt); + close(this->kernel.pkt); + } + hydra->kernel_interface->remove_listener(hydra->kernel_interface, + &this->kernel.listener); + free(this); +} + +/** + * See header + */ +forecast_forwarder_t *forecast_forwarder_create(forecast_listener_t *listener) +{ + private_forecast_forwarder_t *this; + int on = 1; + + INIT(this, + .public = { + .destroy = _destroy, + }, + .kernel = { + .listener = { + .roam = _roam, + }, + .raw = -1, + .pkt = -1, + .fc = listener, + }, + ); + + this->kernel.pkt = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_IP)); + if (this->kernel.pkt == -1) + { + DBG1(DBG_NET, "opening PACKET socket failed: %s", strerror(errno)); + destroy(this); + return NULL; + } + this->kernel.raw = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); + if (this->kernel.raw == -1) + { + DBG1(DBG_NET, "opening RAW socket failed: %s", strerror(errno)); + destroy(this); + return NULL; + } + if (setsockopt(this->kernel.raw, IPPROTO_IP, IP_HDRINCL, + &on, sizeof(on)) == -1) + { + DBG1(DBG_NET, "forecast socket HDRINCL failed: %s", strerror(errno)); + destroy(this); + return NULL; + } + if (setsockopt(this->kernel.raw, SOL_SOCKET, SO_BROADCAST, + &on, sizeof(on)) == -1) + { + DBG1(DBG_NET, "forecast socket BROADCAST failed: %s", strerror(errno)); + destroy(this); + return NULL; + } + + setup_interface(&this->kernel); + + hydra->kernel_interface->add_listener(hydra->kernel_interface, + &this->kernel.listener); + + lib->watcher->add(lib->watcher, this->kernel.pkt, WATCHER_READ, + (watcher_cb_t)receive_casts, this); + + return &this->public; +} diff --git a/src/libcharon/plugins/forecast/forecast_forwarder.h b/src/libcharon/plugins/forecast/forecast_forwarder.h new file mode 100644 index 000000000..14d107361 --- /dev/null +++ b/src/libcharon/plugins/forecast/forecast_forwarder.h @@ -0,0 +1,47 @@ +/* + * Copyright (C) 2010-2014 Martin Willi + * Copyright (C) 2010-2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup forecast_forwarder forecast_forwarder + * @{ @ingroup forecast + */ + +#ifndef FORECAST_FORWARDER_H_ +#define FORECAST_FORWARDER_H_ + +#include "forecast_listener.h" + +typedef struct forecast_forwarder_t forecast_forwarder_t; + +/** + * Broadcast/Multicast sniffer and forwarder. + */ +struct forecast_forwarder_t { + + /** + * Destroy a forecast_forwarder_t. + */ + void (*destroy)(forecast_forwarder_t *this); +}; + +/** + * Create a forecast_forwarder instance. + * + * @param listener listener to check for addresses to forward to + * @return forwarder instance + */ +forecast_forwarder_t *forecast_forwarder_create(forecast_listener_t *listener); + +#endif /** FORECAST_FORWARDER_H_ @}*/ diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c new file mode 100644 index 000000000..63a8cb15b --- /dev/null +++ b/src/libcharon/plugins/forecast/forecast_listener.c @@ -0,0 +1,680 @@ +/* + * Copyright (C) 2010-2014 Martin Willi + * Copyright (C) 2010-2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "forecast_listener.h" + +#include +#include +#include +#include + +#include +#include +#include +#include + +typedef struct private_forecast_listener_t private_forecast_listener_t; + +/** + * Private data of an forecast_listener_t object. + */ +struct private_forecast_listener_t { + + /** + * Public forecast_listener_t interface. + */ + forecast_listener_t public; + + /** + * List of entries + */ + linked_list_t *entries; + + /** + * RWlock for IP list + */ + rwlock_t *lock; + + /** + * Configs we do reinjection + */ + char *reinject_configs; + + /** + * Broadcast address on LAN interface, network order + */ + u_int32_t broadcast; +}; + +/** + * Hashtable entry + */ +typedef struct { + /** local traffic selectors */ + array_t *lts; + /** remote traffic selectors */ + array_t *rts; + /** firewall mark used by CHILD_SA */ + u_int mark; + /** local IKE_SA endpoint */ + host_t *lhost; + /** remote IKE_SA endpoint */ + host_t *rhost; + /** inbound SPI */ + u_int32_t spi; + /** use UDP encapsulation */ + bool encap; + /** whether we should allow reencapsulation of IPsec received forecasts */ + bool reinject; + /** broadcast address used for that entry */ + u_int32_t broadcast; +} entry_t; + +/** + * Destroy an entry + */ +static void entry_destroy(entry_t *entry) +{ + if (entry) + { + entry->lhost->destroy(entry->lhost); + entry->rhost->destroy(entry->rhost); + array_destroy_offset(entry->lts, offsetof(traffic_selector_t, destroy)); + array_destroy_offset(entry->rts, offsetof(traffic_selector_t, destroy)); + free(entry); + } +} + +/** + * Convert an (IPv4) traffic selector to an address and mask + */ +static bool ts2in(traffic_selector_t *ts, + struct in_addr *addr, struct in_addr *mask) +{ + u_int8_t bits; + host_t *net; + + if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE && + ts->to_subnet(ts, &net, &bits)) + { + memcpy(&addr->s_addr, net->get_address(net).ptr, 4); + net->destroy(net); + mask->s_addr = htonl(0xffffffffU << (32 - bits)); + return TRUE; + } + return FALSE; +} + +/** + * Convert an (IPv4) host to an address with mask + */ +static bool host2in(host_t *host, struct in_addr *addr, struct in_addr *mask) +{ + if (host->get_family(host) == AF_INET) + { + memcpy(&addr->s_addr, host->get_address(host).ptr, 4); + mask->s_addr = ~0; + return TRUE; + } + return FALSE; +} + +/** + * Add or remove a rule to/from the specified chain + */ +static bool manage_rule(struct iptc_handle *ipth, const char *chain, + bool add, struct ipt_entry *e) +{ + if (add) + { + if (!iptc_insert_entry(chain, e, 0, ipth)) + { + DBG1(DBG_CFG, "appending %s rule failed: %s", + chain, iptc_strerror(errno)); + return FALSE; + } + } + else + { + if (!iptc_delete_entry(chain, e, "", ipth)) + { + DBG1(DBG_CFG, "deleting %s rule failed: %s", + chain, iptc_strerror(errno)); + return FALSE; + } + } + return TRUE; +} + +/** + * Add rule marking UDP-encapsulated ESP packets to match the correct policy + */ +static bool manage_pre_esp_in_udp(struct iptc_handle *ipth, + entry_t *entry, bool add) +{ + struct { + struct ipt_entry e; + struct ipt_entry_match m; + struct xt_udp udp; + struct ipt_entry_target t; + struct xt_mark_tginfo2 tm; + } ipt = { + .e = { + .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + + sizeof(ipt.udp)), + .next_offset = sizeof(ipt), + .ip = { + .proto = IPPROTO_UDP, + }, + }, + .m = { + .u = { + .user = { + .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)), + .name = "udp", + }, + }, + }, + .udp = { + .spts = { + entry->rhost->get_port(entry->rhost), + entry->rhost->get_port(entry->lhost) + }, + .dpts = { + entry->lhost->get_port(entry->lhost), + entry->lhost->get_port(entry->lhost) + }, + }, + .t = { + .u = { + .user = { + .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), + .name = "MARK", + .revision = 2, + }, + }, + }, + .tm = { + .mark = entry->mark, + .mask = ~0, + }, + }; + + if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || + !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk)) + { + return FALSE; + } + return manage_rule(ipth, "PREROUTING", add, &ipt.e); +} + +/** + * Add rule marking non-encapsulated ESP packets to match the correct policy + */ +static bool manage_pre_esp(struct iptc_handle *ipth, entry_t *entry, bool add) +{ + struct { + struct ipt_entry e; + struct ipt_entry_match m; + struct xt_esp esp; + struct ipt_entry_target t; + struct xt_mark_tginfo2 tm; + } ipt = { + .e = { + .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + + sizeof(ipt.esp)), + .next_offset = sizeof(ipt), + .ip = { + .proto = IPPROTO_ESP, + }, + }, + .m = { + .u = { + .user = { + .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)), + .name = "esp", + }, + }, + }, + .esp = { + .spis = { htonl(entry->spi), htonl(entry->spi) }, + }, + .t = { + .u = { + .user = { + .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), + .name = "MARK", + .revision = 2, + }, + }, + }, + .tm = { + .mark = entry->mark, + .mask = ~0, + }, + }; + + if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || + !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk)) + { + return FALSE; + } + return manage_rule(ipth, "PREROUTING", add, &ipt.e); +} + +/** + * Add rule marking ESP packets to match the correct policy + */ +static bool manage_pre(struct iptc_handle *ipth, entry_t *entry, bool add) +{ + if (entry->encap) + { + return manage_pre_esp_in_udp(ipth, entry, add); + } + return manage_pre_esp(ipth, entry, add); +} + +/** + * Add rule handling outbound traffic to use correct mark + */ +static bool manage_out(struct iptc_handle *ipth, entry_t *entry, bool add) +{ + struct { + struct ipt_entry e; + struct ipt_entry_target t; + struct xt_mark_tginfo2 m; + } ipt = { + .e = { + .target_offset = XT_ALIGN(sizeof(ipt.e)), + .next_offset = sizeof(ipt), + }, + .t = { + .u.user.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.m)), + .u.user.name = "MARK", + .u.user.revision = 2, + }, + .m = { + .mark = entry->mark, + .mask = ~0, + }, + }; + enumerator_t *enumerator; + traffic_selector_t *ts; + + enumerator = array_create_enumerator(entry->rts); + while (enumerator->enumerate(enumerator, &ts)) + { + if (!ts2in(ts, &ipt.e.ip.dst, &ipt.e.ip.dmsk)) + { + continue; + } + if (ipt.e.ip.dst.s_addr == 0xffffffff || + ipt.e.ip.dst.s_addr == entry->broadcast || + memeq(&ipt.e.ip.dst.s_addr, "\xe0", 1)) + { + /* skip broadcast/multicast selectors, they are shared and the mark + * is set by the socket we use for reinjection */ + continue; + } + if (!manage_rule(ipth, "PREROUTING", add, &ipt.e) || + !manage_rule(ipth, "OUTPUT", add, &ipt.e)) + { + enumerator->destroy(enumerator); + return FALSE; + } + } + enumerator->destroy(enumerator); + + return TRUE; +} + +/** + * Check if config is whitelisted to reinject traffic + */ +static bool is_reinject_config(private_forecast_listener_t *this, char *name) +{ + enumerator_t *enumerator; + bool reinject = FALSE; + char *token; + + enumerator = enumerator_create_token(this->reinject_configs, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + if (streq(token, name)) + { + reinject = TRUE; + break; + } + } + enumerator->destroy(enumerator); + + return reinject; +} + +/** + * Add rules and entry for given CHILD_SA + */ +static bool add_entry(private_forecast_listener_t *this, + struct iptc_handle *ipth, host_t *lhost, host_t *rhost, + child_sa_t *child_sa, bool encap) +{ + enumerator_t *enumerator; + traffic_selector_t *ts; + entry_t *entry; + + INIT(entry, + .lts = array_create(0, 0), + .rts = array_create(0, 0), + .lhost = lhost->clone(lhost), + .rhost = rhost->clone(rhost), + .spi = child_sa->get_spi(child_sa, TRUE), + .encap = encap, + .mark = child_sa->get_mark(child_sa, TRUE).value, + .reinject = is_reinject_config(this, child_sa->get_name(child_sa)), + .broadcast = this->broadcast, + ); + + enumerator = child_sa->create_ts_enumerator(child_sa, TRUE); + while (enumerator->enumerate(enumerator, &ts)) + { + array_insert(entry->lts, ARRAY_TAIL, ts->clone(ts)); + } + enumerator->destroy(enumerator); + + enumerator = child_sa->create_ts_enumerator(child_sa, FALSE); + while (enumerator->enumerate(enumerator, &ts)) + { + array_insert(entry->rts, ARRAY_TAIL, ts->clone(ts)); + } + enumerator->destroy(enumerator); + + if (manage_pre(ipth, entry, TRUE) && + manage_out(ipth, entry, TRUE)) + { + this->lock->write_lock(this->lock); + this->entries->insert_last(this->entries, entry); + this->lock->unlock(this->lock); + return TRUE; + } + entry_destroy(entry); + return FALSE; +} + +/** + * Remove an entry and rules for a given mark + */ +static bool remove_entry(private_forecast_listener_t *this, + struct iptc_handle *ipth, child_sa_t *child_sa) +{ + enumerator_t *enumerator; + entry_t *entry; + bool done = FALSE; + + this->lock->write_lock(this->lock); + enumerator = this->entries->create_enumerator(this->entries); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->mark == child_sa->get_mark(child_sa, TRUE).value) + { + this->entries->remove_at(this->entries, enumerator); + if (manage_pre(ipth, entry, FALSE) && + manage_out(ipth, entry, FALSE)) + { + done = TRUE; + } + entry_destroy(entry); + break; + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + + return done; +} + +/** + * Initialize iptables handle, log error + */ +static struct iptc_handle* init_handle() +{ + struct iptc_handle *ipth; + + ipth = iptc_init("mangle"); + if (ipth) + { + return ipth; + } + DBG1(DBG_CFG, "initializing iptables failed: %s", iptc_strerror(errno)); + return NULL; +} + +/** + * Commit iptables rules, log error + */ +static bool commit_handle(struct iptc_handle *ipth) +{ + if (iptc_commit(ipth)) + { + return TRUE; + } + DBG1(DBG_CFG, "forecast iptables commit failed: %s", iptc_strerror(errno)); + return FALSE; +} + +/** + * Check if we should handle the given CHILD_SA + */ +static bool handle_sa(child_sa_t *child_sa) +{ + return child_sa->get_mark(child_sa, TRUE).value && + child_sa->get_mark(child_sa, FALSE).value; +} + +METHOD(listener_t, child_updown, bool, + private_forecast_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool up) +{ + struct iptc_handle *ipth; + host_t *lhost, *rhost; + bool encap; + + lhost = ike_sa->get_my_host(ike_sa); + rhost = ike_sa->get_other_host(ike_sa); + encap = child_sa->has_encap(child_sa); + + if (handle_sa(child_sa)) + { + ipth = init_handle(); + if (ipth) + { + if (up) + { + if (add_entry(this, ipth, lhost, rhost, child_sa, encap)) + { + commit_handle(ipth); + } + } + else + { + if (remove_entry(this, ipth, child_sa)) + { + commit_handle(ipth); + } + } + iptc_free(ipth); + } + } + return TRUE; +} + +METHOD(listener_t, child_rekey, bool, + private_forecast_listener_t *this, ike_sa_t *ike_sa, + child_sa_t *old, child_sa_t *new) +{ + struct iptc_handle *ipth;; + host_t *lhost, *rhost; + + lhost = ike_sa->get_my_host(ike_sa); + rhost = ike_sa->get_other_host(ike_sa); + + if (handle_sa(old)) + { + ipth = init_handle(); + if (ipth) + { + if (remove_entry(this, ipth, old) && + add_entry(this, ipth, lhost, rhost, new, new->has_encap(new))) + { + commit_handle(ipth); + } + iptc_free(ipth); + } + } + return TRUE; +} + +METHOD(listener_t, ike_update, bool, + private_forecast_listener_t *this, ike_sa_t *ike_sa, + bool local, host_t *new) +{ + struct iptc_handle *ipth; + enumerator_t *enumerator; + child_sa_t *child_sa; + host_t *lhost, *rhost; + bool encap; + + if (local) + { + lhost = new; + rhost = ike_sa->get_other_host(ike_sa); + } + else + { + lhost = ike_sa->get_my_host(ike_sa); + rhost = new; + } + /* during ike_update(), has_encap() on the CHILD_SA has not yet been + * updated, but shows the old state. */ + encap = ike_sa->has_condition(ike_sa, COND_NAT_ANY); + + enumerator = ike_sa->create_child_sa_enumerator(ike_sa); + while (enumerator->enumerate(enumerator, &child_sa)) + { + if (handle_sa(child_sa)) + { + ipth = init_handle(); + if (ipth) + { + if (remove_entry(this, ipth, child_sa) && + add_entry(this, ipth, lhost, rhost, child_sa, encap)) + { + commit_handle(ipth); + } + iptc_free(ipth); + } + } + } + enumerator->destroy(enumerator); + + return TRUE; +} + +/** + * Filter to map entries to ts/mark + */ +static bool ts_filter(entry_t *entry, traffic_selector_t **ts, + traffic_selector_t **out, void *dummy, u_int32_t *mark, + void *dummy2, bool *reinject) +{ + *out = *ts; + *mark = entry->mark; + *reinject = entry->reinject; + return TRUE; +} + +/** + * Create inner enumerator over local traffic selectors + */ +static enumerator_t* create_inner_local(entry_t *entry, rwlock_t *lock) +{ + return enumerator_create_filter(array_create_enumerator(entry->lts), + (void*)ts_filter, entry, NULL); +} + +/** + * Create inner enumerator over remote traffic selectors + */ +static enumerator_t* create_inner_remote(entry_t *entry, rwlock_t *lock) +{ + return enumerator_create_filter(array_create_enumerator(entry->rts), + (void*)ts_filter, entry, NULL); +} + +METHOD(forecast_listener_t, create_enumerator, enumerator_t*, + private_forecast_listener_t *this, bool local) +{ + this->lock->read_lock(this->lock); + return enumerator_create_nested( + this->entries->create_enumerator(this->entries), + (void*)(local ? create_inner_local : create_inner_remote), + this->lock, (void*)this->lock->unlock); +} + +METHOD(forecast_listener_t, set_broadcast, void, + private_forecast_listener_t *this, host_t *bcast) +{ + if (bcast->get_family(bcast) == AF_INET) + { + struct sockaddr_in *in; + + in = (struct sockaddr_in*)bcast->get_sockaddr(bcast); + this->broadcast = in->sin_addr.s_addr; + } +} + +METHOD(forecast_listener_t, destroy, void, + private_forecast_listener_t *this) +{ + this->entries->destroy(this->entries); + this->lock->destroy(this->lock); + free(this); +} + +/** + * See header + */ +forecast_listener_t *forecast_listener_create() +{ + private_forecast_listener_t *this; + + INIT(this, + .public = { + .listener = { + .ike_update = _ike_update, + .child_updown = _child_updown, + .child_rekey = _child_rekey, + }, + .create_enumerator = _create_enumerator, + .set_broadcast = _set_broadcast, + .destroy = _destroy, + }, + .entries = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .reinject_configs = lib->settings->get_str(lib->settings, + "%s.plugins.forecast.reinject", "", lib->ns), + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/forecast/forecast_listener.h b/src/libcharon/plugins/forecast/forecast_listener.h new file mode 100644 index 000000000..49827ecb1 --- /dev/null +++ b/src/libcharon/plugins/forecast/forecast_listener.h @@ -0,0 +1,68 @@ +/* + * Copyright (C) 2010-2014 Martin Willi + * Copyright (C) 2010-2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup forecast_listener forecast_listener + * @{ @ingroup forecast + */ + +#ifndef FORECAST_LISTENER_H_ +#define FORECAST_LISTENER_H_ + +#include + +typedef struct forecast_listener_t forecast_listener_t; + +/** + * Listener to register the set of IPs we forward received multi/broadcasts to. + */ +struct forecast_listener_t { + + /** + * Implements listener_t interface. + */ + listener_t listener; + + /** + * Create an enumerator over active tunnels. + * + * The enumerator enumerates over local or remote traffic selectors, + * associated firewall marks and if decasulated packets should get + * reinjected into other tunnels. + * + * @param local TRUE to enumerate local, FALSE to enumerate remote TS + * @return enumerator over (traffic_selector_t*, u_int, bool) + */ + enumerator_t* (*create_enumerator)(forecast_listener_t *this, bool local); + + /** + * Set the broadcast address of the LAN interface. + * + * @param bcast broadcast address + */ + void (*set_broadcast)(forecast_listener_t *this, host_t *bcast); + + /** + * Destroy a forecast_listener_t. + */ + void (*destroy)(forecast_listener_t *this); +}; + +/** + * Create a forecast_listener instance. + */ +forecast_listener_t *forecast_listener_create(); + +#endif /** FORECAST_LISTENER_H_ @}*/ diff --git a/src/libcharon/plugins/forecast/forecast_plugin.c b/src/libcharon/plugins/forecast/forecast_plugin.c new file mode 100644 index 000000000..a129b76b2 --- /dev/null +++ b/src/libcharon/plugins/forecast/forecast_plugin.c @@ -0,0 +1,118 @@ +/* + * Copyright (C) 2010-2014 Martin Willi + * Copyright (C) 2010-2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "forecast_plugin.h" +#include "forecast_listener.h" +#include "forecast_forwarder.h" + +#include + +typedef struct private_forecast_plugin_t private_forecast_plugin_t; + +/** + * Private data of forecast plugin + */ +struct private_forecast_plugin_t { + + /** + * implements plugin interface + */ + forecast_plugin_t public; + + /** + * Listener registering active tunnels + */ + forecast_listener_t *listener; + + /** + * Broadcast/Multicast sniffer and forwarder + */ + forecast_forwarder_t *forwarder; +}; + +METHOD(plugin_t, get_name, char*, + private_forecast_plugin_t *this) +{ + return "forecast"; +} + +/** + * Register plugin features + */ +static bool register_forecast(private_forecast_plugin_t *this, + plugin_feature_t *feature, bool reg, void *data) +{ + if (reg) + { + this->forwarder = forecast_forwarder_create(this->listener); + if (!this->forwarder) + { + return FALSE; + } + charon->bus->add_listener(charon->bus, &this->listener->listener); + } + else + { + charon->bus->remove_listener(charon->bus, &this->listener->listener); + this->forwarder->destroy(this->forwarder); + } + return TRUE; +} + +METHOD(plugin_t, get_features, int, + private_forecast_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_CALLBACK((plugin_feature_callback_t)register_forecast, NULL), + PLUGIN_PROVIDE(CUSTOM, "forecast"), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_forecast_plugin_t *this) +{ + this->listener->destroy(this->listener); + free(this); +} + +/** + * Plugin constructor + */ +plugin_t *forecast_plugin_create() +{ + private_forecast_plugin_t *this; + + if (!lib->caps->keep(lib->caps, CAP_NET_RAW)) + { + DBG1(DBG_NET, "forecast plugin requires CAP_NET_RAW capability"); + return NULL; + } + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .reload = (void*)return_false, + .destroy = _destroy, + }, + }, + .listener = forecast_listener_create(), + ); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/forecast/forecast_plugin.h b/src/libcharon/plugins/forecast/forecast_plugin.h new file mode 100644 index 000000000..739ca4d79 --- /dev/null +++ b/src/libcharon/plugins/forecast/forecast_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010-2014 Martin Willi + * Copyright (C) 2010-2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup forecast forecast + * @ingroup cplugins + * + * @defgroup forecast_plugin forecast_plugin + * @{ @ingroup forecast + */ + +#ifndef FORECAST_PLUGIN_H_ +#define FORECAST_PLUGIN_H_ + +#include + +typedef struct forecast_plugin_t forecast_plugin_t; + +/** + * Broadcast/Multicast forwarding plugin. + */ +struct forecast_plugin_t { + + /** + * Implements plugin interface. + */ + plugin_t plugin; +}; + +#endif /** FORECAST_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in index aa5bdb747..de74f88cc 100644 --- a/src/libcharon/plugins/ha/Makefile.in +++ b/src/libcharon/plugins/ha/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c index dd55fae8b..2b271a8e7 100644 --- a/src/libcharon/plugins/ha/ha_attribute.c +++ b/src/libcharon/plugins/ha/ha_attribute.c @@ -170,7 +170,7 @@ static bool responsible_for(private_ha_attribute_t *this, int bit) } METHOD(attribute_provider_t, acquire_address, host_t*, - private_ha_attribute_t *this, linked_list_t *pools, identification_t *id, + private_ha_attribute_t *this, linked_list_t *pools, ike_sa_t *ike_sa, host_t *requested) { enumerator_t *enumerator; @@ -233,7 +233,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*, METHOD(attribute_provider_t, release_address, bool, private_ha_attribute_t *this, linked_list_t *pools, host_t *address, - identification_t *id) + ike_sa_t *ike_sa) { enumerator_t *enumerator; pool_t *pool; diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c index 60e75fc7e..6c1b3471d 100644 --- a/src/libcharon/plugins/ha/ha_cache.c +++ b/src/libcharon/plugins/ha/ha_cache.c @@ -196,9 +196,26 @@ static status_t rekey_children(ike_sa_t *ike_sa) enumerator_t *enumerator; child_sa_t *child_sa; status_t status = SUCCESS; + linked_list_t *children; + struct { + protocol_id_t protocol; + u_int32_t spi; + } *info; + children = linked_list_create(); enumerator = ike_sa->create_child_sa_enumerator(ike_sa); - while (enumerator->enumerate(enumerator, (void**)&child_sa)) + while (enumerator->enumerate(enumerator, &child_sa)) + { + INIT(info, + .protocol = child_sa->get_protocol(child_sa), + .spi = child_sa->get_spi(child_sa, TRUE), + ); + children->insert_last(children, info); + } + enumerator->destroy(enumerator); + + enumerator = children->create_enumerator(children); + while (enumerator->enumerate(enumerator, &info)) { if (ike_sa->supports_extension(ike_sa, EXT_MS_WINDOWS) && ike_sa->has_condition(ike_sa, COND_NAT_THERE)) @@ -207,17 +224,13 @@ static status_t rekey_children(ike_sa_t *ike_sa) * with an "invalid situation" error. We just close the CHILD_SA, * Windows will reestablish it immediately if required. */ DBG1(DBG_CFG, "resyncing CHILD_SA using a delete"); - status = ike_sa->delete_child_sa(ike_sa, - child_sa->get_protocol(child_sa), - child_sa->get_spi(child_sa, TRUE), + status = ike_sa->delete_child_sa(ike_sa, info->protocol, info->spi, FALSE); } else { DBG1(DBG_CFG, "resyncing CHILD_SA using a rekey"); - status = ike_sa->rekey_child_sa(ike_sa, - child_sa->get_protocol(child_sa), - child_sa->get_spi(child_sa, TRUE)); + status = ike_sa->rekey_child_sa(ike_sa, info->protocol, info->spi); } if (status == DESTROY_ME) { @@ -225,6 +238,8 @@ static status_t rekey_children(ike_sa_t *ike_sa) } } enumerator->destroy(enumerator); + children->destroy_function(children, free); + return status; } diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c index c166d72ac..17f2d50d1 100644 --- a/src/libcharon/plugins/ha/ha_child.c +++ b/src/libcharon/plugins/ha/ha_child.c @@ -97,7 +97,7 @@ METHOD(listener_t, child_keys, bool, } m->add_attribute(m, HA_NONCE_I, nonce_i); m->add_attribute(m, HA_NONCE_R, nonce_r); - if (dh && dh->get_shared_secret(dh, &secret) == SUCCESS) + if (dh && dh->get_shared_secret(dh, &secret)) { m->add_attribute(m, HA_SECRET, secret); chunk_clear(&secret); @@ -128,7 +128,7 @@ METHOD(listener_t, child_keys, bool, ike_sa->get_other_host(ike_sa), child_sa->get_spi(child_sa, FALSE)); DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R=== %#R " "(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa), - child_sa->get_reqid(child_sa), local_ts, remote_ts, + child_sa->get_unique_id(child_sa), local_ts, remote_ts, seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "", seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : ""); diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c index e20e872c1..31eeb934e 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.c +++ b/src/libcharon/plugins/ha/ha_dispatcher.c @@ -81,17 +81,18 @@ struct ha_diffie_hellman_t { chunk_t pub; }; -METHOD(diffie_hellman_t, dh_get_shared_secret, status_t, +METHOD(diffie_hellman_t, dh_get_shared_secret, bool, ha_diffie_hellman_t *this, chunk_t *secret) { *secret = chunk_clone(this->secret); - return SUCCESS; + return TRUE; } -METHOD(diffie_hellman_t, dh_get_my_public_value, void, +METHOD(diffie_hellman_t, dh_get_my_public_value, bool, ha_diffie_hellman_t *this, chunk_t *value) { *value = chunk_clone(this->pub); + return TRUE; } METHOD(diffie_hellman_t, dh_destroy, void, @@ -373,6 +374,9 @@ static void process_ike_update(private_ha_dispatcher_t *this, else { DBG1(DBG_IKE, "HA is missing nodes peer configuration"); + charon->ike_sa_manager->checkin_and_destroy( + charon->ike_sa_manager, ike_sa); + ike_sa = NULL; } break; case HA_EXTENSIONS: @@ -718,7 +722,8 @@ static void process_child_add(private_ha_dispatcher_t *this, child_sa = child_sa_create(ike_sa->get_my_host(ike_sa), ike_sa->get_other_host(ike_sa), config, 0, - ike_sa->has_condition(ike_sa, COND_NAT_ANY)); + ike_sa->has_condition(ike_sa, COND_NAT_ANY), + 0, 0); child_sa->set_mode(child_sa, mode); child_sa->set_protocol(child_sa, PROTO_ESP); child_sa->set_ipcomp(child_sa, ipcomp); @@ -835,7 +840,7 @@ static void process_child_add(private_ha_dispatcher_t *this, DBG1(DBG_CFG, "installed HA CHILD_SA %s{%d} %#R=== %#R " "(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa), - child_sa->get_reqid(child_sa), local_ts, remote_ts, + child_sa->get_unique_id(child_sa), local_ts, remote_ts, seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "", seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : ""); child_sa->add_policies(child_sa, local_ts, remote_ts); diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c index 442a3a23d..6b4b53c9c 100644 --- a/src/libcharon/plugins/ha/ha_ike.c +++ b/src/libcharon/plugins/ha/ha_ike.c @@ -84,7 +84,7 @@ METHOD(listener_t, ike_keys, bool, { /* do not sync SA between nodes */ return TRUE; } - if (dh->get_shared_secret(dh, &secret) != SUCCESS) + if (!dh->get_shared_secret(dh, &secret)) { return TRUE; } @@ -127,9 +127,11 @@ METHOD(listener_t, ike_keys, bool, chunk_clear(&secret); if (ike_sa->get_version(ike_sa) == IKEV1) { - dh->get_my_public_value(dh, &secret); - m->add_attribute(m, HA_LOCAL_DH, secret); - chunk_free(&secret); + if (dh->get_my_public_value(dh, &secret)) + { + m->add_attribute(m, HA_LOCAL_DH, secret); + chunk_free(&secret); + } m->add_attribute(m, HA_REMOTE_DH, dh_other); if (shared) { diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c index 493cad5ec..a58377bab 100644 --- a/src/libcharon/plugins/ha/ha_plugin.c +++ b/src/libcharon/plugins/ha/ha_plugin.c @@ -25,7 +25,6 @@ #include "ha_attribute.h" #include -#include #include typedef struct private_ha_plugin_t private_ha_plugin_t; @@ -108,13 +107,13 @@ static bool plugin_cb(private_ha_plugin_t *this, charon->bus->add_listener(charon->bus, &this->segments->listener); charon->bus->add_listener(charon->bus, &this->ike->listener); charon->bus->add_listener(charon->bus, &this->child->listener); - hydra->attributes->add_provider(hydra->attributes, - &this->attr->provider); + charon->attributes->add_provider(charon->attributes, + &this->attr->provider); } else { - hydra->attributes->remove_provider(hydra->attributes, - &this->attr->provider); + charon->attributes->remove_provider(charon->attributes, + &this->attr->provider); charon->bus->remove_listener(charon->bus, &this->segments->listener); charon->bus->remove_listener(charon->bus, &this->ike->listener); charon->bus->remove_listener(charon->bus, &this->child->listener); @@ -224,4 +223,3 @@ plugin_t *ha_plugin_create() return &this->public.plugin; } - diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in index bd3fd63aa..f98e78ffc 100644 --- a/src/libcharon/plugins/ipseckey/Makefile.in +++ b/src/libcharon/plugins/ipseckey/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in index 7e1f79bd8..7a2583d06 100644 --- a/src/libcharon/plugins/kernel_iph/Makefile.in +++ b/src/libcharon/plugins/kernel_iph/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in index c961c0bd8..6b6c95688 100644 --- a/src/libcharon/plugins/kernel_libipsec/Makefile.in +++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in @@ -231,6 +231,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c index bd07a67a2..6246dc505 100644 --- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c +++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c @@ -222,10 +222,10 @@ static inline bool policy_entry_equals(policy_entry_t *a, /** * Expiration callback */ -static void expire(u_int32_t reqid, u_int8_t protocol, u_int32_t spi, bool hard) +static void expire(u_int8_t protocol, u_int32_t spi, host_t *dst, bool hard) { - hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol, - spi, hard); + hydra->kernel_interface->expire(hydra->kernel_interface, protocol, + spi, dst, hard); } METHOD(kernel_ipsec_t, get_features, kernel_feature_t, @@ -236,14 +236,14 @@ METHOD(kernel_ipsec_t, get_features, kernel_feature_t, METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t *spi) { - return ipsec->sas->get_spi(ipsec->sas, src, dst, protocol, reqid, spi); + return ipsec->sas->get_spi(ipsec->sas, src, dst, protocol, spi); } METHOD(kernel_ipsec_t, get_cpi, status_t, private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t reqid, u_int16_t *cpi) + u_int16_t *cpi) { return NOT_SUPPORTED; } @@ -254,13 +254,13 @@ METHOD(kernel_ipsec_t, add_sa, status_t, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts) + bool initiator, bool encap, bool esn, bool inbound, bool update, + linked_list_t *src_ts, linked_list_t *dst_ts) { return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, - mode, ipcomp, cpi, initiator, encap, esn, inbound, - src_ts, dst_ts); + mode, ipcomp, cpi, initiator, encap, esn, + inbound, update); } METHOD(kernel_ipsec_t, update_sa, status_t, diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c index 6ce1d4eb0..830954e11 100644 --- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c +++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c @@ -130,35 +130,6 @@ static void deliver_plain(private_kernel_libipsec_router_t *this, packet->destroy(packet); } -/** - * Create an FD set covering all TUN devices and the read end of the notify pipe - */ -static int collect_fds(private_kernel_libipsec_router_t *this, fd_set *fds) -{ - enumerator_t *enumerator; - tun_entry_t *entry; - int maxfd; - - FD_ZERO(fds); - FD_SET(this->notify[0], fds); - maxfd = this->notify[0]; - - FD_SET(this->tun.fd, fds); - maxfd = max(maxfd, this->tun.fd); - - this->lock->read_lock(this->lock); - enumerator = this->tuns->create_enumerator(this->tuns); - while (enumerator->enumerate(enumerator, NULL, &entry)) - { - FD_SET(entry->fd, fds); - maxfd = max(maxfd, entry->fd); - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - - return maxfd + 1; -} - /** * Read and process outbound plaintext packet for the given TUN device */ @@ -183,29 +154,20 @@ static void process_plain(tun_device_t *tun) } /** - * Handle waiting data for any TUN device + * Find flagged revents in a pollfd set by fd */ -static void handle_tuns(private_kernel_libipsec_router_t *this, fd_set *fds) +static int find_revents(struct pollfd *pfd, int count, int fd) { - enumerator_t *enumerator; - tun_entry_t *entry; + int i; - if (FD_ISSET(this->tun.fd, fds)) + for (i = 0; i < count; i++) { - process_plain(this->tun.tun); - } - - this->lock->read_lock(this->lock); - enumerator = this->tuns->create_enumerator(this->tuns); - while (enumerator->enumerate(enumerator, NULL, &entry)) - { - if (FD_ISSET(entry->fd, fds)) + if (pfd[i].fd == fd) { - process_plain(entry->tun); + return pfd[i].revents; } } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); + return 0; } /** @@ -213,28 +175,68 @@ static void handle_tuns(private_kernel_libipsec_router_t *this, fd_set *fds) */ static job_requeue_t handle_plain(private_kernel_libipsec_router_t *this) { + enumerator_t *enumerator; + tun_entry_t *entry; bool oldstate; - fd_set fds; - int maxfd; + int count = 0; + char buf[1]; + struct pollfd *pfd; + + this->lock->read_lock(this->lock); - maxfd = collect_fds(this, &fds); + pfd = alloca(sizeof(*pfd) * (this->tuns->get_count(this->tuns) + 2)); + pfd[count].fd = this->notify[0]; + pfd[count].events = POLLIN; + count++; + pfd[count].fd = this->tun.fd; + pfd[count].events = POLLIN; + count++; + + enumerator = this->tuns->create_enumerator(this->tuns); + while (enumerator->enumerate(enumerator, NULL, &entry)) + { + pfd[count].fd = entry->fd; + pfd[count].events = POLLIN; + count++; + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); oldstate = thread_cancelability(TRUE); - if (select(maxfd, &fds, NULL, NULL, NULL) <= 0) + if (poll(pfd, count, -1) <= 0) { thread_cancelability(oldstate); return JOB_REQUEUE_FAIR; } thread_cancelability(oldstate); - if (FD_ISSET(this->notify[0], &fds)) - { /* list of TUN devices changed, read notification data, rebuild FDs */ - char buf[1]; - while (read(this->notify[0], &buf, sizeof(buf)) == sizeof(buf)); + if (pfd[0].revents & POLLIN) + { + /* list of TUN devices changed, read notification data, rebuild FDs */ + while (read(this->notify[0], &buf, sizeof(buf)) == sizeof(buf)) + { + /* nop */ + } return JOB_REQUEUE_DIRECT; } - handle_tuns(this, &fds); + if (pfd[1].revents & POLLIN) + { + process_plain(this->tun.tun); + } + + this->lock->read_lock(this->lock); + enumerator = this->tuns->create_enumerator(this->tuns); + while (enumerator->enumerate(enumerator, NULL, &entry)) + { + if (find_revents(pfd, count, entry->fd) & POLLIN) + { + process_plain(entry->tun); + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + return JOB_REQUEUE_DIRECT; } diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in index 1c92e30fc..efb214b88 100644 --- a/src/libcharon/plugins/kernel_wfp/Makefile.in +++ b/src/libcharon/plugins/kernel_wfp/Makefile.in @@ -237,6 +237,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -297,10 +298,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -374,6 +377,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c index 41f85ba5c..2e31aa151 100644 --- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c +++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c @@ -54,6 +54,24 @@ const GUID FWPM_LAYER_IPFORWARD_V4 = { const GUID FWPM_LAYER_IPFORWARD_V6 = { 0x7b964818, 0x19c7, 0x493a, { 0xb7,0x1f,0x83,0x2c,0x36,0x84,0xd2,0x8c } }; +const GUID FWPM_LAYER_ALE_AUTH_CONNECT_V4 = { + 0xc38d57d1, 0x05a7, 0x4c33, { 0x90,0x4f,0x7f,0xbc,0xee,0xe6,0x0e,0x82 } +}; +const GUID FWPM_LAYER_ALE_AUTH_CONNECT_V6 = { + 0x4a72393b, 0x319f, 0x44bc, { 0x84,0xc3,0xba,0x54,0xdc,0xb3,0xb6,0xb4 } +}; +const GUID FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 = { + 0xe1cd9fe7, 0xf4b5, 0x4273, { 0x96,0xc0,0x59,0x2e,0x48,0x7b,0x86,0x50 } +}; +const GUID FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6 = { + 0xa3b42c97, 0x9f04, 0x4672, { 0xb8,0x7e,0xce,0xe9,0xc4,0x83,0x25,0x7f } +}; +const GUID FWPM_SUBLAYER_IPSEC_TUNNEL = { + 0x83f299ed, 0x9ff4, 0x4967, { 0xaf,0xf4,0xc3,0x09,0xf4,0xda,0xb8,0x27 } +}; +const GUID FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL = { + 0xa5082e73, 0x8f71, 0x4559, { 0x8a,0x9a,0x10,0x1c,0xea,0x04,0xef,0x87 } +}; const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 = { 0x5132900d, 0x5e84, 0x4b5f, { 0x80,0xe4,0x01,0x74,0x1e,0x81,0xff,0x10 } }; @@ -90,6 +108,24 @@ const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 = { const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 = { 0xdae640cc, 0xe021, 0x4bee, { 0x9e,0xb6,0xa4,0x8b,0x27,0x5c,0x8c,0x1d } }; +const GUID FWPM_CALLOUT_IPSEC_ALE_CONNECT_V4 = { + 0x6ac141fc, 0xf75d, 0x4203, { 0xb9,0xc8,0x48,0xe6,0x14,0x9c,0x27,0x12 } +}; +const GUID FWPM_CALLOUT_IPSEC_ALE_CONNECT_V6 = { + 0x4c0dda05, 0xe31f, 0x4666, { 0x90,0xb0,0xb3,0xdf,0xad,0x34,0x12,0x9a } +}; +const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V4 = { + 0x3df6e7de, 0xfd20, 0x48f2, { 0x9f,0x26,0xf8,0x54,0x44,0x4c,0xba,0x79 } +}; +const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V6 = { + 0xa1e392d3, 0x72ac, 0x47bb, { 0x87,0xa7,0x01,0x22,0xc6,0x94,0x34,0xab } +}; +const GUID FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V4 = { + 0x7dff309b, 0xba7d, 0x4aba, { 0x91,0xaa,0xae,0x5c,0x66,0x40,0xc9,0x44 } +}; +const GUID FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V6 = { + 0xa9a0d6d9, 0xc58c, 0x474e, { 0x8a,0xeb,0x3c,0xfe,0x99,0xd6,0xd5,0x3d } +}; /** * Load a function symbol from a loaded dll diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h index 50a89a007..a553a0986 100644 --- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h +++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h @@ -127,6 +127,10 @@ const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V4; const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V6; const GUID FWPM_LAYER_IPFORWARD_V4; const GUID FWPM_LAYER_IPFORWARD_V6; +const GUID FWPM_LAYER_ALE_AUTH_CONNECT_V4; +const GUID FWPM_LAYER_ALE_AUTH_CONNECT_V6; +const GUID FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; +const GUID FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; const GUID FWPM_SUBLAYER_IPSEC_TUNNEL; const GUID FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL; const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4; @@ -141,6 +145,12 @@ const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4; const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6; const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4; const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6; +const GUID FWPM_CALLOUT_IPSEC_ALE_CONNECT_V4; +const GUID FWPM_CALLOUT_IPSEC_ALE_CONNECT_V6; +const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V4; +const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V6; +const GUID FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V4; +const GUID FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V6; /* integrity config, missing in some MinGW versions */ #ifndef IPSEC_AUTH_CONFIG_HMAC_MD5_96 diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c index c788bfb10..b38ded846 100644 --- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c +++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c @@ -26,6 +26,8 @@ #include #include +#define IPPROTO_IPIP 4 +#define IPPROTO_IPV6 41 typedef struct private_kernel_wfp_ipsec_t private_kernel_wfp_ipsec_t; @@ -188,6 +190,14 @@ typedef struct { u_int64_t provider; /** WFP allocated LUID for SA context */ u_int64_t sa_id; + /** WFP allocated LUID for tunnel mode IP-IPv4 inbound filter */ + u_int64_t ip_ipv4_in; + /** WFP allocated LUID for tunnel mode IP-IPv4 outbound filter */ + u_int64_t ip_ipv4_out; + /** WFP allocated LUID for tunnel mode IP-IPv6 inbound filter */ + u_int64_t ip_ipv6_in; + /** WFP allocated LUID for tunnel mode IP-IPv6 outbound filter */ + u_int64_t ip_ipv6_out; } entry_t; /** @@ -285,6 +295,22 @@ static void cleanup_policies(private_kernel_wfp_ipsec_t *this, entry_t *entry) */ static void entry_destroy(private_kernel_wfp_ipsec_t *this, entry_t *entry) { + if (entry->ip_ipv4_in) + { + FwpmFilterDeleteById0(this->handle, entry->ip_ipv4_in); + } + if (entry->ip_ipv4_out) + { + FwpmFilterDeleteById0(this->handle, entry->ip_ipv4_out); + } + if (entry->ip_ipv6_in) + { + FwpmFilterDeleteById0(this->handle, entry->ip_ipv6_in); + } + if (entry->ip_ipv6_out) + { + FwpmFilterDeleteById0(this->handle, entry->ip_ipv6_out); + } if (entry->sa_id) { IPsecSaContextDeleteById0(this->handle, entry->sa_id); @@ -553,49 +579,58 @@ static void free_conditions(FWPM_FILTER_CONDITION0 *conds, int count) * Find the callout GUID for given parameters */ static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward, - GUID *layer, GUID *sublayer, GUID *callout) + bool ale, GUID *layer, GUID *sublayer, GUID *callout) { struct { bool tunnel; bool v6; bool inbound; bool forward; + bool ale; const GUID *layer; const GUID *sublayer; const GUID *callout; } map[] = { - { 0, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4, NULL, - &FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4 }, - { 0, 0, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4, NULL, - &FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 }, - { 0, 1, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6, NULL, - &FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6 }, - { 0, 1, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6, NULL, - &FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6 }, - { 1, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4, - &FWPM_SUBLAYER_IPSEC_TUNNEL, - &FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4 }, - { 1, 0, 0, 1, &FWPM_LAYER_IPFORWARD_V4, - &FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL, - &FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 }, - { 1, 0, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4, - &FWPM_SUBLAYER_IPSEC_TUNNEL, - &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4 }, - { 1, 0, 1, 1, &FWPM_LAYER_IPFORWARD_V4, - &FWPM_SUBLAYER_IPSEC_TUNNEL, - &FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4 }, - { 1, 1, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6, - &FWPM_SUBLAYER_IPSEC_TUNNEL, - &FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 }, - { 1, 1, 0, 1, &FWPM_LAYER_IPFORWARD_V6, - &FWPM_SUBLAYER_IPSEC_TUNNEL, - &FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 }, - { 1, 1, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6, - &FWPM_SUBLAYER_IPSEC_TUNNEL, - &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6 }, - { 1, 1, 1, 1, &FWPM_LAYER_IPFORWARD_V6, - &FWPM_SUBLAYER_IPSEC_TUNNEL, - &FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6 }, + { 0, 0, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4, NULL, + &FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4 }, + { 0, 0, 1, 0, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4, NULL, + &FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 }, + { 0, 1, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6, NULL, + &FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6 }, + { 0, 1, 1, 0, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6, NULL, + &FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6 }, + { 1, 0, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4, + &FWPM_SUBLAYER_IPSEC_TUNNEL, + &FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4 }, + { 1, 0, 0, 1, 0, &FWPM_LAYER_IPFORWARD_V4, + &FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL, + &FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 }, + { 1, 0, 1, 0, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4, + &FWPM_SUBLAYER_IPSEC_TUNNEL, + &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4 }, + { 1, 0, 1, 1, 0, &FWPM_LAYER_IPFORWARD_V4, + &FWPM_SUBLAYER_IPSEC_TUNNEL, + &FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4 }, + { 1, 0, 0, 0, 1, &FWPM_LAYER_ALE_AUTH_CONNECT_V4, NULL, + &FWPM_CALLOUT_IPSEC_ALE_CONNECT_V4 }, + { 1, 0, 1, 0, 1, &FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4, NULL, + &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V4}, + { 1, 1, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6, + &FWPM_SUBLAYER_IPSEC_TUNNEL, + &FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 }, + { 1, 1, 0, 1, 0, &FWPM_LAYER_IPFORWARD_V6, + &FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL, + &FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 }, + { 1, 1, 1, 0, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6, + &FWPM_SUBLAYER_IPSEC_TUNNEL, + &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6 }, + { 1, 1, 1, 1, 0, &FWPM_LAYER_IPFORWARD_V6, + &FWPM_SUBLAYER_IPSEC_TUNNEL, + &FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6 }, + { 1, 1, 0, 0, 1, &FWPM_LAYER_ALE_AUTH_CONNECT_V6, NULL, + &FWPM_CALLOUT_IPSEC_ALE_CONNECT_V6 }, + { 1, 1, 1, 0, 1, &FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, NULL, + &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V6}, }; int i; @@ -604,7 +639,8 @@ static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward, if (tunnel == map[i].tunnel && v6 == map[i].v6 && inbound == map[i].inbound && - forward == map[i].forward) + forward == map[i].forward && + ale == map[i].ale) { *callout = *map[i].callout; *layer = *map[i].layer; @@ -647,7 +683,7 @@ static bool install_sp(private_kernel_wfp_ipsec_t *this, sp_entry_t *sp, } v6 = sp->src->get_type(sp->src) == TS_IPV6_ADDR_RANGE; - if (!find_callout(context != NULL, v6, inbound, fwd, + if (!find_callout(context != NULL, v6, inbound, fwd, FALSE, &filter.layerKey, &filter.subLayerKey, &filter.action.calloutKey)) { @@ -688,8 +724,73 @@ static bool install_sp(private_kernel_wfp_ipsec_t *this, sp_entry_t *sp, free_conditions(conds, count); if (res != ERROR_SUCCESS) { - DBG1(DBG_KNL, "installing %s%sbound WFP filter failed: 0x%08x", - fwd ? "forward " : "", inbound ? "in" : "out", res); + DBG1(DBG_KNL, "installing IPv%d %s%sbound %s WFP filter failed: 0x%08x", + v6 ? 6 : 4, fwd ? "forward " : "", inbound ? "in" : "out", + context ? "tunnel" : "transport", res); + return FALSE; + } + return TRUE; +} + +/** + * Install an IP-IP allow filter for SA specific hosts + */ +static bool install_ipip_ale(private_kernel_wfp_ipsec_t *this, + host_t *local, host_t *remote, GUID *context, + bool inbound, int proto, u_int64_t *filter_id) +{ + traffic_selector_t *lts, *rts; + FWPM_FILTER_CONDITION0 *conds = NULL; + int count = 0; + bool v6; + DWORD res; + FWPM_FILTER0 filter = { + .displayData = { + .name = L"charon IPsec IP-in-IP ALE policy", + }, + .action = { + .type = FWP_ACTION_CALLOUT_TERMINATING, + }, + }; + + if (context) + { + filter.flags |= FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT; + filter.providerKey = (GUID*)&this->provider.providerKey; + filter.providerContextKey = *context; + } + + v6 = local->get_family(local) == AF_INET6; + if (!find_callout(TRUE, v6, inbound, FALSE, TRUE, &filter.layerKey, + &filter.subLayerKey, &filter.action.calloutKey)) + { + return FALSE; + } + + lts = traffic_selector_create_from_subnet(local->clone(local), + v6 ? 128 : 32 , proto, 0, 65535); + rts = traffic_selector_create_from_subnet(remote->clone(remote), + v6 ? 128 : 32 , proto, 0, 65535); + if (!ts2condition(lts, &FWPM_CONDITION_IP_LOCAL_ADDRESS, &conds, &count) || + !ts2condition(rts, &FWPM_CONDITION_IP_REMOTE_ADDRESS, &conds, &count)) + { + free_conditions(conds, count); + lts->destroy(lts); + rts->destroy(rts); + return FALSE; + } + lts->destroy(lts); + rts->destroy(rts); + + filter.numFilterConditions = count; + filter.filterCondition = conds; + + res = FwpmFilterAdd0(this->handle, &filter, NULL, filter_id); + free_conditions(conds, count); + if (res != ERROR_SUCCESS) + { + DBG1(DBG_KNL, "installing IP-IPv%d %s ALE WFP filter failed: 0x%08x", + v6 ? 6 : 4, inbound ? "inbound" : "outbound", res); return FALSE; } return TRUE; @@ -703,10 +804,21 @@ static bool install_sps(private_kernel_wfp_ipsec_t *this, { enumerator_t *enumerator; sp_entry_t *sp; + bool has_v4 = FALSE, has_v6 = FALSE; enumerator = array_create_enumerator(entry->sps); while (enumerator->enumerate(enumerator, &sp)) { + switch (sp->src->get_type(sp->src)) + { + case TS_IPV4_ADDR_RANGE: + has_v4 = TRUE; + break; + case TS_IPV6_ADDR_RANGE: + has_v6 = TRUE; + break; + } + /* inbound policy */ if (!install_sp(this, sp, context, TRUE, FALSE, &sp->policy_in)) { @@ -719,21 +831,22 @@ static bool install_sps(private_kernel_wfp_ipsec_t *this, enumerator->destroy(enumerator); return FALSE; } + if (context) { if (!sp->src->is_host(sp->src, entry->local) || !sp->dst->is_host(sp->dst, entry->remote)) { /* inbound forward policy, from decapsulation */ - if (!install_sp(this, sp, context, - TRUE, TRUE, &sp->policy_fwd_in)) + if (!install_sp(this, sp, context, TRUE, TRUE, + &sp->policy_fwd_in)) { enumerator->destroy(enumerator); return FALSE; } /* outbound forward policy, to encapsulate */ - if (!install_sp(this, sp, context, - FALSE, TRUE, &sp->policy_fwd_out)) + if (!install_sp(this, sp, context, FALSE, TRUE, + &sp->policy_fwd_out)) { enumerator->destroy(enumerator); return FALSE; @@ -743,6 +856,38 @@ static bool install_sps(private_kernel_wfp_ipsec_t *this, } enumerator->destroy(enumerator); + if (context) + { + /* In tunnel mode, Windows does firewall filtering on decrypted but + * non-unwrapped packets: It sees them as IP-in-IP packets. When using + * a default-drop policy, we need to allow such packets explicitly. */ + if (has_v4) + { + if (!install_ipip_ale(this, entry->local, entry->remote, context, + TRUE, IPPROTO_IPIP, &entry->ip_ipv4_in)) + { + return FALSE; + } + if (!install_ipip_ale(this, entry->local, entry->remote, NULL, + FALSE, IPPROTO_IPIP, &entry->ip_ipv4_out)) + { + return FALSE; + } + } + if (has_v6) + { + if (!install_ipip_ale(this, entry->local, entry->remote, context, + TRUE, IPPROTO_IPV6, &entry->ip_ipv6_in)) + { + return FALSE; + } + if (!install_ipip_ale(this, entry->local, entry->remote, NULL, + FALSE, IPPROTO_IPV6, &entry->ip_ipv6_out)) + { + return FALSE; + } + } + } return TRUE; } @@ -1583,8 +1728,20 @@ static void WINAPI event_callback(void *user, const FWPM_NET_EVENT1 *event) acquire(this, event->classifyDrop->filterId, local, remote); break; case FWPM_NET_EVENT_TYPE_IKEEXT_MM_FAILURE: + DBG1(DBG_KNL, "WFP MM failure: %R === %R, 0x%08x, filterId %llu", + local, remote, event->ikeMmFailure->failureErrorCode, + event->ikeMmFailure->mmFilterId); + break; case FWPM_NET_EVENT_TYPE_IKEEXT_QM_FAILURE: + DBG1(DBG_KNL, "WFP QM failure: %R === %R, 0x%08x, filterId %llu", + local, remote, event->ikeQmFailure->failureErrorCode, + event->ikeQmFailure->qmFilterId); + break; case FWPM_NET_EVENT_TYPE_IKEEXT_EM_FAILURE: + DBG1(DBG_KNL, "WFP EM failure: %R === %R, 0x%08x, filterId %llu", + local, remote, event->ikeEmFailure->failureErrorCode, + event->ikeEmFailure->qmFilterId); + break; case FWPM_NET_EVENT_TYPE_IPSEC_KERNEL_DROP: DBG1(DBG_KNL, "IPsec kernel drop: %R === %R, error 0x%08x, " "SPI 0x%08x, %s filterId %llu", local, remote, @@ -1824,7 +1981,7 @@ static u_int permute(u_int x, u_int p) METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t *spi) { /* To avoid sequencial SPIs, we use a one-to-one permuation function on * an incrementing counter, that is a full period PRNG for the range we @@ -1841,7 +1998,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t, METHOD(kernel_ipsec_t, get_cpi, status_t, private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t reqid, u_int16_t *cpi) + u_int16_t *cpi) { return NOT_SUPPORTED; } @@ -1875,9 +2032,8 @@ static void expire_data_destroy(expire_data_t *data) static job_requeue_t expire_job(expire_data_t *data) { private_kernel_wfp_ipsec_t *this = data->this; - u_int32_t reqid = 0; u_int8_t protocol; - entry_t *entry; + entry_t *entry = NULL; sa_entry_t key = { .spi = data->spi, .dst = data->dst, @@ -1891,7 +2047,6 @@ static job_requeue_t expire_job(expire_data_t *data) if (entry) { protocol = entry->isa.protocol; - reqid = entry->reqid; if (entry->osa.dst) { key.dst = entry->osa.dst; @@ -1908,15 +2063,14 @@ static job_requeue_t expire_job(expire_data_t *data) if (entry) { protocol = entry->isa.protocol; - reqid = entry->reqid; } this->mutex->unlock(this->mutex); } - if (reqid) + if (entry) { - hydra->kernel_interface->expire(hydra->kernel_interface, - reqid, protocol, data->spi, data->hard); + hydra->kernel_interface->expire(hydra->kernel_interface, protocol, + data->spi, data->dst, data->hard); } return JOB_REQUEUE_NONE; @@ -1949,8 +2103,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts) + bool initiator, bool encap, bool esn, bool inbound, bool update, + linked_list_t *src_ts, linked_list_t *dst_ts) { host_t *local, *remote; entry_t *entry; diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in index db4552dde..7942868f6 100644 --- a/src/libcharon/plugins/led/Makefile.in +++ b/src/libcharon/plugins/led/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in index 418dccba5..52dbec53f 100644 --- a/src/libcharon/plugins/load_tester/Makefile.in +++ b/src/libcharon/plugins/load_tester/Makefile.in @@ -239,6 +239,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -299,10 +300,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -376,6 +379,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c index bc7c0ffbc..8a500635c 100644 --- a/src/libcharon/plugins/load_tester/load_tester_config.c +++ b/src/libcharon/plugins/load_tester/load_tester_config.c @@ -394,6 +394,28 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str, } } } + else if (strpfx(str, "xauth")) + { /* XAuth, use a username */ + class = AUTH_CLASS_XAUTH; + if (*(str + strlen("xauth")) == '-') + { + auth->add(auth, AUTH_RULE_XAUTH_BACKEND, str + strlen("xauth-")); + } + if (!id) + { + if (local && num) + { + snprintf(buf, sizeof(buf), "cli-%.6d-%.2d", num, rnd); + id = identification_create_from_string(buf); + } + else + { + id = identification_create_from_encoding(ID_ANY, chunk_empty); + } + } + /* additionally set the ID as XAuth identity */ + auth->add(auth, AUTH_RULE_XAUTH_IDENTITY, id->clone(id)); + } else { if (!streq(str, "pubkey")) @@ -618,7 +640,7 @@ static host_t *allocate_addr(private_load_tester_config_t *this, uint num) enumerator = this->pools->create_enumerator(this->pools); while (enumerator->enumerate(enumerator, &pool)) { - found = pool->acquire_address(pool, id, requested, MEM_POOL_NEW); + found = pool->acquire_address(pool, id, requested, MEM_POOL_NEW, NULL); if (found) { iface = (char*)pool->get_name(pool); diff --git a/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c b/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c index d5ec3599b..e1c7c0e0b 100644 --- a/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c +++ b/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c @@ -15,33 +15,38 @@ #include "load_tester_diffie_hellman.h" -/** - * Implementation of gmp_diffie_hellman_t.get_my_public_value. - */ -static void get_my_public_value(load_tester_diffie_hellman_t *this, - chunk_t *value) +METHOD(diffie_hellman_t, get_my_public_value, bool, + load_tester_diffie_hellman_t *this, chunk_t *value) { *value = chunk_empty; + return TRUE; } -/** - * Implementation of gmp_diffie_hellman_t.get_shared_secret. - */ -static status_t get_shared_secret(load_tester_diffie_hellman_t *this, - chunk_t *secret) +METHOD(diffie_hellman_t, set_other_public_value, bool, + load_tester_diffie_hellman_t *this, chunk_t value) +{ + return TRUE; +} + +METHOD(diffie_hellman_t, get_shared_secret, bool, + load_tester_diffie_hellman_t *this, chunk_t *secret) { *secret = chunk_empty; - return SUCCESS; + return TRUE; } -/** - * Implementation of gmp_diffie_hellman_t.get_dh_group. - */ -static diffie_hellman_group_t get_dh_group(load_tester_diffie_hellman_t *this) +METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, + load_tester_diffie_hellman_t *this) { return MODP_NULL; } +METHOD(diffie_hellman_t, destroy, void, + load_tester_diffie_hellman_t *this) +{ + free(this); +} + /** * See header */ @@ -55,13 +60,15 @@ load_tester_diffie_hellman_t *load_tester_diffie_hellman_create( return NULL; } - this = malloc_thing(load_tester_diffie_hellman_t); - - this->dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *))get_shared_secret; - this->dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t ))nop; - this->dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *))get_my_public_value; - this->dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *))get_dh_group; - this->dh.destroy = (void (*)(diffie_hellman_t *))free; + INIT(this, + .dh = { + .get_shared_secret = _get_shared_secret, + .set_other_public_value = _set_other_public_value, + .get_my_public_value = _get_my_public_value, + .get_dh_group = _get_dh_group, + .destroy = _destroy, + } + ); return this; } diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c index 3f256ddd0..62d43e302 100644 --- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c +++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c @@ -36,7 +36,7 @@ struct private_load_tester_ipsec_t { METHOD(kernel_ipsec_t, get_spi, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t *spi) { *spi = (uint32_t)ref_get(&this->spi); return SUCCESS; @@ -44,7 +44,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t, METHOD(kernel_ipsec_t, get_cpi, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t reqid, u_int16_t *cpi) + u_int16_t *cpi) { return FAILED; } @@ -55,8 +55,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts) + bool initiator, bool encap, bool esn, bool inbound, bool update, + linked_list_t *src_ts, linked_list_t *dst_ts) { return SUCCESS; } diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in index f0f2c75f4..264c58ff5 100644 --- a/src/libcharon/plugins/lookip/Makefile.in +++ b/src/libcharon/plugins/lookip/Makefile.in @@ -235,6 +235,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -295,10 +296,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -372,6 +375,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in index 3a866e968..76c9012b2 100644 --- a/src/libcharon/plugins/maemo/Makefile.in +++ b/src/libcharon/plugins/maemo/Makefile.in @@ -231,6 +231,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in index e0f70ce44..35740c369 100644 --- a/src/libcharon/plugins/medcli/Makefile.in +++ b/src/libcharon/plugins/medcli/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in index adb61e817..8fe160ef3 100644 --- a/src/libcharon/plugins/medsrv/Makefile.in +++ b/src/libcharon/plugins/medsrv/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in index a0c21c442..9a5e438e1 100644 --- a/src/libcharon/plugins/osx_attr/Makefile.in +++ b/src/libcharon/plugins/osx_attr/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/osx_attr/osx_attr_handler.c b/src/libcharon/plugins/osx_attr/osx_attr_handler.c index 9a3b2701d..d974b57ce 100644 --- a/src/libcharon/plugins/osx_attr/osx_attr_handler.c +++ b/src/libcharon/plugins/osx_attr/osx_attr_handler.c @@ -169,7 +169,7 @@ static bool manage_dns(int family, chunk_t data, bool add) } METHOD(attribute_handler_t, handle, bool, - private_osx_attr_handler_t *this, identification_t *id, + private_osx_attr_handler_t *this, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data) { switch (type) @@ -182,7 +182,7 @@ METHOD(attribute_handler_t, handle, bool, } METHOD(attribute_handler_t, release, void, - private_osx_attr_handler_t *this, identification_t *server, + private_osx_attr_handler_t *this, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data) { switch (type) @@ -206,7 +206,7 @@ METHOD(enumerator_t, enumerate_dns, bool, } METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *, - private_osx_attr_handler_t *this, identification_t *id, + private_osx_attr_handler_t *this, ike_sa_t *ike_sa, linked_list_t *vips) { enumerator_t *enumerator; diff --git a/src/libcharon/plugins/osx_attr/osx_attr_plugin.c b/src/libcharon/plugins/osx_attr/osx_attr_plugin.c index 380483c23..4be9eda5e 100644 --- a/src/libcharon/plugins/osx_attr/osx_attr_plugin.c +++ b/src/libcharon/plugins/osx_attr/osx_attr_plugin.c @@ -16,7 +16,6 @@ #include "osx_attr_plugin.h" #include "osx_attr_handler.h" -#include #include typedef struct private_osx_attr_plugin_t private_osx_attr_plugin_t; @@ -51,13 +50,13 @@ static bool plugin_cb(private_osx_attr_plugin_t *this, { if (reg) { - hydra->attributes->add_handler(hydra->attributes, - &this->handler->handler); + charon->attributes->add_handler(charon->attributes, + &this->handler->handler); } else { - hydra->attributes->remove_handler(hydra->attributes, - &this->handler->handler); + charon->attributes->remove_handler(charon->attributes, + &this->handler->handler); } return TRUE; } diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in index 14abba99a..baff3fc76 100644 --- a/src/libcharon/plugins/radattr/Makefile.in +++ b/src/libcharon/plugins/radattr/Makefile.in @@ -230,6 +230,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/resolve/Makefile.am b/src/libcharon/plugins/resolve/Makefile.am new file mode 100644 index 000000000..9cfc370c0 --- /dev/null +++ b/src/libcharon/plugins/resolve/Makefile.am @@ -0,0 +1,20 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon \ + -DRESOLV_CONF=\"${resolv_conf}\" + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-resolve.la +else +plugin_LTLIBRARIES = libstrongswan-resolve.la +endif + +libstrongswan_resolve_la_SOURCES = \ + resolve_plugin.h resolve_plugin.c \ + resolve_handler.h resolve_handler.c + +libstrongswan_resolve_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in new file mode 100644 index 000000000..91479bf52 --- /dev/null +++ b/src/libcharon/plugins/resolve/Makefile.in @@ -0,0 +1,781 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/resolve +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_resolve_la_LIBADD = +am_libstrongswan_resolve_la_OBJECTS = resolve_plugin.lo \ + resolve_handler.lo +libstrongswan_resolve_la_OBJECTS = \ + $(am_libstrongswan_resolve_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libstrongswan_resolve_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_resolve_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_resolve_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_resolve_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libstrongswan_resolve_la_SOURCES) +DIST_SOURCES = $(libstrongswan_resolve_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon \ + -DRESOLV_CONF=\"${resolv_conf}\" + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-resolve.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-resolve.la +libstrongswan_resolve_la_SOURCES = \ + resolve_plugin.h resolve_plugin.c \ + resolve_handler.h resolve_handler.c + +libstrongswan_resolve_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) $(EXTRA_libstrongswan_resolve_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_resolve_la_LINK) $(am_libstrongswan_resolve_la_rpath) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_handler.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/resolve/resolve_handler.c b/src/libcharon/plugins/resolve/resolve_handler.c new file mode 100644 index 000000000..74c3960ff --- /dev/null +++ b/src/libcharon/plugins/resolve/resolve_handler.c @@ -0,0 +1,380 @@ +/* + * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "resolve_handler.h" + +#include +#include +#include + +#include +#include +#include + +/* path to resolvconf executable */ +#define RESOLVCONF_EXEC "/sbin/resolvconf" + +/* default prefix used for resolvconf interfaces (should have high prio) */ +#define RESOLVCONF_PREFIX "lo.inet.ipsec." + +typedef struct private_resolve_handler_t private_resolve_handler_t; + +/** + * Private data of an resolve_handler_t object. + */ +struct private_resolve_handler_t { + + /** + * Public resolve_handler_t interface. + */ + resolve_handler_t public; + + /** + * resolv.conf file to use + */ + char *file; + + /** + * use resolvconf instead of writing directly to resolv.conf + */ + bool use_resolvconf; + + /** + * prefix to be used for interface names sent to resolvconf + */ + char *iface_prefix; + + /** + * Mutex to access file exclusively + */ + mutex_t *mutex; +}; + +/** + * Writes the given nameserver to resolv.conf + */ +static bool write_nameserver(private_resolve_handler_t *this, + identification_t *server, host_t *addr) +{ + FILE *in, *out; + char buf[1024]; + size_t len; + bool handled = FALSE; + + in = fopen(this->file, "r"); + /* allows us to stream from in to out */ + unlink(this->file); + out = fopen(this->file, "w"); + if (out) + { + fprintf(out, "nameserver %H # by strongSwan, from %Y\n", addr, + server); + DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file); + handled = TRUE; + + /* copy rest of the file */ + if (in) + { + while ((len = fread(buf, 1, sizeof(buf), in))) + { + ignore_result(fwrite(buf, 1, len, out)); + } + } + fclose(out); + } + if (in) + { + fclose(in); + } + return handled; +} + +/** + * Removes the given nameserver from resolv.conf + */ +static void remove_nameserver(private_resolve_handler_t *this, + identification_t *server, host_t *addr) +{ + FILE *in, *out; + char line[1024], matcher[512]; + + in = fopen(this->file, "r"); + if (in) + { + /* allows us to stream from in to out */ + unlink(this->file); + out = fopen(this->file, "w"); + if (out) + { + snprintf(matcher, sizeof(matcher), + "nameserver %H # by strongSwan, from %Y\n", + addr, server); + + /* copy all, but matching line */ + while (fgets(line, sizeof(line), in)) + { + if (strpfx(line, matcher)) + { + DBG1(DBG_IKE, "removing DNS server %H from %s", + addr, this->file); + } + else + { + fputs(line, out); + } + } + fclose(out); + } + fclose(in); + } +} + +/** + * Add or remove the given nameserver by invoking resolvconf. + */ +static bool invoke_resolvconf(private_resolve_handler_t *this, + identification_t *server, host_t *addr, + bool install) +{ + char cmd[128]; + bool success = TRUE; + + /* we use the nameserver's IP address as part of the interface name to + * make them unique */ + if (snprintf(cmd, sizeof(cmd), "%s %s %s%H", RESOLVCONF_EXEC, + install ? "-a" : "-d", this->iface_prefix, addr) >= sizeof(cmd)) + { + return FALSE; + } + + if (install) + { + FILE *out; + + out = popen(cmd, "w"); + if (!out) + { + return FALSE; + } + DBG1(DBG_IKE, "installing DNS server %H via resolvconf", addr); + fprintf(out, "nameserver %H\n", addr); + success = !ferror(out); + if (pclose(out)) + { + return FALSE; + } + } + else + { + ignore_result(system(cmd)); + } + return success; +} + +METHOD(attribute_handler_t, handle, bool, + private_resolve_handler_t *this, ike_sa_t *ike_sa, + configuration_attribute_type_t type, chunk_t data) +{ + identification_t *server; + host_t *addr; + bool handled; + + switch (type) + { + case INTERNAL_IP4_DNS: + addr = host_create_from_chunk(AF_INET, data, 0); + break; + case INTERNAL_IP6_DNS: + addr = host_create_from_chunk(AF_INET6, data, 0); + break; + default: + return FALSE; + } + + if (!addr || addr->is_anyaddr(addr)) + { + DESTROY_IF(addr); + return FALSE; + } + server = ike_sa->get_other_id(ike_sa); + + this->mutex->lock(this->mutex); + if (this->use_resolvconf) + { + handled = invoke_resolvconf(this, server, addr, TRUE); + } + else + { + handled = write_nameserver(this, server, addr); + } + this->mutex->unlock(this->mutex); + addr->destroy(addr); + + if (!handled) + { + DBG1(DBG_IKE, "adding DNS server failed"); + } + return handled; +} + +METHOD(attribute_handler_t, release, void, + private_resolve_handler_t *this, ike_sa_t *ike_sa, + configuration_attribute_type_t type, chunk_t data) +{ + identification_t *server; + host_t *addr; + int family; + + switch (type) + { + case INTERNAL_IP4_DNS: + family = AF_INET; + break; + case INTERNAL_IP6_DNS: + family = AF_INET6; + break; + default: + return; + } + addr = host_create_from_chunk(family, data, 0); + server = ike_sa->get_other_id(ike_sa); + + this->mutex->lock(this->mutex); + if (this->use_resolvconf) + { + invoke_resolvconf(this, server, addr, FALSE); + } + else + { + remove_nameserver(this, server, addr); + } + this->mutex->unlock(this->mutex); + + addr->destroy(addr); +} + +/** + * Attribute enumerator implementation + */ +typedef struct { + /** implements enumerator_t interface */ + enumerator_t public; + /** request IPv4 DNS? */ + bool v4; + /** request IPv6 DNS? */ + bool v6; +} attribute_enumerator_t; + +static bool attribute_enumerate(attribute_enumerator_t *this, + configuration_attribute_type_t *type, + chunk_t *data) +{ + if (this->v4) + { + *type = INTERNAL_IP4_DNS; + *data = chunk_empty; + this->v4 = FALSE; + return TRUE; + } + if (this->v6) + { + *type = INTERNAL_IP6_DNS; + *data = chunk_empty; + this->v6 = FALSE; + return TRUE; + } + return FALSE; +} + +/** + * Check if a list has a host of given family + */ +static bool has_host_family(linked_list_t *list, int family) +{ + enumerator_t *enumerator; + host_t *host; + bool found = FALSE; + + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &host)) + { + if (host->get_family(host) == family) + { + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + + return found; +} + +METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*, + private_resolve_handler_t *this, ike_sa_t *ike_sa, + linked_list_t *vips) +{ + attribute_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = (void*)attribute_enumerate, + .destroy = (void*)free, + }, + .v4 = has_host_family(vips, AF_INET), + .v6 = has_host_family(vips, AF_INET6), + ); + return &enumerator->public; +} + +METHOD(resolve_handler_t, destroy, void, + private_resolve_handler_t *this) +{ + this->mutex->destroy(this->mutex); + free(this); +} + +/** + * See header + */ +resolve_handler_t *resolve_handler_create() +{ + private_resolve_handler_t *this; + struct stat st; + + INIT(this, + .public = { + .handler = { + .handle = _handle, + .release = _release, + .create_attribute_enumerator = _create_attribute_enumerator, + }, + .destroy = _destroy, + }, + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .file = lib->settings->get_str(lib->settings, "%s.plugins.resolve.file", + RESOLV_CONF, lib->ns), + ); + + if (stat(RESOLVCONF_EXEC, &st) == 0) + { + this->use_resolvconf = TRUE; + this->iface_prefix = lib->settings->get_str(lib->settings, + "%s.plugins.resolve.resolvconf.iface_prefix", + RESOLVCONF_PREFIX, lib->ns); + } + + return &this->public; +} diff --git a/src/libcharon/plugins/resolve/resolve_handler.h b/src/libcharon/plugins/resolve/resolve_handler.h new file mode 100644 index 000000000..77bf9781c --- /dev/null +++ b/src/libcharon/plugins/resolve/resolve_handler.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup resolve_handler resolve_handler + * @{ @ingroup resolve + */ + +#ifndef RESOLVE_HANDLER_H_ +#define RESOLVE_HANDLER_H_ + +#include + +typedef struct resolve_handler_t resolve_handler_t; + +/** + * Handle DNS configuration attributes by mangling a resolv.conf file. + */ +struct resolve_handler_t { + + /** + * Implements the attribute_handler_t interface + */ + attribute_handler_t handler; + + /** + * Destroy a resolve_handler_t. + */ + void (*destroy)(resolve_handler_t *this); +}; + +/** + * Create a resolve_handler instance. + */ +resolve_handler_t *resolve_handler_create(); + +#endif /** RESOLVE_HANDLER_H_ @}*/ diff --git a/src/libcharon/plugins/resolve/resolve_plugin.c b/src/libcharon/plugins/resolve/resolve_plugin.c new file mode 100644 index 000000000..193c5b602 --- /dev/null +++ b/src/libcharon/plugins/resolve/resolve_plugin.c @@ -0,0 +1,101 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "resolve_plugin.h" +#include "resolve_handler.h" + +#include + +typedef struct private_resolve_plugin_t private_resolve_plugin_t; + +/** + * private data of resolve plugin + */ +struct private_resolve_plugin_t { + + /** + * implements plugin interface + */ + resolve_plugin_t public; + + /** + * The registered DNS attribute handler + */ + resolve_handler_t *handler; +}; + +METHOD(plugin_t, get_name, char*, + private_resolve_plugin_t *this) +{ + return "resolve"; +} + +/** + * Register handler + */ +static bool plugin_cb(private_resolve_plugin_t *this, + plugin_feature_t *feature, bool reg, void *cb_data) +{ + if (reg) + { + charon->attributes->add_handler(charon->attributes, + &this->handler->handler); + } + else + { + charon->attributes->remove_handler(charon->attributes, + &this->handler->handler); + } + return TRUE; +} + +METHOD(plugin_t, get_features, int, + private_resolve_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL), + PLUGIN_PROVIDE(CUSTOM, "resolve"), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_resolve_plugin_t *this) +{ + this->handler->destroy(this->handler); + free(this); +} + +/* + * see header file + */ +plugin_t *resolve_plugin_create() +{ + private_resolve_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + }, + .handler = resolve_handler_create(), + ); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/resolve/resolve_plugin.h b/src/libcharon/plugins/resolve/resolve_plugin.h new file mode 100644 index 000000000..0148b10d7 --- /dev/null +++ b/src/libcharon/plugins/resolve/resolve_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup resolve resolve + * @ingroup cplugins + * + * @defgroup resolve_plugin resolve_plugin + * @{ @ingroup resolve + */ + +#ifndef RESOLVE_PLUGIN_H_ +#define RESOLVE_PLUGIN_H_ + +#include + +typedef struct resolve_plugin_t resolve_plugin_t; + +/** + * Plugin that writes received DNS servers in a resolv.conf file. + */ +struct resolve_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** RESOLVE_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index 7c5b030f4..572e7fc2f 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index 548524a38..25b40995b 100644 --- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c index 9cc39955b..dbfddbb81 100644 --- a/src/libcharon/plugins/socket_default/socket_default_socket.c +++ b/src/libcharon/plugins/socket_default/socket_default_socket.c @@ -141,6 +141,11 @@ struct private_socket_default_socket_t { * TRUE if the source address should be set on outbound packets */ bool set_source; + + /** + * A counter to implement round-robin selection of read sockets + */ + u_int rr_counter; }; METHOD(socket_t, receiver, status_t, @@ -150,66 +155,43 @@ METHOD(socket_t, receiver, status_t, chunk_t data; packet_t *pkt; host_t *source = NULL, *dest = NULL; - int bytes_read = 0; + int i, rr, index, bytes_read = 0, selected = -1; bool oldstate; - - fd_set rfds; - int max_fd = 0, selected = 0; u_int16_t port = 0; - - FD_ZERO(&rfds); - - if (this->ipv4 != -1) - { - FD_SET(this->ipv4, &rfds); - max_fd = max(max_fd, this->ipv4); - } - if (this->ipv4_natt != -1) - { - FD_SET(this->ipv4_natt, &rfds); - max_fd = max(max_fd, this->ipv4_natt); - } - if (this->ipv6 != -1) - { - FD_SET(this->ipv6, &rfds); - max_fd = max(max_fd, this->ipv6); - } - if (this->ipv6_natt != -1) - { - FD_SET(this->ipv6_natt, &rfds); - max_fd = max(max_fd, this->ipv6_natt); - } + struct pollfd pfd[] = { + { .fd = this->ipv4, .events = POLLIN }, + { .fd = this->ipv4_natt, .events = POLLIN }, + { .fd = this->ipv6, .events = POLLIN }, + { .fd = this->ipv6_natt, .events = POLLIN }, + }; + int ports[] = { + /* port numbers associated to pollfds */ + this->port, this->natt, this->port, this->natt, + }; DBG2(DBG_NET, "waiting for data on sockets"); oldstate = thread_cancelability(TRUE); - if (select(max_fd + 1, &rfds, NULL, NULL, NULL) <= 0) + if (poll(pfd, countof(pfd), -1) <= 0) { thread_cancelability(oldstate); return FAILED; } thread_cancelability(oldstate); - if (this->ipv4 != -1 && FD_ISSET(this->ipv4, &rfds)) + rr = this->rr_counter++; + for (i = 0; i < countof(pfd); i++) { - port = this->port; - selected = this->ipv4; - } - if (this->ipv4_natt != -1 && FD_ISSET(this->ipv4_natt, &rfds)) - { - port = this->natt; - selected = this->ipv4_natt; - } - if (this->ipv6 != -1 && FD_ISSET(this->ipv6, &rfds)) - { - port = this->port; - selected = this->ipv6; - } - if (this->ipv6_natt != -1 && FD_ISSET(this->ipv6_natt, &rfds)) - { - port = this->natt; - selected = this->ipv6_natt; + /* To serve all ports with equal priority, we use a round-robin + * scheme to choose the one to process in this invocation */ + index = (rr + i) % countof(pfd); + if (pfd[index].revents & POLLIN) + { + selected = pfd[index].fd; + port = ports[index]; + break; + } } - if (selected) + if (selected != -1) { struct msghdr msg; struct cmsghdr *cmsgptr; diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index 892549c6c..5c010a59a 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/socket_win/Makefile.in b/src/libcharon/plugins/socket_win/Makefile.in index 88b2ac3f0..0c3bf31b9 100644 --- a/src/libcharon/plugins/socket_win/Makefile.in +++ b/src/libcharon/plugins/socket_win/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index 3c132457b..f74257af2 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index d4680186a..a316f5c25 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in @@ -231,6 +231,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/stroke/stroke_attribute.c b/src/libcharon/plugins/stroke/stroke_attribute.c index 0f3c38986..cd1b4d093 100644 --- a/src/libcharon/plugins/stroke/stroke_attribute.c +++ b/src/libcharon/plugins/stroke/stroke_attribute.c @@ -94,7 +94,7 @@ static mem_pool_t *find_pool(private_stroke_attribute_t *this, char *name) */ static host_t *find_addr(private_stroke_attribute_t *this, linked_list_t *pools, identification_t *id, host_t *requested, - mem_pool_op_t operation) + mem_pool_op_t operation, host_t *peer) { host_t *addr = NULL; enumerator_t *enumerator; @@ -107,7 +107,7 @@ static host_t *find_addr(private_stroke_attribute_t *this, linked_list_t *pools, pool = find_pool(this, name); if (pool) { - addr = pool->acquire_address(pool, id, requested, operation); + addr = pool->acquire_address(pool, id, requested, operation, peer); if (addr) { break; @@ -120,20 +120,24 @@ static host_t *find_addr(private_stroke_attribute_t *this, linked_list_t *pools, } METHOD(attribute_provider_t, acquire_address, host_t*, - private_stroke_attribute_t *this, linked_list_t *pools, identification_t *id, + private_stroke_attribute_t *this, linked_list_t *pools, ike_sa_t *ike_sa, host_t *requested) { - host_t *addr; + identification_t *id; + host_t *addr, *peer; + + id = ike_sa->get_other_eap_id(ike_sa); + peer = ike_sa->get_other_host(ike_sa); this->lock->read_lock(this->lock); - addr = find_addr(this, pools, id, requested, MEM_POOL_EXISTING); + addr = find_addr(this, pools, id, requested, MEM_POOL_EXISTING, peer); if (!addr) { - addr = find_addr(this, pools, id, requested, MEM_POOL_NEW); + addr = find_addr(this, pools, id, requested, MEM_POOL_NEW, peer); if (!addr) { - addr = find_addr(this, pools, id, requested, MEM_POOL_REASSIGN); + addr = find_addr(this, pools, id, requested, MEM_POOL_REASSIGN, peer); } } @@ -144,13 +148,16 @@ METHOD(attribute_provider_t, acquire_address, host_t*, METHOD(attribute_provider_t, release_address, bool, private_stroke_attribute_t *this, linked_list_t *pools, host_t *address, - identification_t *id) + ike_sa_t *ike_sa) { enumerator_t *enumerator; + identification_t *id; mem_pool_t *pool; bool found = FALSE; char *name; + id = ike_sa->get_other_eap_id(ike_sa); + enumerator = pools->create_enumerator(pools); this->lock->read_lock(this->lock); while (enumerator->enumerate(enumerator, &name)) @@ -197,9 +204,8 @@ static bool attr_filter(void *lock, host_t **in, METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, private_stroke_attribute_t *this, linked_list_t *pools, - identification_t *id, linked_list_t *vips) + ike_sa_t *ike_sa, linked_list_t *vips) { - ike_sa_t *ike_sa; peer_cfg_t *peer_cfg; enumerator_t *enumerator; attributes_t *attr; @@ -413,4 +419,3 @@ stroke_attribute_t *stroke_attribute_create() return &this->public; } - diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c index f8026875f..b470b81c6 100644 --- a/src/libcharon/plugins/stroke/stroke_ca.c +++ b/src/libcharon/plugins/stroke/stroke_ca.c @@ -119,6 +119,84 @@ static void ca_section_destroy(ca_section_t *this) free(this); } +/** + * Data for the certificate enumerator + */ +typedef struct { + private_stroke_ca_t *this; + certificate_type_t cert; + key_type_t key; + identification_t *id; +} cert_data_t; + +/** + * destroy cert_data + */ +static void cert_data_destroy(cert_data_t *data) +{ + data->this->lock->unlock(data->this->lock); + free(data); +} + +/** + * filter function for certs enumerator + */ +static bool certs_filter(cert_data_t *data, ca_section_t **in, + certificate_t **out) +{ + public_key_t *public; + certificate_t *cert = (*in)->cert; + + if (data->cert == CERT_ANY || data->cert == cert->get_type(cert)) + { + public = cert->get_public_key(cert); + if (public) + { + if (data->key == KEY_ANY || data->key == public->get_type(public)) + { + if (data->id && public->has_fingerprint(public, + data->id->get_encoding(data->id))) + { + public->destroy(public); + *out = cert; + return TRUE; + } + } + public->destroy(public); + } + else if (data->key != KEY_ANY) + { + return FALSE; + } + if (data->id == NULL || cert->has_subject(cert, data->id)) + { + *out = cert; + return TRUE; + } + } + return FALSE; +} + +METHOD(credential_set_t, create_cert_enumerator, enumerator_t*, + private_stroke_ca_t *this, certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) +{ + enumerator_t *enumerator; + cert_data_t *data; + + INIT(data, + .this = this, + .cert = cert, + .key = key, + .id = id, + ); + + this->lock->read_lock(this->lock); + enumerator = this->sections->create_enumerator(this->sections); + return enumerator_create_filter(enumerator, (void*)certs_filter, data, + (void*)cert_data_destroy); +} + /** * data to pass to create_inner_cdp */ @@ -438,7 +516,7 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) .public = { .set = { .create_private_enumerator = (void*)return_null, - .create_cert_enumerator = (void*)return_null, + .create_cert_enumerator = _create_cert_enumerator, .create_shared_enumerator = (void*)return_null, .create_cdp_enumerator = _create_cdp_enumerator, .cache_cert = (void*)nop, @@ -456,4 +534,3 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) return &this->public; } - diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index 62967b006..55ec7cdc9 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2014 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -301,7 +301,8 @@ static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy) static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg) { enumerator_t *enumerator; - bool rsa = FALSE, ecdsa = FALSE, rsa_len = FALSE, ecdsa_len = FALSE; + bool rsa = FALSE, ecdsa = FALSE, bliss = FALSE, + rsa_len = FALSE, ecdsa_len = FALSE, bliss_strength = FALSE; int strength; char *token; @@ -328,9 +329,12 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg) { "sha256", SIGN_ECDSA_256, KEY_ECDSA, }, { "sha384", SIGN_ECDSA_384, KEY_ECDSA, }, { "sha512", SIGN_ECDSA_521, KEY_ECDSA, }, + { "sha256", SIGN_BLISS_WITH_SHA256, KEY_BLISS, }, + { "sha384", SIGN_BLISS_WITH_SHA384, KEY_BLISS, }, + { "sha512", SIGN_BLISS_WITH_SHA512, KEY_BLISS, }, }; - if (rsa_len || ecdsa_len) + if (rsa_len || ecdsa_len || bliss_strength) { /* expecting a key strength token */ strength = atoi(token); if (strength) @@ -343,8 +347,12 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg) { cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength); } + else if (bliss_strength) + { + cfg->add(cfg, AUTH_RULE_BLISS_STRENGTH, (uintptr_t)strength); + } } - rsa_len = ecdsa_len = FALSE; + rsa_len = ecdsa_len = bliss_strength = FALSE; if (strength) { continue; @@ -360,6 +368,11 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg) ecdsa = ecdsa_len = TRUE; continue; } + if (streq(token, "bliss")) + { + bliss = bliss_strength = TRUE; + continue; + } if (streq(token, "pubkey")) { continue; @@ -376,7 +389,8 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg) */ if ((rsa && schemes[i].key == KEY_RSA) || (ecdsa && schemes[i].key == KEY_ECDSA) || - (!rsa && !ecdsa)) + (bliss && schemes[i].key == KEY_BLISS) || + (!rsa && !ecdsa && !bliss)) { cfg->add(cfg, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)schemes[i].scheme); @@ -590,7 +604,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, /* authentication metod (class, actually) */ if (strpfx(auth, "pubkey") || strpfx(auth, "rsa") || - strpfx(auth, "ecdsa")) + strpfx(auth, "ecdsa") || + strpfx(auth, "bliss")) { cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); build_crl_policy(cfg, local, msg->add_conn.crl_policy); @@ -620,9 +635,16 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, else if (strpfx(auth, "eap")) { eap_vendor_type_t *type; + char *pos; cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); - + /* check for public key constraints for EAP-TLS etc. */ + pos = strchr(auth, ':'); + if (pos) + { + *pos = 0; + parse_pubkey_constraints(pos + 1, cfg); + } type = eap_vendor_type_from_string(auth); if (type) { @@ -666,6 +688,24 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, return cfg; } +/** + * build a mem_pool_t from an address range + */ +static mem_pool_t *create_pool_range(char *str) +{ + mem_pool_t *pool; + host_t *from, *to; + + if (!host_create_from_range(str, &from, &to)) + { + return NULL; + } + pool = mem_pool_create_range(str, from, to); + from->destroy(from); + to->destroy(to); + return pool; +} + /** * build a peer_cfg from a stroke msg */ @@ -789,17 +829,25 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, } else { - /* in-memory pool, named using CIDR notation */ + /* in-memory pool, using range or CIDR notation */ + mem_pool_t *pool; host_t *base; int bits; - base = host_create_from_subnet(token, &bits); - if (base) + pool = create_pool_range(token); + if (!pool) + { + base = host_create_from_subnet(token, &bits); + if (base) + { + pool = mem_pool_create(token, base, bits); + base->destroy(base); + } + } + if (pool) { - this->attributes->add_pool(this->attributes, - mem_pool_create(token, base, bits)); + this->attributes->add_pool(this->attributes, pool); peer_cfg->add_pool(peer_cfg, token); - base->destroy(base); } else { diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index f770d7c9e..0084fbf93 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -352,7 +352,7 @@ METHOD(stroke_control_t, terminate, void, if (streq(name, child_sa->get_name(child_sa))) { child_list->insert_last(child_list, - (void*)(uintptr_t)child_sa->get_reqid(child_sa)); + (void*)(uintptr_t)child_sa->get_unique_id(child_sa)); if (!all) { break; @@ -432,13 +432,13 @@ METHOD(stroke_control_t, rekey, void, while (children->enumerate(children, (void**)&child_sa)) { if ((name && streq(name, child_sa->get_name(child_sa))) || - (id && id == child_sa->get_reqid(child_sa))) + (id && id == child_sa->get_unique_id(child_sa))) { lib->processor->queue_job(lib->processor, (job_t*)rekey_child_sa_job_create( - child_sa->get_reqid(child_sa), child_sa->get_protocol(child_sa), - child_sa->get_spi(child_sa, TRUE))); + child_sa->get_spi(child_sa, TRUE), + ike_sa->get_my_host(ike_sa))); if (!all) { finished = TRUE; diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 83431d17c..5e423f1de 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -70,10 +70,20 @@ struct private_stroke_cred_t { char *secrets_file; /** - * credentials + * credentials: end entity certs, attribute certs, CRLs, etc. */ mem_cred_t *creds; + /** + * CA certificates + */ + mem_cred_t *cacerts; + + /** + * Attribute Authority certificates + */ + mem_cred_t *aacerts; + /** * ignore missing CA basic constraint (i.e. treat all certificates in * ipsec.conf ca sections and ipsec.d/cacerts as CA certificates) @@ -231,7 +241,7 @@ METHOD(stroke_cred_t, load_ca, certificate_t*, } DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'", cert->get_subject(cert), filename); - return this->creds->add_cert_ref(this->creds, TRUE, cert); + return this->creds->get_cert_ref(this->creds, cert); } return NULL; } @@ -374,133 +384,183 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*, } /** - * load trusted certificates from a directory + * Load a CA certificate from disk */ -static void load_certdir(private_stroke_cred_t *this, char *path, - certificate_type_t type, x509_flag_t flag) +static void load_x509_ca(private_stroke_cred_t *this, char *file) { - struct stat st; - char *file; - - enumerator_t *enumerator = enumerator_create_directory(path); + certificate_t *cert; - if (!enumerator) + if (this->force_ca_cert) + { /* treat certificate as CA cert even it has no CA basic constraint */ + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, file, + BUILD_X509_FLAG, X509_CA, BUILD_END); + } + else { - DBG1(DBG_CFG, " reading directory failed"); - return; + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, file, BUILD_END); } - - while (enumerator->enumerate(enumerator, NULL, &file, &st)) + if (cert) { - certificate_t *cert; + x509_t *x509 = (x509_t*)cert; - if (!S_ISREG(st.st_mode)) + if (!(x509->get_flags(x509) & X509_CA)) { - /* skip special file */ - continue; + DBG1(DBG_CFG, " ca certificate \"%Y\" lacks ca basic constraint, " + "discarded", cert->get_subject(cert)); + cert->destroy(cert); } - switch (type) + else { - case CERT_X509: - if (flag & X509_CA) - { - if (this->force_ca_cert) - { /* treat this certificate as CA cert even it has no - * CA basic constraint */ - cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, file, BUILD_X509_FLAG, - X509_CA, BUILD_END); - } - else - { - cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, file, BUILD_END); - } - if (cert) - { - x509_t *x509 = (x509_t*)cert; - - if (!(x509->get_flags(x509) & X509_CA)) - { - DBG1(DBG_CFG, " ca certificate \"%Y\" lacks " - "ca basic constraint, discarded", - cert->get_subject(cert)); - cert->destroy(cert); - cert = NULL; - } - else - { - DBG1(DBG_CFG, " loaded ca certificate \"%Y\" " - "from '%s'", cert->get_subject(cert), file); - } - } - else + DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'", + cert->get_subject(cert), file); + this->cacerts->add_cert(this->cacerts, TRUE, cert); + } + } + else + { + DBG1(DBG_CFG, " loading ca certificate from '%s' failed", file); + } +} + +/** + * Load AA certificate with flags from disk + */ +static void load_x509_aa(private_stroke_cred_t *this, char *file) +{ + certificate_t *cert; + + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, file, + BUILD_X509_FLAG, X509_AA, BUILD_END); + if (cert) + { + DBG1(DBG_CFG, " loaded AA certificate \"%Y\" from '%s'", + cert->get_subject(cert), file); + this->aacerts->add_cert(this->aacerts, TRUE, cert); + } + else + { + DBG1(DBG_CFG, " loading AA certificate from '%s' failed", file); + } +} + +/** + * Load a certificate with flags from disk + */ +static void load_x509(private_stroke_cred_t *this, char *file, x509_flag_t flag) +{ + certificate_t *cert; + + /* for all other flags, we add them to the certificate. */ + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, file, + BUILD_X509_FLAG, flag, BUILD_END); + if (cert) + { + DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'", + cert->get_subject(cert), file); + this->creds->add_cert(this->creds, TRUE, cert); + } + else + { + DBG1(DBG_CFG, " loading certificate from '%s' failed", file); + } +} + +/** + * Load a CRL from a file + */ +static void load_x509_crl(private_stroke_cred_t *this, char *file) +{ + certificate_t *cert; + + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_FROM_FILE, file, BUILD_END); + if (cert) + { + this->creds->add_crl(this->creds, (crl_t*)cert); + DBG1(DBG_CFG, " loaded crl from '%s'", file); + } + else + { + DBG1(DBG_CFG, " loading crl from '%s' failed", file); + } +} + +/** + * Load an attribute certificate from a file + */ +static void load_x509_ac(private_stroke_cred_t *this, char *file) +{ + certificate_t *cert; + + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, + BUILD_FROM_FILE, file, BUILD_END); + if (cert) + { + DBG1(DBG_CFG, " loaded attribute certificate from '%s'", file); + this->creds->add_cert(this->creds, FALSE, cert); + } + else + { + DBG1(DBG_CFG, " loading attribute certificate from '%s' failed", file); + } +} + +/** + * load trusted certificates from a directory + */ +static void load_certdir(private_stroke_cred_t *this, char *path, + certificate_type_t type, x509_flag_t flag) +{ + enumerator_t *enumerator; + struct stat st; + char *file; + + enumerator = enumerator_create_directory(path); + if (enumerator) + { + while (enumerator->enumerate(enumerator, NULL, &file, &st)) + { + if (!S_ISREG(st.st_mode)) + { + /* skip special file */ + continue; + } + switch (type) + { + case CERT_X509: + if (flag & X509_CA) { - DBG1(DBG_CFG, " loading ca certificate from '%s' " - "failed", file); + load_x509_ca(this, file); } - } - else - { /* for all other flags, we add them to the certificate. */ - cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, file, - BUILD_X509_FLAG, flag, BUILD_END); - if (cert) + else if (flag & X509_AA) { - DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'", - cert->get_subject(cert), file); + load_x509_aa(this, file); } else { - DBG1(DBG_CFG, " loading certificate from '%s' " - "failed", file); + load_x509(this, file, flag); } - } - if (cert) - { - this->creds->add_cert(this->creds, TRUE, cert); - } - break; - case CERT_X509_CRL: - cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509_CRL, - BUILD_FROM_FILE, file, - BUILD_END); - if (cert) - { - this->creds->add_crl(this->creds, (crl_t*)cert); - DBG1(DBG_CFG, " loaded crl from '%s'", file); - } - else - { - DBG1(DBG_CFG, " loading crl from '%s' failed", file); - } - break; - case CERT_X509_AC: - cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509_AC, - BUILD_FROM_FILE, file, - BUILD_END); - if (cert) - { - this->creds->add_cert(this->creds, FALSE, cert); - DBG1(DBG_CFG, " loaded attribute certificate from '%s'", - file); - } - else - { - DBG1(DBG_CFG, " loading attribute certificate from '%s' " - "failed", file); - } - break; - default: - break; + break; + case CERT_X509_CRL: + load_x509_crl(this, file); + break; + case CERT_X509_AC: + load_x509_ac(this, file); + break; + default: + break; + } } + enumerator->destroy(enumerator); + } + else + { + DBG1(DBG_CFG, " reading directory failed"); } - enumerator->destroy(enumerator); } METHOD(stroke_cred_t, cache_cert, void, @@ -1124,6 +1184,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets, while (fetchline(src, &line)) { chunk_t ids, token; + key_type_t key_type; shared_key_type_t type; line_nr++; @@ -1222,10 +1283,22 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets, DBG1(DBG_CFG, "line %d: missing token", line_nr); break; } - if (match("RSA", &token) || match("ECDSA", &token)) + if (match("RSA", &token) || match("ECDSA", &token) || + match("BLISS", &token)) { - if (!load_private(secrets, line, line_nr, prompt, - match("RSA", &token) ? KEY_RSA : KEY_ECDSA)) + if (match("RSA", &token)) + { + key_type = KEY_RSA; + } + else if (match("ECDSA", &token)) + { + key_type = KEY_ECDSA; + } + else + { + key_type = KEY_BLISS; + } + if (!load_private(secrets, line, line_nr, prompt, key_type)) { break; } @@ -1256,8 +1329,8 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets, } else { - DBG1(DBG_CFG, "line %d: token must be either " - "RSA, ECDSA, P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr); + DBG1(DBG_CFG, "line %d: token must be either RSA, ECDSA, BLISS, " + "P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr); break; } } @@ -1308,6 +1381,8 @@ METHOD(stroke_cred_t, reread, void, { DBG1(DBG_CFG, "rereading ca certificates from '%s'", CA_CERTIFICATE_DIR); + this->cacerts->clear(this->cacerts); + lib->credmgr->flush_cache(lib->credmgr, CERT_X509); load_certdir(this, CA_CERTIFICATE_DIR, CERT_X509, X509_CA); } if (msg->reread.flags & REREAD_OCSPCERTS) @@ -1321,6 +1396,8 @@ METHOD(stroke_cred_t, reread, void, { DBG1(DBG_CFG, "rereading aa certificates from '%s'", AA_CERTIFICATE_DIR); + this->aacerts->clear(this->aacerts); + lib->credmgr->flush_cache(lib->credmgr, CERT_X509); load_certdir(this, AA_CERTIFICATE_DIR, CERT_X509, X509_AA); } if (msg->reread.flags & REREAD_ACERTS) @@ -1346,7 +1423,11 @@ METHOD(stroke_cred_t, add_shared, void, METHOD(stroke_cred_t, destroy, void, private_stroke_cred_t *this) { + lib->credmgr->remove_set(lib->credmgr, &this->aacerts->set); + lib->credmgr->remove_set(lib->credmgr, &this->cacerts->set); lib->credmgr->remove_set(lib->credmgr, &this->creds->set); + this->aacerts->destroy(this->aacerts); + this->cacerts->destroy(this->cacerts); this->creds->destroy(this->creds); free(this); } @@ -1379,9 +1460,13 @@ stroke_cred_t *stroke_cred_create() "%s.plugins.stroke.secrets_file", SECRETS_FILE, lib->ns), .creds = mem_cred_create(), + .cacerts = mem_cred_create(), + .aacerts = mem_cred_create(), ); lib->credmgr->add_set(lib->credmgr, &this->creds->set); + lib->credmgr->add_set(lib->credmgr, &this->cacerts->set); + lib->credmgr->add_set(lib->credmgr, &this->aacerts->set); this->force_ca_cert = lib->settings->get_bool(lib->settings, "%s.plugins.stroke.ignore_missing_ca_basic_constraint", diff --git a/src/libcharon/plugins/stroke/stroke_cred.h b/src/libcharon/plugins/stroke/stroke_cred.h index f6fbb96d3..9434629ef 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.h +++ b/src/libcharon/plugins/stroke/stroke_cred.h @@ -50,10 +50,13 @@ struct stroke_cred_t { void (*reread)(stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt); /** - * Load a CA certificate, and serve it through the credential_set. + * Load a CA certificate. + * + * This method does not add the loaded CA certificate to the internal + * credentail set, but returns it only. * * @param filename file to load CA cert from - * @return reference to loaded certificate, or NULL + * @return loaded certificate, or NULL */ certificate_t* (*load_ca)(stroke_cred_t *this, char *filename); diff --git a/src/libcharon/plugins/stroke/stroke_handler.c b/src/libcharon/plugins/stroke/stroke_handler.c index fef8cab67..d0cc9afab 100644 --- a/src/libcharon/plugins/stroke/stroke_handler.c +++ b/src/libcharon/plugins/stroke/stroke_handler.c @@ -94,10 +94,9 @@ static bool attr_filter(void *lock, host_t **in, } METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*, - private_stroke_handler_t *this, identification_t *server, + private_stroke_handler_t *this, ike_sa_t *ike_sa, linked_list_t *vips) { - ike_sa_t *ike_sa; peer_cfg_t *peer_cfg; enumerator_t *enumerator; attributes_t *attr; diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index 1aa49ce0d..68b8232bc 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -214,11 +214,12 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) config = child_sa->get_config(child_sa); now = time_monotonic(NULL); - fprintf(out, "%12s{%d}: %N, %N%s", - child_sa->get_name(child_sa), child_sa->get_reqid(child_sa), + fprintf(out, "%12s{%d}: %N, %N%s, reqid %u", + child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), child_sa_state_names, child_sa->get_state(child_sa), ipsec_mode_names, child_sa->get_mode(child_sa), - config->use_proxy_mode(config) ? "_PROXY" : ""); + config->use_proxy_mode(config) ? "_PROXY" : "", + child_sa->get_reqid(child_sa)); if (child_sa->get_state(child_sa) == CHILD_INSTALLED) { @@ -238,7 +239,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) if (all) { fprintf(out, "\n%12s{%d}: ", child_sa->get_name(child_sa), - child_sa->get_reqid(child_sa)); + child_sa->get_unique_id(child_sa)); proposal = child_sa->get_proposal(child_sa); if (proposal) @@ -322,7 +323,8 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) } } - else if (child_sa->get_state(child_sa) == CHILD_REKEYING) + else if (child_sa->get_state(child_sa) == CHILD_REKEYING || + child_sa->get_state(child_sa) == CHILD_REKEYED) { rekey = child_sa->get_lifetime(child_sa, TRUE); fprintf(out, ", expires in %V", &now, &rekey); @@ -333,7 +335,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) other_ts = linked_list_create_from_enumerator( child_sa->create_ts_enumerator(child_sa, FALSE)); fprintf(out, "\n%12s{%d}: %#R=== %#R\n", - child_sa->get_name(child_sa), child_sa->get_reqid(child_sa), + child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), my_ts, other_ts); my_ts->destroy(my_ts); other_ts->destroy(other_ts); @@ -496,7 +498,7 @@ METHOD(stroke_list_t, status, void, { struct mallinfo mi = mallinfo(); - fprintf(out, " malloc: sbrk %d, mmap %d, used %d, free %d\n", + fprintf(out, " malloc: sbrk %u, mmap %u, used %u, free %u\n", mi.arena, mi.hblkhd, mi.uordblks, mi.fordblks); } #endif /* HAVE_MALLINFO */ diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c index 31df1f99b..f64b99f08 100644 --- a/src/libcharon/plugins/stroke/stroke_plugin.c +++ b/src/libcharon/plugins/stroke/stroke_plugin.c @@ -69,6 +69,7 @@ METHOD(plugin_t, get_features, int, PLUGIN_SDEPEND(PRIVKEY, KEY_RSA), PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA), PLUGIN_SDEPEND(PRIVKEY, KEY_DSA), + PLUGIN_SDEPEND(PRIVKEY, KEY_BLISS), PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY), PLUGIN_SDEPEND(CERT_DECODE, CERT_X509), PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_CRL), diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index 54dd56e91..db7e66f14 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -24,7 +24,6 @@ #include #include -#include #include #include "stroke_config.h" @@ -747,8 +746,10 @@ METHOD(stroke_socket_t, destroy, void, lib->credmgr->remove_set(lib->credmgr, &this->ca->set); lib->credmgr->remove_set(lib->credmgr, &this->cred->set); charon->backends->remove_backend(charon->backends, &this->config->backend); - hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider); - hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler); + charon->attributes->remove_provider(charon->attributes, + &this->attribute->provider); + charon->attributes->remove_handler(charon->attributes, + &this->handler->handler); charon->bus->remove_listener(charon->bus, &this->counter->listener); this->cred->destroy(this->cred); this->ca->destroy(this->ca); @@ -790,8 +791,10 @@ stroke_socket_t *stroke_socket_create() lib->credmgr->add_set(lib->credmgr, &this->ca->set); lib->credmgr->add_set(lib->credmgr, &this->cred->set); charon->backends->add_backend(charon->backends, &this->config->backend); - hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider); - hydra->attributes->add_handler(hydra->attributes, &this->handler->handler); + charon->attributes->add_provider(charon->attributes, + &this->attribute->provider); + charon->attributes->add_handler(charon->attributes, + &this->handler->handler); charon->bus->add_listener(charon->bus, &this->counter->listener); max_concurrent = lib->settings->get_int(lib->settings, diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in index 0e477f9f3..be148b6c3 100644 --- a/src/libcharon/plugins/systime_fix/Makefile.in +++ b/src/libcharon/plugins/systime_fix/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in index 3f2952c4b..17cc341c5 100644 --- a/src/libcharon/plugins/tnc_ifmap/Makefile.in +++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in @@ -232,6 +232,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in index 97c479632..ef05275b7 100644 --- a/src/libcharon/plugins/tnc_pdp/Makefile.in +++ b/src/libcharon/plugins/tnc_pdp/Makefile.in @@ -233,6 +233,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -293,10 +294,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -370,6 +373,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c index 109c216d5..91456f8da 100644 --- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c +++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2013 Andreas Steffen + * Copyright (C) 2012-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -646,8 +646,8 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even int pt_tls_fd; struct sockaddr_storage addr; socklen_t addrlen = sizeof(addr); - identification_t *peer; - host_t *host; + identification_t *client_id; + host_t *server_ip, *client_ip; pt_tls_server_t *pt_tls; tnccs_t *tnccs; pt_tls_auth_t auth = PT_TLS_AUTH_TLS_OR_SASL; @@ -658,17 +658,22 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even DBG1(DBG_TNC, "accepting PT-TLS stream failed: %s", strerror(errno)); return FALSE; } - host = host_create_from_sockaddr((sockaddr_t*)&addr); - DBG1(DBG_TNC, "accepting PT-TLS stream from %H", host); - host->destroy(host); + client_ip = host_create_from_sockaddr((sockaddr_t*)&addr); + DBG1(DBG_TNC, "accepting PT-TLS stream from %H", client_ip); + + /* Currently we do not determine the IP address of the server interface */ + server_ip = host_create_any(client_ip->get_family(client_ip)); - /* At this moment the peer identity is not known yet */ - peer = identification_create_from_encoding(ID_ANY, chunk_empty), + /* At this moment the client identity is not known yet */ + client_id = identification_create_from_encoding(ID_ANY, chunk_empty), tnccs = tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, TRUE, - this->server, peer, TNC_IFT_TLS_2_0, + this->server, client_id, server_ip, + client_ip, TNC_IFT_TLS_2_0, (tnccs_cb_t)get_recommendation); - peer->destroy(peer); + client_id->destroy(client_id); + server_ip->destroy(server_ip); + client_ip->destroy(client_ip); if (!tnccs) { diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index 5e16c3c35..2c031383a 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/unit_tester/Makefile.am b/src/libcharon/plugins/unit_tester/Makefile.am deleted file mode 100644 index b7f8fc319..000000000 --- a/src/libcharon/plugins/unit_tester/Makefile.am +++ /dev/null @@ -1,26 +0,0 @@ -AM_CPPFLAGS = \ - -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon - -AM_CFLAGS = \ - $(PLUGIN_CFLAGS) - -if MONOLITHIC -noinst_LTLIBRARIES = libstrongswan-unit-tester.la -else -plugin_LTLIBRARIES = libstrongswan-unit-tester.la -endif - -libstrongswan_unit_tester_la_SOURCES = \ - unit_tester.c unit_tester.h tests.h \ - tests/test_auth_info.c \ - tests/test_curl.c \ - tests/test_mysql.c \ - tests/test_sqlite.c \ - tests/test_cert.c \ - tests/test_med_db.c \ - tests/test_pool.c \ - tests/test_agent.c - -libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in deleted file mode 100644 index 1aca319c7..000000000 --- a/src/libcharon/plugins/unit_tester/Makefile.in +++ /dev/null @@ -1,819 +0,0 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994-2013 Free Software Foundation, Inc. - -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' -am__make_running_with_option = \ - case $${target_option-} in \ - ?) ;; \ - *) echo "am__make_running_with_option: internal error: invalid" \ - "target option '$${target_option-}' specified" >&2; \ - exit 1;; \ - esac; \ - has_opt=no; \ - sane_makeflags=$$MAKEFLAGS; \ - if $(am__is_gnu_make); then \ - sane_makeflags=$$MFLAGS; \ - else \ - case $$MAKEFLAGS in \ - *\\[\ \ ]*) \ - bs=\\; \ - sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ - | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ - esac; \ - fi; \ - skip_next=no; \ - strip_trailopt () \ - { \ - flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ - }; \ - for flg in $$sane_makeflags; do \ - test $$skip_next = yes && { skip_next=no; continue; }; \ - case $$flg in \ - *=*|--*) continue;; \ - -*I) strip_trailopt 'I'; skip_next=yes;; \ - -*I?*) strip_trailopt 'I';; \ - -*O) strip_trailopt 'O'; skip_next=yes;; \ - -*O?*) strip_trailopt 'O';; \ - -*l) strip_trailopt 'l'; skip_next=yes;; \ - -*l?*) strip_trailopt 'l';; \ - -[dEDm]) skip_next=yes;; \ - -[JT]) skip_next=yes;; \ - esac; \ - case $$flg in \ - *$$target_option*) has_opt=yes; break;; \ - esac; \ - done; \ - test $$has_opt = yes -am__make_dryrun = (target_option=n; $(am__make_running_with_option)) -am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) -pkgdatadir = $(datadir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkglibexecdir = $(libexecdir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -subdir = src/libcharon/plugins/unit_tester -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ - $(top_srcdir)/m4/config/ltoptions.m4 \ - $(top_srcdir)/m4/config/ltsugar.m4 \ - $(top_srcdir)/m4/config/ltversion.m4 \ - $(top_srcdir)/m4/config/lt~obsolete.m4 \ - $(top_srcdir)/m4/macros/split-package-version.m4 \ - $(top_srcdir)/m4/macros/with.m4 \ - $(top_srcdir)/m4/macros/enable-disable.m4 \ - $(top_srcdir)/m4/macros/add-plugin.m4 \ - $(top_srcdir)/configure.ac -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(install_sh) -d -CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = -CONFIG_CLEAN_VPATH_FILES = -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -am__uninstall_files_from_dir = { \ - test -z "$$files" \ - || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ - || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ - $(am__cd) "$$dir" && rm -f $$files; }; \ - } -am__installdirs = "$(DESTDIR)$(plugindir)" -LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_unit_tester_la_LIBADD = -am__dirstamp = $(am__leading_dot)dirstamp -am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \ - tests/test_auth_info.lo tests/test_curl.lo tests/test_mysql.lo \ - tests/test_sqlite.lo tests/test_cert.lo tests/test_med_db.lo \ - tests/test_pool.lo tests/test_agent.lo -libstrongswan_unit_tester_la_OBJECTS = \ - $(am_libstrongswan_unit_tester_la_OBJECTS) -AM_V_lt = $(am__v_lt_@AM_V@) -am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) -am__v_lt_0 = --silent -am__v_lt_1 = -libstrongswan_unit_tester_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ - $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ - $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_unit_tester_la_LDFLAGS) \ - $(LDFLAGS) -o $@ -@MONOLITHIC_FALSE@am_libstrongswan_unit_tester_la_rpath = -rpath \ -@MONOLITHIC_FALSE@ $(plugindir) -@MONOLITHIC_TRUE@am_libstrongswan_unit_tester_la_rpath = -AM_V_P = $(am__v_P_@AM_V@) -am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) -am__v_P_0 = false -am__v_P_1 = : -AM_V_GEN = $(am__v_GEN_@AM_V@) -am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) -am__v_GEN_0 = @echo " GEN " $@; -am__v_GEN_1 = -AM_V_at = $(am__v_at_@AM_V@) -am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) -am__v_at_0 = @ -am__v_at_1 = -DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -depcomp = $(SHELL) $(top_srcdir)/depcomp -am__depfiles_maybe = depfiles -am__mv = mv -f -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -AM_V_CC = $(am__v_CC_@AM_V@) -am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) -am__v_CC_0 = @echo " CC " $@; -am__v_CC_1 = -CCLD = $(CC) -LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -AM_V_CCLD = $(am__v_CCLD_@AM_V@) -am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) -am__v_CCLD_0 = @echo " CCLD " $@; -am__v_CCLD_1 = -SOURCES = $(libstrongswan_unit_tester_la_SOURCES) -DIST_SOURCES = $(libstrongswan_unit_tester_la_SOURCES) -am__can_run_installinfo = \ - case $$AM_UPDATE_INFO_DIR in \ - n|no|NO) false;; \ - *) (install-info --version) >/dev/null 2>&1;; \ - esac -am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -# Read a list of newline-separated strings from the standard input, -# and print each of them once, without duplicates. Input order is -# *not* preserved. -am__uniquify_input = $(AWK) '\ - BEGIN { nonempty = 0; } \ - { items[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in items) print i; }; } \ -' -# Make sure the list of sources is unique. This is necessary because, -# e.g., the same source file might be shared among _SOURCES variables -# for different programs/libraries. -am__define_uniq_tagged_files = \ - list='$(am__tagged_files)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -ALLOCA = @ALLOCA@ -AMTAR = @AMTAR@ -AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -BFDLIB = @BFDLIB@ -BTLIB = @BTLIB@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ -COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -DLLIB = @DLLIB@ -DLLTOOL = @DLLTOOL@ -DSYMUTIL = @DSYMUTIL@ -DUMPBIN = @DUMPBIN@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -FGREP = @FGREP@ -GEM = @GEM@ -GENHTML = @GENHTML@ -GPERF = @GPERF@ -GPRBUILD = @GPRBUILD@ -GREP = @GREP@ -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LCOV = @LCOV@ -LD = @LD@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIPO = @LIPO@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAKEINFO = @MAKEINFO@ -MANIFEST_TOOL = @MANIFEST_TOOL@ -MKDIR_P = @MKDIR_P@ -MYSQLCFLAG = @MYSQLCFLAG@ -MYSQLCONFIG = @MYSQLCONFIG@ -MYSQLLIB = @MYSQLLIB@ -NM = @NM@ -NMEDIT = @NMEDIT@ -OBJDUMP = @OBJDUMP@ -OBJEXT = @OBJEXT@ -OPENSSL_LIB = @OPENSSL_LIB@ -OTOOL = @OTOOL@ -OTOOL64 = @OTOOL64@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ -PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ -PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ -PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -PERL = @PERL@ -PKG_CONFIG = @PKG_CONFIG@ -PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ -PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ -PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ -PTHREADLIB = @PTHREADLIB@ -PYTHON = @PYTHON@ -PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ -PYTHON_PLATFORM = @PYTHON_PLATFORM@ -PYTHON_PREFIX = @PYTHON_PREFIX@ -PYTHON_VERSION = @PYTHON_VERSION@ -RANLIB = @RANLIB@ -RTLIB = @RTLIB@ -RUBY = @RUBY@ -RUBYGEMDIR = @RUBYGEMDIR@ -RUBYINCLUDE = @RUBYINCLUDE@ -RUBYLIB = @RUBYLIB@ -SED = @SED@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -SOCKLIB = @SOCKLIB@ -STRIP = @STRIP@ -UNWINDLIB = @UNWINDLIB@ -VERSION = @VERSION@ -YACC = @YACC@ -YFLAGS = @YFLAGS@ -abs_builddir = @abs_builddir@ -abs_srcdir = @abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -aikgen_plugins = @aikgen_plugins@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -attest_plugins = @attest_plugins@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -builddir = @builddir@ -c_plugins = @c_plugins@ -charon_natt_port = @charon_natt_port@ -charon_plugins = @charon_plugins@ -charon_udp_port = @charon_udp_port@ -clearsilver_LIBS = @clearsilver_LIBS@ -cmd_plugins = @cmd_plugins@ -datadir = @datadir@ -datarootdir = @datarootdir@ -dbusservicedir = @dbusservicedir@ -dev_headers = @dev_headers@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -fips_mode = @fips_mode@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ -h_plugins = @h_plugins@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -imcvdir = @imcvdir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -ipsec_script = @ipsec_script@ -ipsec_script_upper = @ipsec_script_upper@ -ipsecdir = @ipsecdir@ -ipsecgroup = @ipsecgroup@ -ipseclibdir = @ipseclibdir@ -ipsecuser = @ipsecuser@ -json_CFLAGS = @json_CFLAGS@ -json_LIBS = @json_LIBS@ -libdir = @libdir@ -libexecdir = @libexecdir@ -linux_headers = @linux_headers@ -localedir = @localedir@ -localstatedir = @localstatedir@ -maemo_CFLAGS = @maemo_CFLAGS@ -maemo_LIBS = @maemo_LIBS@ -manager_plugins = @manager_plugins@ -mandir = @mandir@ -medsrv_plugins = @medsrv_plugins@ -mkdir_p = @mkdir_p@ -nm_CFLAGS = @nm_CFLAGS@ -nm_LIBS = @nm_LIBS@ -nm_ca_dir = @nm_ca_dir@ -nm_plugins = @nm_plugins@ -oldincludedir = @oldincludedir@ -pcsclite_CFLAGS = @pcsclite_CFLAGS@ -pcsclite_LIBS = @pcsclite_LIBS@ -pdfdir = @pdfdir@ -piddir = @piddir@ -pkgpyexecdir = @pkgpyexecdir@ -pkgpythondir = @pkgpythondir@ -pki_plugins = @pki_plugins@ -plugindir = @plugindir@ -pool_plugins = @pool_plugins@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -pyexecdir = @pyexecdir@ -pythondir = @pythondir@ -random_device = @random_device@ -resolv_conf = @resolv_conf@ -routing_table = @routing_table@ -routing_table_prio = @routing_table_prio@ -s_plugins = @s_plugins@ -sbindir = @sbindir@ -scepclient_plugins = @scepclient_plugins@ -scripts_plugins = @scripts_plugins@ -sharedstatedir = @sharedstatedir@ -soup_CFLAGS = @soup_CFLAGS@ -soup_LIBS = @soup_LIBS@ -srcdir = @srcdir@ -starter_plugins = @starter_plugins@ -strongswan_conf = @strongswan_conf@ -strongswan_options = @strongswan_options@ -swanctldir = @swanctldir@ -sysconfdir = @sysconfdir@ -systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ -systemd_daemon_LIBS = @systemd_daemon_LIBS@ -systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ -systemd_journal_LIBS = @systemd_journal_LIBS@ -systemdsystemunitdir = @systemdsystemunitdir@ -t_plugins = @t_plugins@ -target_alias = @target_alias@ -top_build_prefix = @top_build_prefix@ -top_builddir = @top_builddir@ -top_srcdir = @top_srcdir@ -urandom_device = @urandom_device@ -xml_CFLAGS = @xml_CFLAGS@ -xml_LIBS = @xml_LIBS@ -AM_CPPFLAGS = \ - -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon - -AM_CFLAGS = \ - $(PLUGIN_CFLAGS) - -@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-unit-tester.la -@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-unit-tester.la -libstrongswan_unit_tester_la_SOURCES = \ - unit_tester.c unit_tester.h tests.h \ - tests/test_auth_info.c \ - tests/test_curl.c \ - tests/test_mysql.c \ - tests/test_sqlite.c \ - tests/test_cert.c \ - tests/test_med_db.c \ - tests/test_pool.c \ - tests/test_agent.c - -libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version -all: all-am - -.SUFFIXES: -.SUFFIXES: .c .lo .o .obj -$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ - && { if test -f $@; then exit 0; else break; fi; }; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/unit_tester/Makefile'; \ - $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libcharon/plugins/unit_tester/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(am__aclocal_m4_deps): - -clean-noinstLTLIBRARIES: - -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) - @list='$(noinst_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } - -install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) - @$(NORMAL_INSTALL) - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - list2=; for p in $$list; do \ - if test -f $$p; then \ - list2="$$list2 $$p"; \ - else :; fi; \ - done; \ - test -z "$$list2" || { \ - echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ - } - -uninstall-pluginLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - for p in $$list; do \ - $(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ - done - -clean-pluginLTLIBRARIES: - -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) - @list='$(plugin_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } -tests/$(am__dirstamp): - @$(MKDIR_P) tests - @: > tests/$(am__dirstamp) -tests/$(DEPDIR)/$(am__dirstamp): - @$(MKDIR_P) tests/$(DEPDIR) - @: > tests/$(DEPDIR)/$(am__dirstamp) -tests/test_auth_info.lo: tests/$(am__dirstamp) \ - tests/$(DEPDIR)/$(am__dirstamp) -tests/test_curl.lo: tests/$(am__dirstamp) \ - tests/$(DEPDIR)/$(am__dirstamp) -tests/test_mysql.lo: tests/$(am__dirstamp) \ - tests/$(DEPDIR)/$(am__dirstamp) -tests/test_sqlite.lo: tests/$(am__dirstamp) \ - tests/$(DEPDIR)/$(am__dirstamp) -tests/test_cert.lo: tests/$(am__dirstamp) \ - tests/$(DEPDIR)/$(am__dirstamp) -tests/test_med_db.lo: tests/$(am__dirstamp) \ - tests/$(DEPDIR)/$(am__dirstamp) -tests/test_pool.lo: tests/$(am__dirstamp) \ - tests/$(DEPDIR)/$(am__dirstamp) -tests/test_agent.lo: tests/$(am__dirstamp) \ - tests/$(DEPDIR)/$(am__dirstamp) - -libstrongswan-unit-tester.la: $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_DEPENDENCIES) $(EXTRA_libstrongswan_unit_tester_la_DEPENDENCIES) - $(AM_V_CCLD)$(libstrongswan_unit_tester_la_LINK) $(am_libstrongswan_unit_tester_la_rpath) $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_LIBADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -rm -f tests/*.$(OBJEXT) - -rm -f tests/*.lo - -distclean-compile: - -rm -f *.tab.c - -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unit_tester.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_agent.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_auth_info.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_cert.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_curl.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_med_db.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_mysql.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_pool.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_sqlite.Plo@am__quote@ - -.c.o: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< - -.c.obj: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` - -.c.lo: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -rm -rf tests/.libs tests/_libs - -ID: $(am__tagged_files) - $(am__define_uniq_tagged_files); mkid -fID $$unique -tags: tags-am -TAGS: tags - -tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) - set x; \ - here=`pwd`; \ - $(am__define_uniq_tagged_files); \ - shift; \ - if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ - test -n "$$unique" || unique=$$empty_fix; \ - if test $$# -gt 0; then \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - "$$@" $$unique; \ - else \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$unique; \ - fi; \ - fi -ctags: ctags-am - -CTAGS: ctags -ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) - $(am__define_uniq_tagged_files); \ - test -z "$(CTAGS_ARGS)$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && $(am__cd) $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) "$$here" -cscopelist: cscopelist-am - -cscopelist-am: $(am__tagged_files) - list='$(am__tagged_files)'; \ - case "$(srcdir)" in \ - [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ - *) sdir=$(subdir)/$(srcdir) ;; \ - esac; \ - for i in $$list; do \ - if test -f "$$i"; then \ - echo "$(subdir)/$$i"; \ - else \ - echo "$$sdir/$$i"; \ - fi; \ - done >> $(top_builddir)/cscope.files - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - list='$(DISTFILES)'; \ - dist_files=`for file in $$list; do echo $$file; done | \ - sed -e "s|^$$srcdirstrip/||;t" \ - -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ - case $$dist_files in \ - */*) $(MKDIR_P) `echo "$$dist_files" | \ - sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ - sort -u` ;; \ - esac; \ - for file in $$dist_files; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - if test -d $$d/$$file; then \ - dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test -d "$(distdir)/$$file"; then \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ - else \ - test -f "$(distdir)/$$file" \ - || cp -p $$d/$$file "$(distdir)/$$file" \ - || exit 1; \ - fi; \ - done -check-am: all-am -check: check-am -all-am: Makefile $(LTLIBRARIES) -installdirs: - for dir in "$(DESTDIR)$(plugindir)"; do \ - test -z "$$dir" || $(MKDIR_P) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - if test -z '$(STRIP)'; then \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - install; \ - else \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ - fi -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) - -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -rm -f tests/$(DEPDIR)/$(am__dirstamp) - -rm -f tests/$(am__dirstamp) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ - clean-pluginLTLIBRARIES mostlyclean-am - -distclean: distclean-am - -rm -rf ./$(DEPDIR) tests/$(DEPDIR) - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -html-am: - -info: info-am - -info-am: - -install-data-am: install-pluginLTLIBRARIES - -install-dvi: install-dvi-am - -install-dvi-am: - -install-exec-am: - -install-html: install-html-am - -install-html-am: - -install-info: install-info-am - -install-info-am: - -install-man: - -install-pdf: install-pdf-am - -install-pdf-am: - -install-ps: install-ps-am - -install-ps-am: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) tests/$(DEPDIR) - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-pluginLTLIBRARIES - -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ - clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-pluginLTLIBRARIES install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ - uninstall-am uninstall-pluginLTLIBRARIES - - -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/src/libcharon/plugins/unit_tester/tests.h b/src/libcharon/plugins/unit_tester/tests.h deleted file mode 100644 index 169292e9b..000000000 --- a/src/libcharon/plugins/unit_tester/tests.h +++ /dev/null @@ -1,30 +0,0 @@ -/* - * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup tests tests - * @{ @ingroup unit_tester - */ - -DEFINE_TEST("auth cfg", test_auth_cfg, FALSE) -DEFINE_TEST("CURL get", test_curl_get, FALSE) -DEFINE_TEST("MySQL operations", test_mysql, FALSE) -DEFINE_TEST("SQLite operations", test_sqlite, FALSE) -DEFINE_TEST("X509 certificate", test_cert_x509, FALSE) -DEFINE_TEST("Mediation database key fetch", test_med_db, FALSE) -DEFINE_TEST("IP pool", test_pool, FALSE) -DEFINE_TEST("SSH agent", test_agent, FALSE) - -/** @}*/ diff --git a/src/libcharon/plugins/unit_tester/tests/test_agent.c b/src/libcharon/plugins/unit_tester/tests/test_agent.c deleted file mode 100644 index baab629be..000000000 --- a/src/libcharon/plugins/unit_tester/tests/test_agent.c +++ /dev/null @@ -1,67 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include - -/******************************************************************************* - * SSH agent signature creation and verification - ******************************************************************************/ -bool test_agent() -{ - char *path; - chunk_t sig, data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08); - private_key_t *private; - public_key_t *public; - - path = getenv("SSH_AUTH_SOCK"); - if (!path) - { - DBG1(DBG_CFG, "ssh-agent not found."); - return FALSE; - } - - private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, - BUILD_AGENT_SOCKET, path, BUILD_END); - if (!private) - { - return FALSE; - } - if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig)) - { - return FALSE; - } - public = private->get_public_key(private); - if (!public) - { - return FALSE;; - } - if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig)) - { - return FALSE; - } - free(sig.ptr); - data.ptr[1] = 0x01; /* fake it */ - if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig)) - { - return FALSE; - } - - private->destroy(private); - public->destroy(public); - - return TRUE; -} - diff --git a/src/libcharon/plugins/unit_tester/tests/test_auth_info.c b/src/libcharon/plugins/unit_tester/tests/test_auth_info.c deleted file mode 100644 index c250c356f..000000000 --- a/src/libcharon/plugins/unit_tester/tests/test_auth_info.c +++ /dev/null @@ -1,140 +0,0 @@ -/* - * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include -#include - - -static chunk_t certchunk = chunk_from_chars( - 0x30,0x82,0x02,0xfa,0x30,0x82,0x01,0xe2,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x5a, - 0xf2,0x65,0xae,0x78,0xff,0x23,0xde,0xf7,0xa6,0xa3,0x94,0x8c,0x3f,0xa0,0xc1,0x30, - 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x39, - 0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x19,0x30, - 0x17,0x06,0x03,0x55,0x04,0x0a,0x13,0x10,0x4c,0x69,0x6e,0x75,0x78,0x20,0x73,0x74, - 0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04, - 0x03,0x13,0x06,0x6d,0x61,0x72,0x74,0x69,0x6e,0x30,0x1e,0x17,0x0d,0x30,0x37,0x30, - 0x34,0x32,0x37,0x30,0x37,0x31,0x34,0x32,0x36,0x5a,0x17,0x0d,0x31,0x32,0x30,0x34, - 0x32,0x35,0x30,0x37,0x31,0x34,0x32,0x36,0x5a,0x30,0x39,0x31,0x0b,0x30,0x09,0x06, - 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04, - 0x0a,0x13,0x10,0x4c,0x69,0x6e,0x75,0x78,0x20,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53, - 0x77,0x61,0x6e,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,0x03,0x13,0x06,0x6d,0x61, - 0x72,0x74,0x69,0x6e,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86, - 0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a, - 0x02,0x82,0x01,0x01,0x00,0xd7,0xb9,0xba,0x4d,0xe2,0x3b,0x3d,0x35,0x7a,0x3f,0x88, - 0x67,0x95,0xe7,0xfd,0x9f,0xe9,0x0a,0x0d,0x79,0x3a,0x9e,0x21,0x8f,0xcb,0xe4,0x67, - 0x24,0xae,0x0c,0xda,0xb3,0xcc,0xec,0x36,0xb4,0xa8,0x4d,0xf1,0x3d,0xad,0xe4,0x8c, - 0x63,0x92,0x54,0xb7,0xb2,0x02,0xa2,0x00,0x62,0x8b,0x04,0xac,0xa0,0x17,0xad,0x17, - 0x9a,0x05,0x0d,0xd7,0xb3,0x08,0x02,0xc5,0x26,0xcf,0xdd,0x05,0x42,0xfc,0x13,0x6d, - 0x9f,0xb1,0xf3,0x4f,0x82,0x1d,0xef,0x01,0xc9,0x91,0xea,0x37,0x1b,0x79,0x28,0xfa, - 0xbf,0x9f,0xb3,0xeb,0x82,0x4f,0x10,0xc6,0x4b,0xa4,0x08,0xf7,0x8e,0xf2,0x00,0xea, - 0x04,0x97,0x80,0x9f,0x65,0x86,0xde,0x6b,0xc7,0xda,0x83,0xfc,0xad,0x4a,0xaf,0x52, - 0x8b,0x4d,0x33,0xee,0x49,0x87,0x2f,0x3b,0x60,0x45,0x66,0x8f,0xe6,0x89,0xcc,0xb1, - 0x92,0x02,0x17,0x2b,0x7b,0x8e,0x90,0x47,0x84,0x84,0x59,0x95,0x81,0xd8,0xe0,0xf3, - 0x87,0xe0,0x04,0x09,0xfd,0xcc,0x3a,0x21,0x34,0xfa,0xec,0xbe,0xf5,0x9c,0xcf,0x55, - 0x80,0x7b,0xe3,0x75,0x9d,0x36,0x68,0xab,0x83,0xe3,0xad,0x01,0x53,0x0d,0x8a,0x9a, - 0xa6,0xb0,0x15,0xc9,0xc5,0xf8,0x9b,0x51,0x32,0xcf,0x97,0x6c,0xfe,0x4a,0x56,0x3c, - 0xc8,0x8f,0x4a,0x70,0x23,0x4f,0xf6,0xf7,0xe6,0x9f,0x09,0xcd,0x8f,0xea,0x20,0x7d, - 0x34,0xc0,0xc5,0xc0,0x34,0x06,0x6f,0x8b,0xeb,0x04,0x54,0x3f,0x0e,0xcd,0xe2,0x85, - 0xab,0x94,0x3e,0x91,0x6c,0x18,0x6f,0x96,0x5d,0xf2,0x8b,0x10,0xe9,0x90,0x43,0xb0, - 0x61,0x52,0xac,0xcf,0x75,0x02,0x03,0x01,0x00,0x01,0x30,0x0d,0x06,0x09,0x2a,0x86, - 0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x09,0x63, - 0x42,0xad,0xe5,0xa3,0xf6,0xc9,0x5d,0x08,0xf2,0x78,0x7b,0xeb,0x8a,0xef,0x50,0x00, - 0xc8,0xeb,0xe9,0x26,0x94,0xcb,0x84,0x10,0x7e,0x42,0x6b,0x86,0x38,0x57,0xa6,0x02, - 0x98,0x5a,0x2c,0x8f,0x44,0x32,0x1b,0x97,0x8c,0x7e,0x4b,0xd8,0xe8,0xe8,0x0f,0x4a, - 0xb9,0x31,0x9f,0xf6,0x9f,0x0e,0x67,0x26,0x05,0x2a,0x99,0x14,0x35,0x41,0x47,0x9a, - 0xfa,0x12,0x94,0x0b,0xe9,0x27,0x7c,0x71,0x20,0xd7,0x8d,0x3b,0x97,0x19,0x2d,0x15, - 0xff,0xa4,0xf3,0x89,0x8d,0x29,0x5f,0xf6,0x3f,0x93,0xaf,0x78,0x61,0xe4,0xe1,0x2e, - 0x75,0xc1,0x2c,0xc4,0x76,0x95,0x19,0xf8,0x37,0xdc,0xd8,0x00,0x7a,0x3c,0x0f,0x49, - 0x2e,0x88,0x09,0x16,0xb3,0x92,0x33,0xdf,0x77,0x83,0x4f,0xb5,0x9e,0x30,0x8c,0x48, - 0x1d,0xd8,0x84,0xfb,0xf1,0xb9,0xa0,0xbe,0x25,0xff,0x4c,0xeb,0xef,0x2b,0xcd,0xfa, - 0x0b,0x94,0x66,0x3b,0x28,0x08,0x3f,0x3a,0xda,0x41,0xd0,0x6b,0xab,0x5e,0xbb,0x8a, - 0x9f,0xdc,0x98,0x3e,0x59,0x37,0x48,0xbe,0x69,0xde,0x85,0x82,0xf2,0x53,0x8b,0xe4, - 0x44,0xe4,0x71,0x91,0x14,0x85,0x0e,0x1e,0x79,0xdd,0x62,0xf5,0xdc,0x25,0x89,0xab, - 0x50,0x5b,0xaa,0xae,0xe3,0x64,0x6a,0x23,0x34,0xd7,0x30,0xe2,0x2a,0xc8,0x81,0x0c, - 0xec,0xd2,0x31,0xc6,0x1e,0xb6,0xc0,0x57,0xd9,0xe1,0x14,0x06,0x9b,0xf8,0x51,0x69, - 0x47,0xf0,0x9c,0xcd,0x69,0xef,0x8e,0x5f,0x62,0xda,0x10,0xf7,0x3c,0x6d,0x0f,0x33, - 0xec,0x6f,0xfd,0x94,0x07,0x16,0x41,0x32,0x06,0xa4,0xe1,0x08,0x31,0x87, -); - -/******************************************************************************* - * auth info test - ******************************************************************************/ -bool test_auth_cfg() -{ - auth_cfg_t *auth = auth_cfg_create(), *auth2; - certificate_t *c1, *c2; - enumerator_t *enumerator; - int round = 0; - void *value; - auth_rule_t type; - - c1 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_BLOB_ASN1_DER, certchunk, - BUILD_END); - if (!c1) - { - return FALSE; - } - - auth->add(auth, AUTH_RULE_SUBJECT_CERT, c1->get_ref(c1)); - c2 = auth->get(auth, AUTH_RULE_SUBJECT_CERT); - if (!c2) - { - return FALSE; - } - if (!c1->equals(c1, c2)) - { - return FALSE; - } - - enumerator = auth->create_enumerator(auth); - while (enumerator->enumerate(enumerator, &type, &value)) - { - round++; - if (round == 1 && type == AUTH_RULE_SUBJECT_CERT && value == c1) - { - continue; - } - return FALSE; - } - enumerator->destroy(enumerator); - - auth2 = auth_cfg_create(); - auth2->add(auth2, AUTH_RULE_CA_CERT, c1->get_ref(c1)); - auth2->merge(auth2, auth, FALSE); - - round = 0; - enumerator = auth2->create_enumerator(auth2); - while (enumerator->enumerate(enumerator, &type, &value)) - { - round++; - if (round == 1 && type == AUTH_RULE_CA_CERT && value == c1) - { - continue; - } - if (round == 2 && type == AUTH_RULE_SUBJECT_CERT && value == c1) - { - continue; - } - return FALSE; - } - enumerator->destroy(enumerator); - auth->destroy(auth); - auth2->destroy(auth2); - c1->destroy(c1); - return TRUE; -} - diff --git a/src/libcharon/plugins/unit_tester/tests/test_cert.c b/src/libcharon/plugins/unit_tester/tests/test_cert.c deleted file mode 100644 index f4410a688..000000000 --- a/src/libcharon/plugins/unit_tester/tests/test_cert.c +++ /dev/null @@ -1,108 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include -#include - -/******************************************************************************* - * X509 certificate generation and parsing - ******************************************************************************/ -bool test_cert_x509() -{ - private_key_t *ca_key, *peer_key; - public_key_t *public; - certificate_t *ca_cert, *peer_cert, *parsed; - identification_t *issuer, *subject; - u_int32_t serial = htonl(0); - chunk_t encoding; - - issuer = identification_create_from_string("CN=CA, OU=Test, O=strongSwan"); - subject = identification_create_from_string("CN=Peer, OU=Test, O=strongSwan"); - - ca_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, - BUILD_KEY_SIZE, 1024, BUILD_END); - peer_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, - BUILD_KEY_SIZE, 1024, BUILD_END); - if (!ca_key) - { - return FALSE; - } - ca_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_SIGNING_KEY, ca_key, - BUILD_SUBJECT, issuer, - BUILD_SERIAL, chunk_from_thing(serial), - BUILD_X509_FLAG, X509_CA, - BUILD_END); - if (!ca_cert) - { - return FALSE; - } - - ca_cert->get_encoding(ca_cert, CERT_ASN1_DER, &encoding); - parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_BLOB_ASN1_DER, encoding, - BUILD_END); - chunk_free(&encoding); - if (!parsed) - { - return FALSE; - } - if (!parsed->issued_by(parsed, ca_cert, NULL)) - { - return FALSE; - } - parsed->destroy(parsed); - - serial = htonl(ntohl(serial) + 1); - public = peer_key->get_public_key(peer_key); - peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_SIGNING_KEY, ca_key, - BUILD_SIGNING_CERT, ca_cert, - BUILD_PUBLIC_KEY, public, - BUILD_SUBJECT, subject, - BUILD_SERIAL, chunk_from_thing(serial), - BUILD_END); - public->destroy(public); - if (!peer_cert) - { - return FALSE; - } - - peer_cert->get_encoding(peer_cert, CERT_ASN1_DER, &encoding); - parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_BLOB_ASN1_DER, encoding, - BUILD_END); - chunk_free(&encoding); - if (!parsed) - { - return FALSE; - } - if (!parsed->issued_by(parsed, ca_cert, NULL)) - { - return FALSE; - } - parsed->destroy(parsed); - - ca_cert->destroy(ca_cert); - ca_key->destroy(ca_key); - peer_cert->destroy(peer_cert); - peer_key->destroy(peer_key); - issuer->destroy(issuer); - subject->destroy(subject); - return TRUE; -} - - diff --git a/src/libcharon/plugins/unit_tester/tests/test_curl.c b/src/libcharon/plugins/unit_tester/tests/test_curl.c deleted file mode 100644 index 21656a94e..000000000 --- a/src/libcharon/plugins/unit_tester/tests/test_curl.c +++ /dev/null @@ -1,44 +0,0 @@ -/* - * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include -#include -#include - -/******************************************************************************* - * curl get test - ******************************************************************************/ - -bool test_curl_get() -{ - chunk_t chunk; - - if (lib->fetcher->fetch(lib->fetcher, "http://www.strongswan.org", - &chunk, FETCH_END) != SUCCESS) - { - return FALSE; - } - free(chunk.ptr); - - if (lib->fetcher->fetch(lib->fetcher, "http://www.google.com", - &chunk, FETCH_END) != SUCCESS) - { - return FALSE; - } - free(chunk.ptr); - return TRUE; -} - diff --git a/src/libcharon/plugins/unit_tester/tests/test_med_db.c b/src/libcharon/plugins/unit_tester/tests/test_med_db.c deleted file mode 100644 index 75244ab8f..000000000 --- a/src/libcharon/plugins/unit_tester/tests/test_med_db.c +++ /dev/null @@ -1,54 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include -#include - -#include - -/******************************************************************************* - * fetch public key from mediation database - ******************************************************************************/ - -bool test_med_db() -{ - chunk_t found, keyid = chunk_from_chars( - 0xed,0x90,0xe6,0x4f,0xec,0xa2,0x1f,0x4b, - 0x68,0x97,0x99,0x24,0x22,0xe0,0xde,0x21, - 0xb9,0xd6,0x26,0x29 - ); - identification_t *id; - enumerator_t *enumerator; - public_key_t *public; - auth_cfg_t *auth; - bool good = FALSE; - - id = identification_create_from_encoding(ID_KEY_ID, keyid); - enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, - KEY_ANY, id, NULL); - while (enumerator->enumerate(enumerator, &public, &auth)) - { - good = public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &found); - if (good) - { - good = chunk_equals(id->get_encoding(id), found); - } - } - enumerator->destroy(enumerator); - id->destroy(id); - return good; -} - diff --git a/src/libcharon/plugins/unit_tester/tests/test_mysql.c b/src/libcharon/plugins/unit_tester/tests/test_mysql.c deleted file mode 100644 index eda238623..000000000 --- a/src/libcharon/plugins/unit_tester/tests/test_mysql.c +++ /dev/null @@ -1,89 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include -#include - -/******************************************************************************* - * mysql simple test - ******************************************************************************/ -bool test_mysql() -{ - database_t *db; - char *txt = "I'm a superduper test"; - chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08); - int row; - chunk_t qdata; - char *qtxt; - bool good = FALSE; - enumerator_t *enumerator; - - db = lib->db->create(lib->db, "mysql://testuser:testpass@localhost/test"); - if (!db) - { - return FALSE; - } - if (db->execute(db, NULL, "CREATE TABLE test (" - "id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, " - "txt TEXT, data BLOB)") < 0) - { - return FALSE; - } - if (db->execute(db, &row, "INSERT INTO test (txt, data) VALUES (?,?)", - DB_TEXT, txt, DB_BLOB, data) < 0) - { - return FALSE; - } - if (row != 1) - { - return FALSE; - } - enumerator = db->query(db, "SELECT txt, data FROM test WHERE id = ?", - DB_INT, row, - DB_TEXT, DB_BLOB); - if (!enumerator) - { - return FALSE; - } - while (enumerator->enumerate(enumerator, &qtxt, &qdata)) - { - if (good) - { /* only one row */ - good = FALSE; - break; - } - if (streq(qtxt, txt) && chunk_equals(data, qdata)) - { - good = TRUE; - } - } - enumerator->destroy(enumerator); - if (!good) - { - return FALSE; - } - if (db->execute(db, NULL, "DELETE FROM test WHERE id = ?", DB_INT, row) != 1) - { - return FALSE; - } - if (db->execute(db, NULL, "DROP TABLE test") < 0) - { - return FALSE; - } - db->destroy(db); - return TRUE; -} - diff --git a/src/libcharon/plugins/unit_tester/tests/test_pool.c b/src/libcharon/plugins/unit_tester/tests/test_pool.c deleted file mode 100644 index f36953f3a..000000000 --- a/src/libcharon/plugins/unit_tester/tests/test_pool.c +++ /dev/null @@ -1,100 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include - -#include -#include -#include - -#define ALLOCS 1000 -#define THREADS 20 - -static void* testing(void *thread) -{ - int i; - host_t *addr[ALLOCS]; - identification_t *id[ALLOCS]; - linked_list_t *pools; - - /* prepare identities */ - for (i = 0; i < ALLOCS; i++) - { - char buf[256]; - - snprintf(buf, sizeof(buf), "%d-%d@strongswan.org", (uintptr_t)thread, i); - id[i] = identification_create_from_string(buf); - } - - pools = linked_list_create(); - pools->insert_last(pools, "test"); - - /* allocate addresses */ - for (i = 0; i < ALLOCS; i++) - { - addr[i] = hydra->attributes->acquire_address(hydra->attributes, - pools, id[i], NULL); - if (!addr[i]) - { - pools->destroy(pools); - return (void*)FALSE; - } - } - - /* release addresses */ - for (i = 0; i < ALLOCS; i++) - { - hydra->attributes->release_address(hydra->attributes, - pools, addr[i], id[i]); - } - - pools->destroy(pools); - - /* cleanup */ - for (i = 0; i < ALLOCS; i++) - { - addr[i]->destroy(addr[i]); - id[i]->destroy(id[i]); - } - return (void*)TRUE; -} - - -/******************************************************************************* - * SQL pool performance test - ******************************************************************************/ -bool test_pool() -{ - thread_t *threads[THREADS]; - uintptr_t i; - - for (i = 0; i < THREADS; i++) - { - if (!(threads[i] = thread_create((thread_main_t)testing, (void*)i))) - { - return FALSE; - } - } - for (i = 0; i < THREADS; i++) - { - bool *res = threads[i]->join(threads[i]); - if (!res) - { - return FALSE; - } - } - return TRUE; -} - diff --git a/src/libcharon/plugins/unit_tester/tests/test_sqlite.c b/src/libcharon/plugins/unit_tester/tests/test_sqlite.c deleted file mode 100644 index 99490b566..000000000 --- a/src/libcharon/plugins/unit_tester/tests/test_sqlite.c +++ /dev/null @@ -1,93 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include -#include - -#include - - -#define DBFILE "/tmp/strongswan-test.db" - -/******************************************************************************* - * sqlite simple test - ******************************************************************************/ -bool test_sqlite() -{ - database_t *db; - char *txt = "I'm a superduper test"; - chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08); - int row; - chunk_t qdata; - char *qtxt; - bool good = FALSE; - enumerator_t *enumerator; - - db = lib->db->create(lib->db, "sqlite://" DBFILE); - if (!db) - { - return FALSE; - } - if (db->execute(db, NULL, "CREATE TABLE test (txt TEXT, data BLOB)") < 0) - { - return FALSE; - } - if (db->execute(db, &row, "INSERT INTO test (txt, data) VALUES (?,?)", - DB_TEXT, txt, DB_BLOB, data) < 0) - { - return FALSE; - } - if (row != 1) - { - return FALSE; - } - enumerator = db->query(db, "SELECT txt, data FROM test WHERE oid = ?", - DB_INT, row, - DB_TEXT, DB_BLOB); - if (!enumerator) - { - return FALSE; - } - while (enumerator->enumerate(enumerator, &qtxt, &qdata)) - { - if (good) - { /* only one row */ - good = FALSE; - break; - } - if (streq(qtxt, txt) && chunk_equals(data, qdata)) - { - good = TRUE; - } - } - enumerator->destroy(enumerator); - if (!good) - { - return FALSE; - } - if (db->execute(db, NULL, "DELETE FROM test WHERE oid = ?", DB_INT, row) != 1) - { - return FALSE; - } - if (db->execute(db, NULL, "DROP TABLE test") < 0) - { - return FALSE; - } - db->destroy(db); - unlink(DBFILE); - return TRUE; -} - diff --git a/src/libcharon/plugins/unit_tester/unit_tester.c b/src/libcharon/plugins/unit_tester/unit_tester.c deleted file mode 100644 index ea7ffca04..000000000 --- a/src/libcharon/plugins/unit_tester/unit_tester.c +++ /dev/null @@ -1,152 +0,0 @@ -/* - * Copyright (C) 2013 Tobias Brunner - * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "unit_tester.h" - -#include - -typedef struct private_unit_tester_t private_unit_tester_t; -typedef struct unit_test_t unit_test_t; -typedef enum test_status_t test_status_t; - -/** - * private data of unit_tester - */ -struct private_unit_tester_t { - - /** - * public functions - */ - unit_tester_t public; -}; - -struct unit_test_t { - - /** - * name of the test - */ - char *name; - - /** - * test function - */ - bool (*test)(void); - - /** - * run the test? - */ - bool enabled; -}; - -#undef DEFINE_TEST -#define DEFINE_TEST(name, function, enabled) bool function(); -#include -#undef DEFINE_TEST -#define DEFINE_TEST(name, function, enabled) {name, function, enabled}, -static unit_test_t tests[] = { -#include -}; - -static void run_tests(private_unit_tester_t *this) -{ - int i, run = 0, failed = 0, success = 0, skipped = 0; - - DBG1(DBG_CFG, "running unit tests, %d tests registered", - sizeof(tests)/sizeof(unit_test_t)); - - for (i = 0; i < sizeof(tests)/sizeof(unit_test_t); i++) - { - if (tests[i].enabled) - { - run++; - if (tests[i].test()) - { - DBG1(DBG_CFG, "test '%s' successful", tests[i].name); - success++; - } - else - { - DBG1(DBG_CFG, "test '%s' failed", tests[i].name); - failed++; - } - } - else - { - DBG1(DBG_CFG, "test '%s' disabled", tests[i].name); - skipped++; - } - } - DBG1(DBG_CFG, "%d/%d tests successful (%d failed, %d disabled)", - success, run, failed, skipped); -} - -METHOD(plugin_t, get_name, char*, - private_unit_tester_t *this) -{ - return "unit-tester"; -} - -/** - * We currently don't depend explicitly on any plugin features. But in case - * activated tests depend on such features we at least try to run them in plugin - * order. - */ -static bool plugin_cb(private_unit_tester_t *this, - plugin_feature_t *feature, bool reg, void *cb_data) -{ - if (reg) - { - run_tests(this); - } - return TRUE; -} - -METHOD(plugin_t, get_features, int, - private_unit_tester_t *this, plugin_feature_t *features[]) -{ - static plugin_feature_t f[] = { - PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL), - PLUGIN_PROVIDE(CUSTOM, "unit-tester"), - }; - *features = f; - return countof(f); -} - -METHOD(plugin_t, destroy, void, - private_unit_tester_t *this) -{ - free(this); -} - -/* - * see header file - */ -plugin_t *unit_tester_plugin_create() -{ - private_unit_tester_t *this; - - INIT(this, - .public = { - .plugin = { - .get_name = _get_name, - .get_features = _get_features, - .destroy = _destroy, - }, - }, - ); - - return &this->public.plugin; -} diff --git a/src/libcharon/plugins/unit_tester/unit_tester.h b/src/libcharon/plugins/unit_tester/unit_tester.h deleted file mode 100644 index 08784f6f4..000000000 --- a/src/libcharon/plugins/unit_tester/unit_tester.h +++ /dev/null @@ -1,44 +0,0 @@ -/* - * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup unit_tester unit_tester - * @{ @ingroup cplugins - */ - -#ifndef UNIT_TESTER_H_ -#define UNIT_TESTER_H_ - -#include - -typedef struct unit_tester_t unit_tester_t; - -/** - * Unit testing plugin. - * - * The unit testing plugin runs tests on plugin initialization. Tests are - * defined in tests.h using the DEFINE_TEST macro. Implementation of the - * tests is done in the tests folder. Each test has uses a function which - * returns TRUE for success or FALSE for failure. - */ -struct unit_tester_t { - - /** - * Implements the plugin interface. - */ - plugin_t plugin; -}; - -#endif /** UNIT_TESTER_H_ @}*/ diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in index 1e04ebced..4f0a7e736 100644 --- a/src/libcharon/plugins/unity/Makefile.in +++ b/src/libcharon/plugins/unity/Makefile.in @@ -228,6 +228,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c index bcef0dc25..9fc9be61a 100644 --- a/src/libcharon/plugins/unity/unity_handler.c +++ b/src/libcharon/plugins/unity/unity_handler.c @@ -50,8 +50,8 @@ struct private_unity_handler_t { * Traffic selector entry for networks to include under a given IKE_SA */ typedef struct { - /** associated IKE_SA, unique ID */ - u_int32_t sa; + /** associated IKE_SA COOKIEs */ + ike_sa_id_t *id; /** traffic selector to include/exclude */ traffic_selector_t *ts; } entry_t; @@ -61,6 +61,7 @@ typedef struct { */ static void entry_destroy(entry_t *this) { + this->id->destroy(this->id); this->ts->destroy(this->ts); free(this); } @@ -131,9 +132,10 @@ static bool add_include(private_unity_handler_t *this, chunk_t data) while (list->remove_first(list, (void**)&ts) == SUCCESS) { INIT(entry, - .sa = ike_sa->get_unique_id(ike_sa), + .id = ike_sa->get_id(ike_sa), .ts = ts, ); + entry->id = entry->id->clone(entry->id); this->mutex->lock(this->mutex); this->include->insert_last(this->include, entry); @@ -171,7 +173,7 @@ static bool remove_include(private_unity_handler_t *this, chunk_t data) enumerator = this->include->create_enumerator(this->include); while (enumerator->enumerate(enumerator, &entry)) { - if (entry->sa == ike_sa->get_unique_id(ike_sa) && + if (entry->id->equals(entry->id, ike_sa->get_id(ike_sa)) && ts->equals(ts, entry->ts)) { this->include->remove_at(this->include, enumerator); @@ -209,8 +211,7 @@ static job_requeue_t add_exclude_async(entry_t *entry) char name[128]; host_t *host; - ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, - entry->sa, FALSE); + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, entry->id); if (ike_sa) { create_shunt_name(ike_sa, entry->ts, name, sizeof(name)); @@ -267,9 +268,10 @@ static bool add_exclude(private_unity_handler_t *this, chunk_t data) while (list->remove_first(list, (void**)&ts) == SUCCESS) { INIT(entry, - .sa = ike_sa->get_unique_id(ike_sa), + .id = ike_sa->get_id(ike_sa), .ts = ts, ); + entry->id = entry->id->clone(entry->id); /* we can't install the shunt policy yet, as we don't know the virtual IP. * Defer installation using an async callback. */ @@ -315,7 +317,7 @@ static bool remove_exclude(private_unity_handler_t *this, chunk_t data) } METHOD(attribute_handler_t, handle, bool, - private_unity_handler_t *this, identification_t *id, + private_unity_handler_t *this, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data) { switch (type) @@ -330,7 +332,7 @@ METHOD(attribute_handler_t, handle, bool, } METHOD(attribute_handler_t, release, void, - private_unity_handler_t *this, identification_t *server, + private_unity_handler_t *this, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data) { switch (type) @@ -378,10 +380,9 @@ METHOD(enumerator_t, enumerate_attributes, bool, } METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *, - unity_handler_t *this, identification_t *id, linked_list_t *vips) + unity_handler_t *this, ike_sa_t *ike_sa, linked_list_t *vips) { attribute_enumerator_t *enumerator; - ike_sa_t *ike_sa; ike_sa = charon->bus->get_sa(charon->bus); if (!ike_sa || ike_sa->get_version(ike_sa) != IKEV1 || @@ -402,7 +403,7 @@ typedef struct { /** mutex to unlock */ mutex_t *mutex; /** IKE_SA ID to filter for */ - u_int32_t id; + ike_sa_id_t *id; } include_filter_t; /** @@ -411,7 +412,7 @@ typedef struct { static bool include_filter(include_filter_t *data, entry_t **entry, traffic_selector_t **ts) { - if ((*entry)->sa == data->id) + if (data->id->equals(data->id, (*entry)->id)) { *ts = (*entry)->ts; return TRUE; @@ -429,7 +430,7 @@ static void destroy_filter(include_filter_t *data) } METHOD(unity_handler_t, create_include_enumerator, enumerator_t*, - private_unity_handler_t *this, u_int32_t id) + private_unity_handler_t *this, ike_sa_id_t *id) { include_filter_t *data; diff --git a/src/libcharon/plugins/unity/unity_handler.h b/src/libcharon/plugins/unity/unity_handler.h index 8656fd372..18efe293b 100644 --- a/src/libcharon/plugins/unity/unity_handler.h +++ b/src/libcharon/plugins/unity/unity_handler.h @@ -21,6 +21,7 @@ #ifndef UNITY_HANDLER_H_ #define UNITY_HANDLER_H_ +#include #include typedef struct unity_handler_t unity_handler_t; @@ -38,11 +39,11 @@ struct unity_handler_t { /** * Create an enumerator over Split-Include attributes received for an IKE_SA. * - * @param id IKE_SA unique ID to get Split-Includes for + * @param id IKE_SA ID to get Split-Includes for * @return enumerator over traffic_selector_t* */ enumerator_t* (*create_include_enumerator)(unity_handler_t *this, - u_int32_t id); + ike_sa_id_t *id); /** * Destroy a unity_handler_t. diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c index 52a2c7f24..227d24be8 100644 --- a/src/libcharon/plugins/unity/unity_narrow.c +++ b/src/libcharon/plugins/unity/unity_narrow.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2014 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG * @@ -16,6 +19,8 @@ #include "unity_narrow.h" #include +#include +#include typedef struct private_unity_narrow_t private_unity_narrow_t; @@ -33,6 +38,11 @@ struct private_unity_narrow_t { * Unity attribute handler */ unity_handler_t *handler; + + /** + * IKE_SAs for which we received 0.0.0.0/0 as remote traffic selector + */ + hashtable_t *wildcard_ts; }; /** @@ -65,7 +75,7 @@ static void narrow_initiator(private_unity_narrow_t *this, ike_sa_t *ike_sa, enumerator_t *enumerator; enumerator = this->handler->create_include_enumerator(this->handler, - ike_sa->get_unique_id(ike_sa)); + ike_sa->get_id(ike_sa)); while (enumerator->enumerate(enumerator, ¤t)) { if (orig == NULL) @@ -149,7 +159,7 @@ static bool has_split_includes(private_unity_narrow_t *this, ike_sa_t *ike_sa) bool has; enumerator = this->handler->create_include_enumerator(this->handler, - ike_sa->get_unique_id(ike_sa)); + ike_sa->get_id(ike_sa)); has = enumerator->enumerate(enumerator, &ts); enumerator->destroy(enumerator); @@ -191,11 +201,19 @@ METHOD(listener_t, narrow, bool, { case NARROW_INITIATOR_PRE_AUTH: case NARROW_RESPONDER: - narrow_pre(local, "us"); + if (this->wildcard_ts->get(this->wildcard_ts, ike_sa)) + { + narrow_pre(local, "us"); + + } break; case NARROW_INITIATOR_POST_AUTH: case NARROW_RESPONDER_POST: - narrow_responder_post(child_sa->get_config(child_sa), local); + if (this->wildcard_ts->get(this->wildcard_ts, ike_sa)) + { + narrow_responder_post(child_sa->get_config(child_sa), + local); + } break; default: break; @@ -205,9 +223,69 @@ METHOD(listener_t, narrow, bool, return TRUE; } +METHOD(listener_t, message, bool, + private_unity_narrow_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming, bool plain) +{ + traffic_selector_t *tsr = NULL, *wildcard; + enumerator_t *enumerator; + id_payload_t *id_payload; + payload_t *payload; + bool first = TRUE; + + if (!incoming || !plain || + message->get_exchange_type(message) != QUICK_MODE || + !ike_sa || !ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY)) + { + return TRUE; + } + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == PLV1_ID) + { + if (!first) + { + id_payload = (id_payload_t*)payload; + tsr = id_payload->get_ts(id_payload); + break; + } + first = FALSE; + } + } + enumerator->destroy(enumerator); + if (!tsr) + { + return TRUE; + } + wildcard = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535); + if (tsr->equals(tsr, wildcard)) + { + this->wildcard_ts->put(this->wildcard_ts, ike_sa, ike_sa); + } + else + { + this->wildcard_ts->remove(this->wildcard_ts, ike_sa); + } + wildcard->destroy(wildcard); + tsr->destroy(tsr); + return TRUE; +} + +METHOD(listener_t, ike_updown, bool, + private_unity_narrow_t *this, ike_sa_t *ike_sa, bool up) +{ + if (!up) + { + this->wildcard_ts->remove(this->wildcard_ts, ike_sa); + } + return TRUE; +} + METHOD(unity_narrow_t, destroy, void, private_unity_narrow_t *this) { + this->wildcard_ts->destroy(this->wildcard_ts); free(this); } @@ -222,10 +300,14 @@ unity_narrow_t *unity_narrow_create(unity_handler_t *handler) .public = { .listener = { .narrow = _narrow, + .message = _message, + .ike_updown = _ike_updown, }, .destroy = _destroy, }, .handler = handler, + .wildcard_ts = hashtable_create(hashtable_hash_ptr, + hashtable_equals_ptr, 4), ); return &this->public; diff --git a/src/libcharon/plugins/unity/unity_plugin.c b/src/libcharon/plugins/unity/unity_plugin.c index 9e4571d34..b7a3fee2e 100644 --- a/src/libcharon/plugins/unity/unity_plugin.c +++ b/src/libcharon/plugins/unity/unity_plugin.c @@ -19,7 +19,6 @@ #include "unity_provider.h" #include -#include typedef struct private_unity_plugin_t private_unity_plugin_t; @@ -63,19 +62,19 @@ static bool plugin_cb(private_unity_plugin_t *this, { if (reg) { - hydra->attributes->add_handler(hydra->attributes, - &this->handler->handler); - hydra->attributes->add_provider(hydra->attributes, - &this->provider->provider); + charon->attributes->add_handler(charon->attributes, + &this->handler->handler); + charon->attributes->add_provider(charon->attributes, + &this->provider->provider); charon->bus->add_listener(charon->bus, &this->narrower->listener); } else { charon->bus->remove_listener(charon->bus, &this->narrower->listener); - hydra->attributes->remove_handler(hydra->attributes, - &this->handler->handler); - hydra->attributes->remove_provider(hydra->attributes, - &this->provider->provider); + charon->attributes->remove_handler(charon->attributes, + &this->handler->handler); + charon->attributes->remove_provider(charon->attributes, + &this->provider->provider); } return TRUE; diff --git a/src/libcharon/plugins/unity/unity_provider.c b/src/libcharon/plugins/unity/unity_provider.c index 86f81fcfb..1e297a39e 100644 --- a/src/libcharon/plugins/unity/unity_provider.c +++ b/src/libcharon/plugins/unity/unity_provider.c @@ -135,19 +135,17 @@ static bool use_ts(traffic_selector_t *ts) } METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, - private_unity_provider_t *this, linked_list_t *pools, identification_t *id, + private_unity_provider_t *this, linked_list_t *pools, ike_sa_t *ike_sa, linked_list_t *vips) { attribute_enumerator_t *attr_enum; enumerator_t *enumerator; linked_list_t *list, *current; traffic_selector_t *ts; - ike_sa_t *ike_sa; peer_cfg_t *peer_cfg; child_cfg_t *child_cfg; - ike_sa = charon->bus->get_sa(charon->bus); - if (!ike_sa || ike_sa->get_version(ike_sa) != IKEV1 || + if (ike_sa->get_version(ike_sa) != IKEV1 || !ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY) || !vips->get_count(vips)) { diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index 834d373f3..619d17a0e 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c index 0894d2d07..72d7f7da3 100644 --- a/src/libcharon/plugins/updown/updown_handler.c +++ b/src/libcharon/plugins/updown/updown_handler.c @@ -62,19 +62,13 @@ static void attributes_destroy(attributes_t *this) } METHOD(attribute_handler_t, handle, bool, - private_updown_handler_t *this, identification_t *server, + private_updown_handler_t *this, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data) { attributes_t *current, *attr = NULL; enumerator_t *enumerator; - ike_sa_t *ike_sa; host_t *host; - ike_sa = charon->bus->get_sa(charon->bus); - if (!ike_sa) - { - return FALSE; - } switch (type) { case INTERNAL_IP4_DNS: @@ -117,12 +111,11 @@ METHOD(attribute_handler_t, handle, bool, } METHOD(attribute_handler_t, release, void, - private_updown_handler_t *this, identification_t *server, + private_updown_handler_t *this, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data) { attributes_t *attr; enumerator_t *enumerator, *servers; - ike_sa_t *ike_sa; host_t *host; bool found = FALSE; int family; @@ -139,43 +132,39 @@ METHOD(attribute_handler_t, release, void, return; } - ike_sa = charon->bus->get_sa(charon->bus); - if (ike_sa) + this->lock->write_lock(this->lock); + enumerator = this->attrs->create_enumerator(this->attrs); + while (enumerator->enumerate(enumerator, &attr)) { - this->lock->write_lock(this->lock); - enumerator = this->attrs->create_enumerator(this->attrs); - while (enumerator->enumerate(enumerator, &attr)) + if (attr->id == ike_sa->get_unique_id(ike_sa)) { - if (attr->id == ike_sa->get_unique_id(ike_sa)) + servers = attr->dns->create_enumerator(attr->dns); + while (servers->enumerate(servers, &host)) { - servers = attr->dns->create_enumerator(attr->dns); - while (servers->enumerate(servers, &host)) + if (host->get_family(host) == family && + chunk_equals(data, host->get_address(host))) { - if (host->get_family(host) == family && - chunk_equals(data, host->get_address(host))) - { - attr->dns->remove_at(attr->dns, servers); - host->destroy(host); - found = TRUE; - break; - } - } - servers->destroy(servers); - if (attr->dns->get_count(attr->dns) == 0) - { - this->attrs->remove_at(this->attrs, enumerator); - attributes_destroy(attr); + attr->dns->remove_at(attr->dns, servers); + host->destroy(host); + found = TRUE; break; } } - if (found) + servers->destroy(servers); + if (attr->dns->get_count(attr->dns) == 0) { + this->attrs->remove_at(this->attrs, enumerator); + attributes_destroy(attr); break; } } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); + if (found) + { + break; + } } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); } METHOD(updown_handler_t, create_dns_enumerator, enumerator_t*, diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c index 1d15cc55e..be65d599f 100644 --- a/src/libcharon/plugins/updown/updown_listener.c +++ b/src/libcharon/plugins/updown/updown_listener.c @@ -243,6 +243,7 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa, me = ike_sa->get_my_host(ike_sa); other = ike_sa->get_other_host(ike_sa); + push_env(envp, countof(envp), "PATH=%s", getenv("PATH")); push_env(envp, countof(envp), "PLUTO_VERSION=1.1"); is_host = my_ts->is_host(my_ts, me); if (is_host) diff --git a/src/libcharon/plugins/updown/updown_plugin.c b/src/libcharon/plugins/updown/updown_plugin.c index d30267dee..60ecfcce6 100644 --- a/src/libcharon/plugins/updown/updown_plugin.c +++ b/src/libcharon/plugins/updown/updown_plugin.c @@ -18,7 +18,6 @@ #include "updown_handler.h" #include -#include typedef struct private_updown_plugin_t private_updown_plugin_t; @@ -61,8 +60,8 @@ static bool plugin_cb(private_updown_plugin_t *this, "%s.plugins.updown.dns_handler", FALSE, lib->ns)) { this->handler = updown_handler_create(); - hydra->attributes->add_handler(hydra->attributes, - &this->handler->handler); + charon->attributes->add_handler(charon->attributes, + &this->handler->handler); } this->listener = updown_listener_create(this->handler); charon->bus->add_listener(charon->bus, &this->listener->listener); @@ -74,8 +73,8 @@ static bool plugin_cb(private_updown_plugin_t *this, if (this->handler) { this->handler->destroy(this->handler); - hydra->attributes->remove_handler(hydra->attributes, - &this->handler->handler); + charon->attributes->remove_handler(charon->attributes, + &this->handler->handler); } } return TRUE; diff --git a/src/libcharon/plugins/vici/Makefile.am b/src/libcharon/plugins/vici/Makefile.am index da71de394..b25396085 100644 --- a/src/libcharon/plugins/vici/Makefile.am +++ b/src/libcharon/plugins/vici/Makefile.am @@ -74,3 +74,7 @@ SUBDIRS = if USE_RUBY_GEMS SUBDIRS += ruby endif + +if USE_PYTHON_EGGS +SUBDIRS += python +endif diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in index 34546b905..b63226daa 100644 --- a/src/libcharon/plugins/vici/Makefile.in +++ b/src/libcharon/plugins/vici/Makefile.in @@ -81,6 +81,7 @@ host_triplet = @host@ TESTS = vici_tests$(EXEEXT) check_PROGRAMS = $(am__EXEEXT_1) @USE_RUBY_GEMS_TRUE@am__append_1 = ruby +@USE_PYTHON_EGGS_TRUE@am__append_2 = python subdir = src/libcharon/plugins/vici DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp @@ -269,7 +270,7 @@ am__tty_colors = { \ std=''; \ fi; \ } -DIST_SUBDIRS = ruby +DIST_SUBDIRS = ruby python DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -321,6 +322,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -381,10 +383,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -458,6 +462,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -571,7 +577,7 @@ vici_tests_LDADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(top_builddir)/src/libstrongswan/tests/libtest.la -SUBDIRS = $(am__append_1) +SUBDIRS = $(am__append_1) $(am__append_2) all: all-recursive .SUFFIXES: diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md index 272491052..0ce4271b0 100644 --- a/src/libcharon/plugins/vici/README.md +++ b/src/libcharon/plugins/vici/README.md @@ -145,25 +145,25 @@ the following C array: char msg[] = { /* key1 = value1 */ - 2, 4,'k','e','y','1', 0,6,'v','a','l','u','e','1', + 3, 4,'k','e','y','1', 0,6,'v','a','l','u','e','1', /* section1 */ - 0, 8,'s','e','c','t','i','o','n','1', + 1, 8,'s','e','c','t','i','o','n','1', /* sub-section */ - 0, 11,'s','u','b','-','s','e','c','t','i','o','n', + 1, 11,'s','u','b','-','s','e','c','t','i','o','n', /* key2 = value2 */ - 2, 4,'k','e','y','2', 0,6,'v','a','l','u','e','2', + 3, 4,'k','e','y','2', 0,6,'v','a','l','u','e','2', /* sub-section end */ - 1, + 2, /* list1 */ - 3, 5, 'l','i','s','t','1', + 4, 5, 'l','i','s','t','1', /* item1 */ - 4, 0,5,'i','t','e','m','1', + 5, 0,5,'i','t','e','m','1', /* item2 */ - 4, 0,5,'i','t','e','m','2', + 5, 0,5,'i','t','e','m','2', /* list1 end */ - 5, + 6, /* section1 end */ - 1, + 2, }; ## Client-initiated commands ## @@ -559,6 +559,7 @@ command. ] child-sas = { * = { + uniqueid = reqid = state = mode = @@ -820,9 +821,9 @@ during encoding. ## Connecting to the daemon ## -To create a connection to the daemon, a socket must be passed to the -_Connection_ constructor. There is no default, but on Unix systems usually -a Unix socket over _/var/run/charon.vici_ is used: +To create a connection to the daemon, a socket can be passed to the +_Connection_ constructor. If none is passed, a default Unix socket at +_/var/run/charon.vici_ is used: require "vici" require "socket" @@ -854,3 +855,73 @@ _list-conns_ command and implicitly the _list-conn_ event: For more details about the ruby gem refer to the comments in the gem source code or the generated documentation. + +# vici Python egg # + +The _vici Python egg_ is a pure Python implementation of the VICI protocol to +implement client applications. It is provided in the _python_ subdirectory, and +gets built and installed if strongSwan has been _./configure_'d with +_--enable-vici_ and _--enable-python-eggs_. + +The _vici_ module provides a _Session()_ constructor for a high level interface, +the underlying classes are usually not required to build Python applications +using VICI. The _Session_ class provides methods for the supported VICI +commands. + +To represent the VICI message data tree, the library converts the binary +encoding to Python data types. The _Session_ class takes and returns Python +objects for the exchanged message data: + * Sections get encoded as OrderedDict, containing other sections, or + * Key/Values, where the values are strings as dictionary values + * Lists get encoded as Python Lists with string values +Values that do not conform to Python dict or list get converted to strings using +str(). + +## Connecting to the daemon ## + +To create a connection to the daemon, a socket can be passed to the _Session_ +constructor. If none is passed, a default Unix socket at _/var/run/charon.vici_ +is used: + + import vici + import socket + + s = socket.socket(socket.AF_UNIX) + s.connect("/var/run/charon.vici") + v = vici.Session(s) + +## A simple client request ## + +An example to print the daemon version information is as simple as: + + ver = v.version() + + print "{daemon} {version} ({sysname}, {release}, {machine})".format(**ver) + +## A request with response iteration ## + +The _Session_ class returns an iterable Python generator for streamed events to +continuously stream objects to the caller. The following example lists all +loaded connections using the _list-conns_ command and implicitly the _list-conn_ +event: + + for conn in v.list_conns(): + for key in conn: + print key + +Please note that if the returned generator is not iterated completely, it must +be closed using _close()_. This is implicitly done when breaking from a loop, +but an explicit call may be required when directly iterating the generator with +_next()_. + +## Sorting in dictionaries ## + +In VICI, in some message trees the order of objects in dictionary matters. In +contrast to ruby Hashes, Python dictionaries do not preserve order of added +objects. It is therefore recommended to use OrderedDicts instead of the default +dictionaries. Objects returned by the library use OrderedDicts. + +## API documentation ## + +For more details about the Python egg refer to the comments in the Python source +code. diff --git a/src/libcharon/plugins/vici/libvici.c b/src/libcharon/plugins/vici/libvici.c index c0205ccb6..7c98c8b69 100644 --- a/src/libcharon/plugins/vici/libvici.c +++ b/src/libcharon/plugins/vici/libvici.c @@ -427,14 +427,8 @@ vici_res_t* vici_submit(vici_req_t *req, vici_conn_t *conn) void vici_free_req(vici_req_t *req) { - vici_message_t *message; - free(req->name); - message = req->b->finalize(req->b); - if (message) - { - message->destroy(message); - } + req->b->destroy(req->b); free(req); } diff --git a/src/libcharon/plugins/vici/python/LICENSE b/src/libcharon/plugins/vici/python/LICENSE new file mode 100644 index 000000000..111523ca8 --- /dev/null +++ b/src/libcharon/plugins/vici/python/LICENSE @@ -0,0 +1,19 @@ +Copyright (c) 2015 Björn Schuberg + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/src/libcharon/plugins/vici/python/MANIFEST.in b/src/libcharon/plugins/vici/python/MANIFEST.in new file mode 100644 index 000000000..1aba38f67 --- /dev/null +++ b/src/libcharon/plugins/vici/python/MANIFEST.in @@ -0,0 +1 @@ +include LICENSE diff --git a/src/libcharon/plugins/vici/python/Makefile.am b/src/libcharon/plugins/vici/python/Makefile.am new file mode 100644 index 000000000..f51737870 --- /dev/null +++ b/src/libcharon/plugins/vici/python/Makefile.am @@ -0,0 +1,33 @@ +EXTRA_DIST = LICENSE MANIFEST.in \ + setup.py.in \ + vici/test/__init__.py \ + vici/test/test_protocol.py \ + vici/__init__.py \ + vici/compat.py \ + vici/exception.py \ + vici/protocol.py \ + vici/session.py + +setup.py: $(srcdir)/setup.py.in + $(AM_V_GEN) sed \ + -e "s:@EGG_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/setup.py.in > $@ + +all-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg + +dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) setup.py + (cd $(srcdir); $(PYTHON) setup.py bdist_egg \ + -b $(shell readlink -f $(builddir))/build \ + -d $(shell readlink -f $(builddir))/dist) + +clean-local: setup.py + $(PYTHON) setup.py clean -a + rm -rf vici.egg-info dist setup.py + +install-exec-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg + $(EASY_INSTALL) $(PYTHONEGGINSTALLDIR) \ + dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg + +if USE_PY_TEST + TESTS = $(PY_TEST) +endif diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in new file mode 100644 index 000000000..3a5e5ea72 --- /dev/null +++ b/src/libcharon/plugins/vici/python/Makefile.in @@ -0,0 +1,686 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/vici/python +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +SOURCES = +DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red=''; \ + grn=''; \ + lgn=''; \ + blu=''; \ + mgn=''; \ + brg=''; \ + std=''; \ + fi; \ +} +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +EXTRA_DIST = LICENSE MANIFEST.in \ + setup.py.in \ + vici/test/__init__.py \ + vici/test/test_protocol.py \ + vici/__init__.py \ + vici/compat.py \ + vici/exception.py \ + vici/protocol.py \ + vici/session.py + +@USE_PY_TEST_TRUE@TESTS = $(PY_TEST) +all: all-am + +.SUFFIXES: +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/vici/python/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/vici/python/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +tags TAGS: + +ctags CTAGS: + +cscope cscopelist: + + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + $(am__tty_colors); \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + col=$$red; res=XPASS; \ + ;; \ + *) \ + col=$$grn; res=PASS; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xfail=`expr $$xfail + 1`; \ + col=$$lgn; res=XFAIL; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + col=$$red; res=FAIL; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + col=$$blu; res=SKIP; \ + fi; \ + echo "$${col}$$res$${std}: $$tst"; \ + done; \ + if test "$$all" -eq 1; then \ + tests="test"; \ + All=""; \ + else \ + tests="tests"; \ + All="All "; \ + fi; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="$$All$$all $$tests passed"; \ + else \ + if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ + banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all $$tests failed"; \ + else \ + if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ + banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + if test "$$skip" -eq 1; then \ + skipped="($$skip test was not run)"; \ + else \ + skipped="($$skip tests were not run)"; \ + fi; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + if test "$$failed" -eq 0; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + fi; \ + echo "$${col}$$dashes$${std}"; \ + echo "$${col}$$banner$${std}"; \ + test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \ + test -z "$$report" || echo "$${col}$$report$${std}"; \ + echo "$${col}$$dashes$${std}"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile all-local +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-local mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-exec-local + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: check-am install-am install-strip + +.PHONY: all all-am all-local check check-TESTS check-am clean \ + clean-generic clean-libtool clean-local cscopelist-am ctags-am \ + distclean distclean-generic distclean-libtool distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-exec-local install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags-am uninstall uninstall-am + + +setup.py: $(srcdir)/setup.py.in + $(AM_V_GEN) sed \ + -e "s:@EGG_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/setup.py.in > $@ + +all-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg + +dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) setup.py + (cd $(srcdir); $(PYTHON) setup.py bdist_egg \ + -b $(shell readlink -f $(builddir))/build \ + -d $(shell readlink -f $(builddir))/dist) + +clean-local: setup.py + $(PYTHON) setup.py clean -a + rm -rf vici.egg-info dist setup.py + +install-exec-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg + $(EASY_INSTALL) $(PYTHONEGGINSTALLDIR) \ + dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/vici/python/setup.py.in b/src/libcharon/plugins/vici/python/setup.py.in new file mode 100644 index 000000000..0e4ad8236 --- /dev/null +++ b/src/libcharon/plugins/vici/python/setup.py.in @@ -0,0 +1,34 @@ +from setuptools import setup + + +long_description = ( + "The strongSwan VICI protocol allows external application to monitor, " + "configure and control the IKE daemon charon. This python package provides " + "a native client side implementation of the VICI protocol, well suited to " + "script automated tasks in a reliable way." +) + +setup( + name="vici", + version="@EGG_VERSION@", + description="Native python interface for strongSwan VICI", + author="Bjorn Schuberg", + url="https://wiki.strongswan.org/projects/strongswan/wiki/Vici", + license="MIT", + packages=["vici"], + long_description=long_description, + include_package_data=True, + classifiers=( + "Development Status :: 3 - Alpha", + "Intended Audience :: Developers", + "Intended Audience :: System Administrators", + "License :: OSI Approved :: MIT License", + "Natural Language :: English", + "Programming Language :: Python :: 2.7", + "Programming Language :: Python :: 3.2", + "Programming Language :: Python :: 3.3", + "Programming Language :: Python :: 3.4", + "Topic :: Security", + "Topic :: Software Development :: Libraries", + ) +) diff --git a/src/libcharon/plugins/vici/python/vici/__init__.py b/src/libcharon/plugins/vici/python/vici/__init__.py new file mode 100644 index 000000000..d314325b6 --- /dev/null +++ b/src/libcharon/plugins/vici/python/vici/__init__.py @@ -0,0 +1 @@ +from .session import Session diff --git a/src/libcharon/plugins/vici/python/vici/compat.py b/src/libcharon/plugins/vici/python/vici/compat.py new file mode 100644 index 000000000..b5f46992e --- /dev/null +++ b/src/libcharon/plugins/vici/python/vici/compat.py @@ -0,0 +1,14 @@ +# Help functions for compatibility between python version 2 and 3 + + +# From http://legacy.python.org/dev/peps/pep-0469 +try: + dict.iteritems +except AttributeError: + # python 3 + def iteritems(d): + return iter(d.items()) +else: + # python 2 + def iteritems(d): + return d.iteritems() diff --git a/src/libcharon/plugins/vici/python/vici/exception.py b/src/libcharon/plugins/vici/python/vici/exception.py new file mode 100644 index 000000000..36384e556 --- /dev/null +++ b/src/libcharon/plugins/vici/python/vici/exception.py @@ -0,0 +1,10 @@ +"""Exception types that may be thrown by this library.""" + +class DeserializationException(Exception): + """Encountered an unexpected byte sequence or missing element type.""" + +class SessionException(Exception): + """Session request exception.""" + +class CommandException(Exception): + """Command result exception.""" diff --git a/src/libcharon/plugins/vici/python/vici/protocol.py b/src/libcharon/plugins/vici/python/vici/protocol.py new file mode 100644 index 000000000..855a7b2e2 --- /dev/null +++ b/src/libcharon/plugins/vici/python/vici/protocol.py @@ -0,0 +1,196 @@ +import io +import socket +import struct + +from collections import namedtuple +from collections import OrderedDict + +from .compat import iteritems +from .exception import DeserializationException + + +class Transport(object): + HEADER_LENGTH = 4 + MAX_SEGMENT = 512 * 1024 + + def __init__(self, sock): + self.socket = sock + + def send(self, packet): + self.socket.sendall(struct.pack("!I", len(packet)) + packet) + + def receive(self): + raw_length = self.socket.recv(self.HEADER_LENGTH) + length, = struct.unpack("!I", raw_length) + payload = self.socket.recv(length) + return payload + + def close(self): + self.socket.shutdown(socket.SHUT_RDWR) + self.socket.close() + + +class Packet(object): + CMD_REQUEST = 0 # Named request message + CMD_RESPONSE = 1 # Unnamed response message for a request + CMD_UNKNOWN = 2 # Unnamed response if requested command is unknown + EVENT_REGISTER = 3 # Named event registration request + EVENT_UNREGISTER = 4 # Named event de-registration request + EVENT_CONFIRM = 5 # Unnamed confirmation for event (de-)registration + EVENT_UNKNOWN = 6 # Unnamed response if event (de-)registration failed + EVENT = 7 # Named event message + + ParsedPacket = namedtuple( + "ParsedPacket", + ["response_type", "payload"] + ) + + ParsedEventPacket = namedtuple( + "ParsedEventPacket", + ["response_type", "event_type", "payload"] + ) + + @classmethod + def _named_request(cls, request_type, request, message=None): + request = request.encode() + payload = struct.pack("!BB", request_type, len(request)) + request + if message is not None: + return payload + message + else: + return payload + + @classmethod + def request(cls, command, message=None): + return cls._named_request(cls.CMD_REQUEST, command, message) + + @classmethod + def register_event(cls, event_type): + return cls._named_request(cls.EVENT_REGISTER, event_type) + + @classmethod + def unregister_event(cls, event_type): + return cls._named_request(cls.EVENT_UNREGISTER, event_type) + + @classmethod + def parse(cls, packet): + stream = FiniteStream(packet) + response_type, = struct.unpack("!B", stream.read(1)) + + if response_type == cls.EVENT: + length, = struct.unpack("!B", stream.read(1)) + event_type = stream.read(length) + return cls.ParsedEventPacket(response_type, event_type, stream) + else: + return cls.ParsedPacket(response_type, stream) + + +class Message(object): + SECTION_START = 1 # Begin a new section having a name + SECTION_END = 2 # End a previously started section + KEY_VALUE = 3 # Define a value for a named key in the section + LIST_START = 4 # Begin a named list for list items + LIST_ITEM = 5 # Define an unnamed item value in the current list + LIST_END = 6 # End a previously started list + + @classmethod + def serialize(cls, message): + def encode_named_type(marker, name): + name = name.encode() + return struct.pack("!BB", marker, len(name)) + name + + def encode_blob(value): + if not isinstance(value, bytes): + value = str(value).encode() + return struct.pack("!H", len(value)) + value + + def serialize_list(lst): + segment = bytes() + for item in lst: + segment += struct.pack("!B", cls.LIST_ITEM) + encode_blob(item) + return segment + + def serialize_dict(d): + segment = bytes() + for key, value in iteritems(d): + if isinstance(value, dict): + segment += ( + encode_named_type(cls.SECTION_START, key) + + serialize_dict(value) + + struct.pack("!B", cls.SECTION_END) + ) + elif isinstance(value, list): + segment += ( + encode_named_type(cls.LIST_START, key) + + serialize_list(value) + + struct.pack("!B", cls.LIST_END) + ) + else: + segment += ( + encode_named_type(cls.KEY_VALUE, key) + + encode_blob(value) + ) + return segment + + return serialize_dict(message) + + @classmethod + def deserialize(cls, stream): + def decode_named_type(stream): + length, = struct.unpack("!B", stream.read(1)) + return stream.read(length).decode() + + def decode_blob(stream): + length, = struct.unpack("!H", stream.read(2)) + return stream.read(length) + + def decode_list_item(stream): + marker, = struct.unpack("!B", stream.read(1)) + while marker == cls.LIST_ITEM: + yield decode_blob(stream) + marker, = struct.unpack("!B", stream.read(1)) + + if marker != cls.LIST_END: + raise DeserializationException( + "Expected end of list at {pos}".format(pos=stream.tell()) + ) + + section = OrderedDict() + section_stack = [] + while stream.has_more(): + element_type, = struct.unpack("!B", stream.read(1)) + if element_type == cls.SECTION_START: + section_name = decode_named_type(stream) + new_section = OrderedDict() + section[section_name] = new_section + section_stack.append(section) + section = new_section + + elif element_type == cls.LIST_START: + list_name = decode_named_type(stream) + section[list_name] = [item for item in decode_list_item(stream)] + + elif element_type == cls.KEY_VALUE: + key = decode_named_type(stream) + section[key] = decode_blob(stream) + + elif element_type == cls.SECTION_END: + if len(section_stack): + section = section_stack.pop() + else: + raise DeserializationException( + "Unexpected end of section at {pos}".format( + pos=stream.tell() + ) + ) + + if len(section_stack): + raise DeserializationException("Expected end of section") + return section + + +class FiniteStream(io.BytesIO): + def __len__(self): + return len(self.getvalue()) + + def has_more(self): + return self.tell() < len(self) diff --git a/src/libcharon/plugins/vici/python/vici/session.py b/src/libcharon/plugins/vici/python/vici/session.py new file mode 100644 index 000000000..dee58699d --- /dev/null +++ b/src/libcharon/plugins/vici/python/vici/session.py @@ -0,0 +1,327 @@ +import collections +import socket + +from .exception import SessionException, CommandException +from .protocol import Transport, Packet, Message + + +class Session(object): + def __init__(self, sock=None): + if sock is None: + sock = socket.socket(socket.AF_UNIX) + sock.connect("/var/run/charon.vici") + self.handler = SessionHandler(Transport(sock)) + + def version(self): + """Retrieve daemon and system specific version information. + + :return: daemon and system specific version information + :rtype: dict + """ + return self.handler.request("version") + + def stats(self): + """Retrieve IKE daemon statistics and load information. + + :return: IKE daemon statistics and load information + :rtype: dict + """ + return self.handler.request("stats") + + def reload_settings(self): + """Reload strongswan.conf settings and any plugins supporting reload. + """ + self.handler.request("reload-settings") + + def initiate(self, sa): + """Initiate an SA. + + :param sa: the SA to initiate + :type sa: dict + :return: generator for logs emitted as dict + :rtype: generator + """ + return self.handler.streamed_request("initiate", "control-log", sa) + + def terminate(self, sa): + """Terminate an SA. + + :param sa: the SA to terminate + :type sa: dict + :return: generator for logs emitted as dict + :rtype: generator + """ + return self.handler.streamed_request("terminate", "control-log", sa) + + def install(self, policy): + """Install a trap, drop or bypass policy defined by a CHILD_SA config. + + :param policy: policy to install + :type policy: dict + """ + self.handler.request("install", policy) + + def uninstall(self, policy): + """Uninstall a trap, drop or bypass policy defined by a CHILD_SA config. + + :param policy: policy to uninstall + :type policy: dict + """ + self.handler.request("uninstall", policy) + + def list_sas(self, filters=None): + """Retrieve active IKE_SAs and associated CHILD_SAs. + + :param filters: retrieve only matching IKE_SAs (optional) + :type filters: dict + :return: generator for active IKE_SAs and associated CHILD_SAs as dict + :rtype: generator + """ + return self.handler.streamed_request("list-sas", "list-sa", filters) + + def list_policies(self, filters=None): + """Retrieve installed trap, drop and bypass policies. + + :param filters: retrieve only matching policies (optional) + :type filters: dict + :return: generator for installed trap, drop and bypass policies as dict + :rtype: generator + """ + return self.handler.streamed_request("list-policies", "list-policy", + filters) + + def list_conns(self, filters=None): + """Retrieve loaded connections. + + :param filters: retrieve only matching configuration names (optional) + :type filters: dict + :return: generator for loaded connections as dict + :rtype: generator + """ + return self.handler.streamed_request("list-conns", "list-conn", + filters) + + def get_conns(self): + """Retrieve connection names loaded exclusively over vici. + + :return: connection names + :rtype: dict + """ + return self.handler.request("get-conns") + + def list_certs(self, filters=None): + """Retrieve loaded certificates. + + :param filters: retrieve only matching certificates (optional) + :type filters: dict + :return: generator for loaded certificates as dict + :rtype: generator + """ + return self.handler.streamed_request("list-certs", "list-cert", filters) + + def load_conn(self, connection): + """Load a connection definition into the daemon. + + :param connection: connection definition + :type connection: dict + """ + self.handler.request("load-conn", connection) + + def unload_conn(self, name): + """Unload a connection definition. + + :param name: connection definition name + :type name: dict + """ + self.handler.request("unload-conn", name) + + def load_cert(self, certificate): + """Load a certificate into the daemon. + + :param certificate: PEM or DER encoded certificate + :type certificate: dict + """ + self.handler.request("load-cert", certificate) + + def load_key(self, private_key): + """Load a private key into the daemon. + + :param private_key: PEM or DER encoded key + """ + self.handler.request("load-key", private_key) + + def load_shared(self, secret): + """Load a shared IKE PSK, EAP or XAuth secret into the daemon. + + :param secret: shared IKE PSK, EAP or XAuth secret + :type secret: dict + """ + self.handler.request("load-shared", secret) + + def clear_creds(self): + """Clear credentials loaded over vici. + + Clear all loaded certificate, private key and shared key credentials. + This affects only credentials loaded over vici, but additionally + flushes the credential cache. + """ + self.handler.request("clear-creds") + + def load_pool(self, pool): + """Load a virtual IP pool. + + Load an in-memory virtual IP and configuration attribute pool. + Existing pools with the same name get updated, if possible. + + :param pool: virtual IP and configuration attribute pool + :type pool: dict + """ + return self.handler.request("load-pool", pool) + + def unload_pool(self, pool_name): + """Unload a virtual IP pool. + + Unload a previously loaded virtual IP and configuration attribute pool. + Unloading fails for pools with leases currently online. + + :param pool_name: pool by name + :type pool_name: dict + """ + self.handler.request("unload-pool", pool_name) + + def get_pools(self): + """Retrieve loaded pools. + + :return: loaded pools + :rtype: dict + """ + return self.handler.request("get-pools") + + +class SessionHandler(object): + """Handles client command execution requests over vici.""" + + def __init__(self, transport): + self.transport = transport + + def _communicate(self, packet): + """Send packet over transport and parse response. + + :param packet: packet to send + :type packet: :py:class:`vici.protocol.Packet` + :return: parsed packet in a tuple with message type and payload + :rtype: :py:class:`collections.namedtuple` + """ + self.transport.send(packet) + return Packet.parse(self.transport.receive()) + + def request(self, command, message=None): + """Send request with an optional message. + + :param command: command to send + :type command: str + :param message: message (optional) + :type message: str + :return: command result + :rtype: dict + """ + if message is not None: + message = Message.serialize(message) + packet = Packet.request(command, message) + response = self._communicate(packet) + + if response.response_type != Packet.CMD_RESPONSE: + raise SessionException( + "Unexpected response type {type}, " + "expected '{response}' (CMD_RESPONSE)".format( + type=response.response_type, + response=Packet.CMD_RESPONSE + ) + ) + + command_response = Message.deserialize(response.payload) + if "success" in command_response: + if command_response["success"] != b"yes": + raise CommandException( + "Command failed: {errmsg}".format( + errmsg=command_response["errmsg"] + ) + ) + + return command_response + + def streamed_request(self, command, event_stream_type, message=None): + """Send command request and collect and return all emitted events. + + :param command: command to send + :type command: str + :param event_stream_type: event type emitted on command execution + :type event_stream_type: str + :param message: message (optional) + :type message: str + :return: generator for streamed event responses as dict + :rtype: generator + """ + if message is not None: + message = Message.serialize(message) + + # subscribe to event stream + packet = Packet.register_event(event_stream_type) + response = self._communicate(packet) + + if response.response_type != Packet.EVENT_CONFIRM: + raise SessionException( + "Unexpected response type {type}, " + "expected '{confirm}' (EVENT_CONFIRM)".format( + type=response.response_type, + confirm=Packet.EVENT_CONFIRM, + ) + ) + + # issue command, and read any event messages + packet = Packet.request(command, message) + self.transport.send(packet) + exited = False + while True: + response = Packet.parse(self.transport.receive()) + if response.response_type == Packet.EVENT: + if not exited: + try: + yield Message.deserialize(response.payload) + except GeneratorExit: + exited = True + pass + else: + break + + if response.response_type == Packet.CMD_RESPONSE: + command_response = Message.deserialize(response.payload) + else: + raise SessionException( + "Unexpected response type {type}, " + "expected '{response}' (CMD_RESPONSE)".format( + type=response.response_type, + response=Packet.CMD_RESPONSE + ) + ) + + # unsubscribe from event stream + packet = Packet.unregister_event(event_stream_type) + response = self._communicate(packet) + if response.response_type != Packet.EVENT_CONFIRM: + raise SessionException( + "Unexpected response type {type}, " + "expected '{confirm}' (EVENT_CONFIRM)".format( + type=response.response_type, + confirm=Packet.EVENT_CONFIRM, + ) + ) + + # evaluate command result, if any + if "success" in command_response: + if command_response["success"] != b"yes": + raise CommandException( + "Command failed: {errmsg}".format( + errmsg=command_response["errmsg"] + ) + ) diff --git a/src/libcharon/plugins/vici/python/vici/test/__init__.py b/src/libcharon/plugins/vici/python/vici/test/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/src/libcharon/plugins/vici/python/vici/test/test_protocol.py b/src/libcharon/plugins/vici/python/vici/test/test_protocol.py new file mode 100644 index 000000000..a1f202d79 --- /dev/null +++ b/src/libcharon/plugins/vici/python/vici/test/test_protocol.py @@ -0,0 +1,144 @@ +import pytest + +from ..protocol import Packet, Message, FiniteStream +from ..exception import DeserializationException + + +class TestPacket(object): + # test data definitions for outgoing packet types + cmd_request = b"\x00\x0c" b"command_type" + cmd_request_msg = b"\x00\x07" b"command" b"payload" + event_register = b"\x03\x0a" b"event_type" + event_unregister = b"\x04\x0a" b"event_type" + + # test data definitions for incoming packet types + cmd_response = b"\x01" b"reply" + cmd_unknown = b"\x02" + event_confirm = b"\x05" + event_unknown = b"\x06" + event = b"\x07\x03" b"log" b"message" + + def test_request(self): + assert Packet.request("command_type") == self.cmd_request + assert Packet.request("command", b"payload") == self.cmd_request_msg + + def test_register_event(self): + assert Packet.register_event("event_type") == self.event_register + + def test_unregister_event(self): + assert Packet.unregister_event("event_type") == self.event_unregister + + def test_parse(self): + parsed_cmd_response = Packet.parse(self.cmd_response) + assert parsed_cmd_response.response_type == Packet.CMD_RESPONSE + assert parsed_cmd_response.payload.getvalue() == self.cmd_response + + parsed_cmd_unknown = Packet.parse(self.cmd_unknown) + assert parsed_cmd_unknown.response_type == Packet.CMD_UNKNOWN + assert parsed_cmd_unknown.payload.getvalue() == self.cmd_unknown + + parsed_event_confirm = Packet.parse(self.event_confirm) + assert parsed_event_confirm.response_type == Packet.EVENT_CONFIRM + assert parsed_event_confirm.payload.getvalue() == self.event_confirm + + parsed_event_unknown = Packet.parse(self.event_unknown) + assert parsed_event_unknown.response_type == Packet.EVENT_UNKNOWN + assert parsed_event_unknown.payload.getvalue() == self.event_unknown + + parsed_event = Packet.parse(self.event) + assert parsed_event.response_type == Packet.EVENT + assert parsed_event.payload.getvalue() == self.event + + +class TestMessage(object): + """Message (de)serialization test.""" + + # data definitions for test of de(serialization) + # serialized messages holding a section + ser_sec_unclosed = b"\x01\x08unclosed" + ser_sec_single = b"\x01\x07section\x02" + ser_sec_nested = b"\x01\x05outer\x01\x0asubsection\x02\x02" + + # serialized messages holding a list + ser_list_invalid = b"\x04\x07invalid\x05\x00\x02e1\x02\x03sec\x06" + ser_list_0_item = b"\x04\x05empty\x06" + ser_list_1_item = b"\x04\x01l\x05\x00\x02e1\x06" + ser_list_2_item = b"\x04\x01l\x05\x00\x02e1\x05\x00\x02e2\x06" + + # serialized messages with key value pairs + ser_kv_pair = b"\x03\x03key\x00\x05value" + ser_kv_zero = b"\x03\x0azerolength\x00\x00" + + # deserialized messages holding a section + des_sec_single = { "section": {} } + des_sec_nested = { "outer": { "subsection": {} } } + + # deserialized messages holding a list + des_list_0_item = { "empty": [] } + des_list_1_item = { "l": [ b"e1" ] } + des_list_2_item = { "l": [ b"e1", b"e2" ] } + + # deserialized messages with key value pairs + des_kv_pair = { "key": b"value" } + des_kv_zero = { "zerolength": b"" } + + def test_section_serialization(self): + assert Message.serialize(self.des_sec_single) == self.ser_sec_single + assert Message.serialize(self.des_sec_nested) == self.ser_sec_nested + + def test_list_serialization(self): + assert Message.serialize(self.des_list_0_item) == self.ser_list_0_item + assert Message.serialize(self.des_list_1_item) == self.ser_list_1_item + assert Message.serialize(self.des_list_2_item) == self.ser_list_2_item + + def test_key_serialization(self): + assert Message.serialize(self.des_kv_pair) == self.ser_kv_pair + assert Message.serialize(self.des_kv_zero) == self.ser_kv_zero + + def test_section_deserialization(self): + single = Message.deserialize(FiniteStream(self.ser_sec_single)) + nested = Message.deserialize(FiniteStream(self.ser_sec_nested)) + + assert single == self.des_sec_single + assert nested == self.des_sec_nested + + with pytest.raises(DeserializationException): + Message.deserialize(FiniteStream(self.ser_sec_unclosed)) + + def test_list_deserialization(self): + l0 = Message.deserialize(FiniteStream(self.ser_list_0_item)) + l1 = Message.deserialize(FiniteStream(self.ser_list_1_item)) + l2 = Message.deserialize(FiniteStream(self.ser_list_2_item)) + + assert l0 == self.des_list_0_item + assert l1 == self.des_list_1_item + assert l2 == self.des_list_2_item + + with pytest.raises(DeserializationException): + Message.deserialize(FiniteStream(self.ser_list_invalid)) + + def test_key_deserialization(self): + pair = Message.deserialize(FiniteStream(self.ser_kv_pair)) + zerolength = Message.deserialize(FiniteStream(self.ser_kv_zero)) + + assert pair == self.des_kv_pair + assert zerolength == self.des_kv_zero + + def test_roundtrip(self): + message = { + "key1": "value1", + "section1": { + "sub-section": { + "key2": b"value2", + }, + "list1": [ "item1", "item2" ], + }, + } + serialized_message = FiniteStream(Message.serialize(message)) + deserialized_message = Message.deserialize(serialized_message) + + # ensure that list items and key values remain as undecoded bytes + deserialized_section = deserialized_message["section1"] + assert deserialized_message["key1"] == b"value1" + assert deserialized_section["sub-section"]["key2"] == b"value2" + assert deserialized_section["list1"] == [ b"item1", b"item2" ] diff --git a/src/libcharon/plugins/vici/ruby/Makefile.am b/src/libcharon/plugins/vici/ruby/Makefile.am index ce38e1c3d..3e12f86cc 100644 --- a/src/libcharon/plugins/vici/ruby/Makefile.am +++ b/src/libcharon/plugins/vici/ruby/Makefile.am @@ -5,8 +5,10 @@ vici.gemspec: $(srcdir)/vici.gemspec.in -e "s:@GEM_VERSION@:$(PACKAGE_VERSION):" \ $(srcdir)/vici.gemspec.in > $@ -vici-$(PACKAGE_VERSION).gem: vici.gemspec - $(GEM) build vici.gemspec +vici-$(PACKAGE_VERSION).gem: vici.gemspec $(EXTRA_DIST) + (cd $(srcdir); $(GEM) build $(abs_builddir)/vici.gemspec) + [ "$(srcdir)" = "$(builddir)" ] || \ + mv $(srcdir)/vici-$(PACKAGE_VERSION).gem $(builddir) all-local: vici-$(PACKAGE_VERSION).gem diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in index c8a8c11fb..f37c09ea2 100644 --- a/src/libcharon/plugins/vici/ruby/Makefile.in +++ b/src/libcharon/plugins/vici/ruby/Makefile.in @@ -142,6 +142,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -202,10 +203,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -279,6 +282,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -535,8 +540,10 @@ vici.gemspec: $(srcdir)/vici.gemspec.in -e "s:@GEM_VERSION@:$(PACKAGE_VERSION):" \ $(srcdir)/vici.gemspec.in > $@ -vici-$(PACKAGE_VERSION).gem: vici.gemspec - $(GEM) build vici.gemspec +vici-$(PACKAGE_VERSION).gem: vici.gemspec $(EXTRA_DIST) + (cd $(srcdir); $(GEM) build $(abs_builddir)/vici.gemspec) + [ "$(srcdir)" = "$(builddir)" ] || \ + mv $(srcdir)/vici-$(PACKAGE_VERSION).gem $(builddir) all-local: vici-$(PACKAGE_VERSION).gem diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb index e8a9ddca9..f87e46e69 100644 --- a/src/libcharon/plugins/vici/ruby/lib/vici.rb +++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb @@ -242,6 +242,25 @@ module Vici @events = Hash.new end + ## + # Receive data from socket, until len bytes read + def recv_all(len) + encoding = "" + while encoding.length < len do + encoding << @socket.recv(len - encoding.length) + end + encoding + end + + ## + # Send data to socket, until all bytes sent + def send_all(encoding) + len = 0 + while len < encoding.length do + len += @socket.send(encoding[len..-1], 0) + end + end + ## # Write a packet prefixed by its length over the transport socket. Type # specifies the message, the optional label and message get appended. @@ -253,15 +272,15 @@ module Vici if message encoding << message.encoding end - @socket.send([encoding.length + 1, type].pack("Nc") + encoding, 0) + send_all([encoding.length + 1, type].pack("Nc") + encoding) end ## # Read a packet from the transport socket. Returns the packet type, and # if available in the packet a label and the contained message. def read - len = @socket.recv(4).unpack("N")[0] - encoding = @socket.recv(len) + len = recv_all(4).unpack("N")[0] + encoding = recv_all(len) type = encoding.unpack("c")[0] len = 1 case type @@ -371,7 +390,10 @@ module Vici # during encoding. class Connection - def initialize(socket) + def initialize(socket = nil) + if socket == nil + socket = UNIXSocket.new("/var/run/charon.vici") + end @transp = Transport.new(socket) end diff --git a/src/libcharon/plugins/vici/ruby/vici.gemspec.in b/src/libcharon/plugins/vici/ruby/vici.gemspec.in index 5ad61c0a0..2bd2b3d88 100644 --- a/src/libcharon/plugins/vici/ruby/vici.gemspec.in +++ b/src/libcharon/plugins/vici/ruby/vici.gemspec.in @@ -2,7 +2,7 @@ Gem::Specification.new do |s| s.name = "vici" s.version = "@GEM_VERSION@" s.authors = ["Martin Willi"] - s.email = ["martin@strongswan.ch"] + s.email = ["martin@strongswan.org"] s.description = %q{ The strongSwan VICI protocol allows external application to monitor, configure and control the IKE daemon charon. This ruby gem provides a diff --git a/src/libcharon/plugins/vici/vici_attribute.c b/src/libcharon/plugins/vici/vici_attribute.c index 2178116c9..f04bae774 100644 --- a/src/libcharon/plugins/vici/vici_attribute.c +++ b/src/libcharon/plugins/vici/vici_attribute.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2014 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * @@ -93,7 +96,8 @@ static void pool_destroy(pool_t *pool) * Find an existing or not yet existing lease */ static host_t *find_addr(private_vici_attribute_t *this, linked_list_t *pools, - identification_t *id, host_t *requested, mem_pool_op_t op) + identification_t *id, host_t *requested, + mem_pool_op_t op, host_t *peer) { enumerator_t *enumerator; host_t *addr = NULL; @@ -106,7 +110,8 @@ static host_t *find_addr(private_vici_attribute_t *this, linked_list_t *pools, pool = this->pools->get(this->pools, name); if (pool) { - addr = pool->vips->acquire_address(pool->vips, id, requested, op); + addr = pool->vips->acquire_address(pool->vips, id, requested, + op, peer); if (addr) { break; @@ -119,20 +124,24 @@ static host_t *find_addr(private_vici_attribute_t *this, linked_list_t *pools, } METHOD(attribute_provider_t, acquire_address, host_t*, - private_vici_attribute_t *this, linked_list_t *pools, identification_t *id, + private_vici_attribute_t *this, linked_list_t *pools, ike_sa_t *ike_sa, host_t *requested) { - host_t *addr; + identification_t *id; + host_t *addr, *peer; + + id = ike_sa->get_other_eap_id(ike_sa); + peer = ike_sa->get_other_host(ike_sa); this->lock->read_lock(this->lock); - addr = find_addr(this, pools, id, requested, MEM_POOL_EXISTING); + addr = find_addr(this, pools, id, requested, MEM_POOL_EXISTING, peer); if (!addr) { - addr = find_addr(this, pools, id, requested, MEM_POOL_NEW); + addr = find_addr(this, pools, id, requested, MEM_POOL_NEW, peer); if (!addr) { - addr = find_addr(this, pools, id, requested, MEM_POOL_REASSIGN); + addr = find_addr(this, pools, id, requested, MEM_POOL_REASSIGN, peer); } } @@ -143,13 +152,16 @@ METHOD(attribute_provider_t, acquire_address, host_t*, METHOD(attribute_provider_t, release_address, bool, private_vici_attribute_t *this, linked_list_t *pools, host_t *address, - identification_t *id) + ike_sa_t *ike_sa) { enumerator_t *enumerator; + identification_t *id; bool found = FALSE; pool_t *pool; char *name; + id = ike_sa->get_other_eap_id(ike_sa); + this->lock->read_lock(this->lock); enumerator = pools->create_enumerator(pools); @@ -256,7 +268,7 @@ static bool have_vips_from_pool(mem_pool_t *pool, linked_list_t *vips) METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, private_vici_attribute_t *this, linked_list_t *pools, - identification_t *id, linked_list_t *vips) + ike_sa_t *ike_sa, linked_list_t *vips) { enumerator_t *enumerator; nested_data_t *data; @@ -354,6 +366,24 @@ static vici_message_t* create_reply(char *fmt, ...) return builder->finalize(builder); } +/** + * Parse a range definition of an address pool + */ +static mem_pool_t *create_pool_range(char *name, char *buf) +{ + mem_pool_t *pool; + host_t *from, *to; + + if (!host_create_from_range(buf, &from, &to)) + { + return NULL; + } + pool = mem_pool_create_range(name, from, to); + from->destroy(from); + to->destroy(to); + return pool; +} + /** * Parse callback data, passed to each callback */ @@ -490,7 +520,8 @@ CALLBACK(pool_kv, bool, if (streq(name, "addrs")) { char buf[128]; - host_t *base; + mem_pool_t *pool; + host_t *base = NULL; int bits; if (data->pool->vips) @@ -503,14 +534,22 @@ CALLBACK(pool_kv, bool, data->request->reply = create_reply("invalid addrs value"); return FALSE; } - base = host_create_from_subnet(buf, &bits); - if (!base) + pool = create_pool_range(data->name, buf); + if (!pool) + { + base = host_create_from_subnet(buf, &bits); + if (base) + { + pool = mem_pool_create(data->name, base, bits); + base->destroy(base); + } + } + if (!pool) { data->request->reply = create_reply("invalid addrs value: %s", buf); return FALSE; } - data->pool->vips = mem_pool_create(data->name, base, bits); - base->destroy(base); + data->pool->vips = pool; return TRUE; } data->request->reply = create_reply("invalid attribute: %s", name); diff --git a/src/libcharon/plugins/vici/vici_builder.c b/src/libcharon/plugins/vici/vici_builder.c index 561632049..82f12c9da 100644 --- a/src/libcharon/plugins/vici/vici_builder.c +++ b/src/libcharon/plugins/vici/vici_builder.c @@ -84,6 +84,8 @@ METHOD(vici_builder_t, add, void, if (value.len > 0xffff) { + DBG1(DBG_ENC, "vici value exceeds size limit (%zu > %u)", + value.len, 0xffff); this->error++; return; } @@ -125,24 +127,58 @@ METHOD(vici_builder_t, add, void, } } -METHOD(vici_builder_t, vadd_kv, void, - private_vici_builder_t *this, char *key, char *fmt, va_list args) +/** + * Add a list item or a key/value, if key given + */ +static void vadd_kv_or_li(private_vici_builder_t *this, char *key, + char *fmt, va_list args) { - char buf[2048]; + u_char buf[512]; + chunk_t value; ssize_t len; + va_list copy; - len = vsnprintf(buf, sizeof(buf), fmt, args); - if (len < 0 || len >= sizeof(buf)) + va_copy(copy, args); + len = vsnprintf(buf, sizeof(buf), fmt, copy); + va_end(copy); + if (len >= sizeof(buf)) { - DBG1(DBG_ENC, "vici builder format buffer exceeds limit"); + value = chunk_alloc(len + 1); + len = vsnprintf(value.ptr, value.len, fmt, args); + } + else + { + value = chunk_create(buf, len); + } + + if (len < 0) + { + DBG1(DBG_ENC, "vici builder format print failed"); this->error++; } else { - add(this, VICI_KEY_VALUE, key, chunk_create(buf, len)); + if (key) + { + add(this, VICI_KEY_VALUE, key, value); + } + else + { + add(this, VICI_LIST_ITEM, value); + } + } + if (value.ptr != buf) + { + free(value.ptr); } } +METHOD(vici_builder_t, vadd_kv, void, + private_vici_builder_t *this, char *key, char *fmt, va_list args) +{ + vadd_kv_or_li(this, key, fmt, args); +} + METHOD(vici_builder_t, add_kv, void, private_vici_builder_t *this, char *key, char *fmt, ...) { @@ -153,23 +189,10 @@ METHOD(vici_builder_t, add_kv, void, va_end(args); } - METHOD(vici_builder_t, vadd_li, void, private_vici_builder_t *this, char *fmt, va_list args) { - char buf[2048]; - ssize_t len; - - len = vsnprintf(buf, sizeof(buf), fmt, args); - if (len < 0 || len >= sizeof(buf)) - { - DBG1(DBG_ENC, "vici builder format buffer exceeds limit"); - this->error++; - } - else - { - add(this, VICI_LIST_ITEM, chunk_create(buf, len)); - } + vadd_kv_or_li(this, NULL, fmt, args); } METHOD(vici_builder_t, add_li, void, @@ -206,6 +229,13 @@ METHOD(vici_builder_t, end_list, void, add(this, VICI_LIST_END); } +METHOD(vici_builder_t, destroy, void, + private_vici_builder_t *this) +{ + this->writer->destroy(this->writer); + free(this); +} + METHOD(vici_builder_t, finalize, vici_message_t*, private_vici_builder_t *this) { @@ -215,14 +245,12 @@ METHOD(vici_builder_t, finalize, vici_message_t*, { DBG1(DBG_ENC, "vici builder error: %u errors (section: %u, list %u)", this->error, this->section, this->list); - this->writer->destroy(this->writer); - free(this); + destroy(this); return NULL; } product = vici_message_create_from_data( this->writer->extract_buf(this->writer), TRUE); - this->writer->destroy(this->writer); - free(this); + destroy(this); return product; } @@ -245,6 +273,7 @@ vici_builder_t *vici_builder_create() .begin_list = _begin_list, .end_list = _end_list, .finalize = _finalize, + .destroy = _destroy, }, .writer = bio_writer_create(0), ); diff --git a/src/libcharon/plugins/vici/vici_builder.h b/src/libcharon/plugins/vici/vici_builder.h index 5a5cc8a03..f7d21eb8f 100644 --- a/src/libcharon/plugins/vici/vici_builder.h +++ b/src/libcharon/plugins/vici/vici_builder.h @@ -119,6 +119,14 @@ struct vici_builder_t { * @return vici message, NULL on error */ vici_message_t* (*finalize)(vici_builder_t *this); + + /** + * Destroy a vici builder without finalization. + * + * Note that finalize() already destroys the message, and calling destroy() + * is required only if the message does not get finalize()d. + */ + void (*destroy)(vici_builder_t *this); }; /** diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 113d48084..649161020 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -1551,8 +1551,8 @@ static void clear_start_action(private_vici_config_t *this, enumerator_t *enumerator, *children; child_sa_t *child_sa; ike_sa_t *ike_sa; - u_int32_t reqid = 0, *del; - array_t *reqids = NULL; + u_int32_t id = 0, *del; + array_t *ids = NULL; char *name; name = child_cfg->get_name(child_cfg); @@ -1568,23 +1568,23 @@ static void clear_start_action(private_vici_config_t *this, { if (streq(name, child_sa->get_name(child_sa))) { - reqid = child_sa->get_reqid(child_sa); - array_insert_create(&reqids, ARRAY_TAIL, &reqid); + id = child_sa->get_unique_id(child_sa); + array_insert_create(&ids, ARRAY_TAIL, &id); } } children->destroy(children); } enumerator->destroy(enumerator); - if (array_count(reqids)) + if (array_count(ids)) { - while (array_remove(reqids, ARRAY_HEAD, &del)) + while (array_remove(ids, ARRAY_HEAD, &del)) { DBG1(DBG_CFG, "closing '%s' #%u", name, *del); charon->controller->terminate_child(charon->controller, *del, NULL, NULL, 0); } - array_destroy(reqids); + array_destroy(ids); } break; case ACTION_ROUTE: @@ -1601,14 +1601,14 @@ static void clear_start_action(private_vici_config_t *this, { if (streq(name, child_sa->get_name(child_sa))) { - reqid = child_sa->get_reqid(child_sa); + id = child_sa->get_reqid(child_sa); break; } } enumerator->destroy(enumerator); - if (reqid) + if (id) { - charon->traps->uninstall(charon->traps, reqid); + charon->traps->uninstall(charon->traps, id); } break; } @@ -1751,7 +1751,8 @@ CALLBACK(config_sn, bool, .fragmentation = FRAGMENTATION_NO, .unique = UNIQUE_NO, .keyingtries = 1, - .rekey_time = LFT_DEFAULT_IKE_REKEY, + .rekey_time = LFT_UNDEFINED, + .reauth_time = LFT_UNDEFINED, .over_time = LFT_UNDEFINED, .rand_time = LFT_UNDEFINED, }; @@ -1809,6 +1810,20 @@ CALLBACK(config_sn, bool, peer.local_port = charon->socket->get_port(charon->socket, FALSE); } + if (peer.rekey_time == LFT_UNDEFINED && peer.reauth_time == LFT_UNDEFINED) + { + /* apply a default rekey time if no rekey/reauth time set */ + peer.rekey_time = LFT_DEFAULT_IKE_REKEY; + peer.reauth_time = 0; + } + if (peer.rekey_time == LFT_UNDEFINED) + { + peer.rekey_time = 0; + } + if (peer.reauth_time == LFT_UNDEFINED) + { + peer.reauth_time = 0; + } if (peer.over_time == LFT_UNDEFINED) { /* default over_time to 10% of rekey/reauth time if not given */ @@ -1816,9 +1831,17 @@ CALLBACK(config_sn, bool, } if (peer.rand_time == LFT_UNDEFINED) { - /* default rand_time to over_time if not given */ - peer.rand_time = min(peer.over_time, - max(peer.rekey_time, peer.reauth_time) / 2); + /* default rand_time to over_time if not given, but don't make it + * longer than half of rekey/rauth time */ + if (peer.rekey_time && peer.reauth_time) + { + peer.rand_time = min(peer.rekey_time, peer.reauth_time); + } + else + { + peer.rand_time = max(peer.rekey_time, peer.reauth_time); + } + peer.rand_time = min(peer.over_time, peer.rand_time / 2); } log_peer_data(&peer); diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c index 292a40032..01d503644 100644 --- a/src/libcharon/plugins/vici/vici_control.c +++ b/src/libcharon/plugins/vici/vici_control.c @@ -264,11 +264,11 @@ CALLBACK(terminate, vici_message_t*, { continue; } - if (child_id && child_sa->get_reqid(child_sa) != child_id) + if (child_id && child_sa->get_unique_id(child_sa) != child_id) { continue; } - current = child_sa->get_reqid(child_sa); + current = child_sa->get_unique_id(child_sa); array_insert(ids, ARRAY_TAIL, ¤t); } csas->destroy(csas); diff --git a/src/libcharon/plugins/vici/vici_plugin.c b/src/libcharon/plugins/vici/vici_plugin.c index 8881feca9..af8bd283b 100644 --- a/src/libcharon/plugins/vici/vici_plugin.c +++ b/src/libcharon/plugins/vici/vici_plugin.c @@ -23,7 +23,6 @@ #include "vici_logger.h" #include -#include #include typedef struct private_vici_plugin_t private_vici_plugin_t; @@ -104,8 +103,8 @@ static bool register_vici(private_vici_plugin_t *this, charon->backends->add_backend(charon->backends, &this->config->backend); - hydra->attributes->add_provider(hydra->attributes, - &this->attrs->provider); + charon->attributes->add_provider(charon->attributes, + &this->attrs->provider); charon->bus->add_logger(charon->bus, &this->logger->logger); return TRUE; } @@ -114,8 +113,8 @@ static bool register_vici(private_vici_plugin_t *this, else { charon->bus->remove_logger(charon->bus, &this->logger->logger); - hydra->attributes->remove_provider(hydra->attributes, - &this->attrs->provider); + charon->attributes->remove_provider(charon->attributes, + &this->attrs->provider); charon->backends->remove_backend(charon->backends, &this->config->backend); diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index 54833abde..3e0d73cdf 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -63,11 +63,13 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b, enumerator_t *enumerator; traffic_selector_t *ts; + b->add_kv(b, "uniqueid", "%u", child->get_unique_id(child)); b->add_kv(b, "reqid", "%u", child->get_reqid(child)); b->add_kv(b, "state", "%N", child_sa_state_names, child->get_state(child)); b->add_kv(b, "mode", "%N", ipsec_mode_names, child->get_mode(child)); if (child->get_state(child) == CHILD_INSTALLED || - child->get_state(child) == CHILD_REKEYING) + child->get_state(child) == CHILD_REKEYING || + child->get_state(child) == CHILD_REKEYED) { b->add_kv(b, "protocol", "%N", protocol_id_names, child->get_protocol(child)); @@ -507,11 +509,14 @@ static void build_auth_cfgs(peer_cfg_t *peer_cfg, bool local, vici_builder_t *b) certificate_t *cert; char *str; } v; + char buf[32]; + int i = 0; enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local); while (enumerator->enumerate(enumerator, &auth)) { - b->begin_section(b, local ? "local" : "remote"); + snprintf(buf, sizeof(buf), "%s-%d", local ? "local" : "remote", ++i); + b->begin_section(b, buf); rules = auth->create_enumerator(auth); while (rules->enumerate(rules, &rule, &v)) @@ -976,10 +981,10 @@ CALLBACK(stats, vici_message_t*, struct mallinfo mi = mallinfo(); b->begin_section(b, "mallinfo"); - b->add_kv(b, "sbrk", "%d", mi.arena); - b->add_kv(b, "mmap", "%d", mi.hblkhd); - b->add_kv(b, "used", "%d", mi.uordblks); - b->add_kv(b, "free", "%d", mi.fordblks); + b->add_kv(b, "sbrk", "%u", mi.arena); + b->add_kv(b, "mmap", "%u", mi.hblkhd); + b->add_kv(b, "used", "%u", mi.uordblks); + b->add_kv(b, "free", "%u", mi.fordblks); b->end_section(b); } #endif /* HAVE_MALLINFO */ diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in index b1cc1d118..e400d9f35 100644 --- a/src/libcharon/plugins/whitelist/Makefile.in +++ b/src/libcharon/plugins/whitelist/Makefile.in @@ -236,6 +236,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in index e393ee163..a9684455d 100644 --- a/src/libcharon/plugins/xauth_eap/Makefile.in +++ b/src/libcharon/plugins/xauth_eap/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in index f0e772700..5170c924f 100644 --- a/src/libcharon/plugins/xauth_generic/Makefile.in +++ b/src/libcharon/plugins/xauth_generic/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in index a4c1aaeb2..087f5b350 100644 --- a/src/libcharon/plugins/xauth_noauth/Makefile.in +++ b/src/libcharon/plugins/xauth_noauth/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in index 296ccaa1c..29441bcb5 100644 --- a/src/libcharon/plugins/xauth_pam/Makefile.in +++ b/src/libcharon/plugins/xauth_pam/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c index fb480eee2..c8a9c17de 100644 --- a/src/libcharon/processing/jobs/adopt_children_job.c +++ b/src/libcharon/processing/jobs/adopt_children_job.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG * @@ -54,10 +57,10 @@ METHOD(job_t, execute, job_requeue_t, private_adopt_children_job_t *this) { identification_t *my_id, *other_id, *xauth; - host_t *me, *other; + host_t *me, *other, *vip; peer_cfg_t *cfg; - linked_list_t *children; - enumerator_t *enumerator, *childenum; + linked_list_t *children, *vips; + enumerator_t *enumerator, *subenum; ike_sa_id_t *id; ike_sa_t *ike_sa; child_sa_t *child_sa; @@ -81,7 +84,8 @@ METHOD(job_t, execute, job_requeue_t, charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); - /* find old SA to adopt children from */ + /* find old SA to adopt children and virtual IPs from */ + vips = linked_list_create(); children = linked_list_create(); enumerator = charon->ike_sa_manager->create_id_enumerator( charon->ike_sa_manager, my_id, xauth, @@ -102,18 +106,29 @@ METHOD(job_t, execute, job_requeue_t, other_id->equals(other_id, ike_sa->get_other_id(ike_sa)) && cfg->equals(cfg, ike_sa->get_peer_cfg(ike_sa))) { - childenum = ike_sa->create_child_sa_enumerator(ike_sa); - while (childenum->enumerate(childenum, &child_sa)) + subenum = ike_sa->create_child_sa_enumerator(ike_sa); + while (subenum->enumerate(subenum, &child_sa)) { - ike_sa->remove_child_sa(ike_sa, childenum); + ike_sa->remove_child_sa(ike_sa, subenum); children->insert_last(children, child_sa); } - childenum->destroy(childenum); - if (children->get_count(children)) + subenum->destroy(subenum); + + subenum = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE); + while (subenum->enumerate(subenum, &vip)) + { + vips->insert_last(vips, vip->clone(vip)); + } + subenum->destroy(subenum); + /* this does not release the addresses, which is good, but + * it does trigger an assign_vips(FALSE) event, so we also + * trigger one below */ + ike_sa->clear_virtual_ips(ike_sa, FALSE); + if (children->get_count(children) || vips->get_count(vips)) { DBG1(DBG_IKE, "detected reauth of existing IKE_SA, " - "adopting %d children", - children->get_count(children)); + "adopting %d children and %d virtual IPs", + children->get_count(children), vips->get_count(vips)); } ike_sa->set_state(ike_sa, IKE_DELETING); charon->bus->ike_updown(charon->bus, ike_sa, FALSE); @@ -125,7 +140,7 @@ METHOD(job_t, execute, job_requeue_t, charon->ike_sa_manager->checkin( charon->ike_sa_manager, ike_sa); } - if (children->get_count(children)) + if (children->get_count(children) || vips->get_count(vips)) { break; } @@ -140,7 +155,7 @@ METHOD(job_t, execute, job_requeue_t, xauth->destroy(xauth); cfg->destroy(cfg); - if (children->get_count(children)) + if (children->get_count(children) || vips->get_count(vips)) { /* adopt children by new SA */ ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, @@ -152,10 +167,27 @@ METHOD(job_t, execute, job_requeue_t, { ike_sa->add_child_sa(ike_sa, child_sa); } + if (vips->get_count(vips)) + { + while (vips->remove_first(vips, (void**)&vip) == SUCCESS) + { + ike_sa->add_virtual_ip(ike_sa, FALSE, vip); + vip->destroy(vip); + } + charon->bus->assign_vips(charon->bus, ike_sa, TRUE); + } charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } } children->destroy_offset(children, offsetof(child_sa_t, destroy)); + /* FIXME: If we still have addresses here it means we weren't able to + * find the new SA anymore (while not very likely during a proper + * reauthentication, this theoretically could happen because the SA is + * not locked while we search for the old one). So the addresses here + * should be released properly to avoid leaking these leases. This is + * currently not possible, though, due to the changed interface of + * release_address(), which now takes a complete IKE_SA object. */ + vips->destroy_offset(vips, offsetof(host_t, destroy)); if (array_count(this->tasks)) { diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.c b/src/libcharon/processing/jobs/delete_child_sa_job.c index 9afbac02b..0d85883be 100644 --- a/src/libcharon/processing/jobs/delete_child_sa_job.c +++ b/src/libcharon/processing/jobs/delete_child_sa_job.c @@ -30,11 +30,6 @@ struct private_delete_child_sa_job_t { */ delete_child_sa_job_t public; - /** - * reqid of the CHILD_SA - */ - u_int32_t reqid; - /** * protocol of the CHILD_SA (ESP/AH) */ @@ -45,6 +40,11 @@ struct private_delete_child_sa_job_t { */ u_int32_t spi; + /** + * SA destination address + */ + host_t *dst; + /** * Delete for an expired CHILD_SA */ @@ -54,6 +54,7 @@ struct private_delete_child_sa_job_t { METHOD(job_t, destroy, void, private_delete_child_sa_job_t *this) { + this->dst->destroy(this->dst); free(this); } @@ -62,12 +63,12 @@ METHOD(job_t, execute, job_requeue_t, { ike_sa_t *ike_sa; - ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, - this->reqid, TRUE); + ike_sa = charon->child_sa_manager->checkout(charon->child_sa_manager, + this->protocol, this->spi, this->dst, NULL); if (ike_sa == NULL) { - DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for delete", - this->reqid); + DBG1(DBG_JOB, "CHILD_SA %N/0x%08x/%H not found for delete", + protocol_id_names, this->protocol, htonl(this->spi), this->dst); } else { @@ -87,8 +88,8 @@ METHOD(job_t, get_priority, job_priority_t, /* * Described in header */ -delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, - protocol_id_t protocol, u_int32_t spi, bool expired) +delete_child_sa_job_t *delete_child_sa_job_create(protocol_id_t protocol, + u_int32_t spi, host_t *dst, bool expired) { private_delete_child_sa_job_t *this; @@ -100,12 +101,11 @@ delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, .destroy = _destroy, }, }, - .reqid = reqid, .protocol = protocol, .spi = spi, + .dst = dst->clone(dst), .expired = expired, ); return &this->public; } - diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.h b/src/libcharon/processing/jobs/delete_child_sa_job.h index be6d578bc..6fa53644c 100644 --- a/src/libcharon/processing/jobs/delete_child_sa_job.h +++ b/src/libcharon/processing/jobs/delete_child_sa_job.h @@ -44,16 +44,13 @@ struct delete_child_sa_job_t { /** * Creates a job of type DELETE_CHILD_SA. * - * The CHILD_SA is identified by its reqid, protocol (AH/ESP) and its - * inbound SPI. - * - * @param reqid reqid of the CHILD_SA, as used in kernel * @param protocol protocol of the CHILD_SA * @param spi security parameter index of the CHILD_SA + * @param dst SA destination address * @param expired TRUE if CHILD_SA already expired * @return delete_child_sa_job_t object */ -delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, - protocol_id_t protocol, u_int32_t spi, bool expired); +delete_child_sa_job_t *delete_child_sa_job_create(protocol_id_t protocol, + u_int32_t spi, host_t *dst, bool expired); #endif /** DELETE_CHILD_SA_JOB_H_ @}*/ diff --git a/src/libcharon/processing/jobs/dpd_timeout_job.c b/src/libcharon/processing/jobs/dpd_timeout_job.c index 9cdce5cab..4c88c13e2 100644 --- a/src/libcharon/processing/jobs/dpd_timeout_job.c +++ b/src/libcharon/processing/jobs/dpd_timeout_job.c @@ -63,6 +63,12 @@ METHOD(job_t, execute, job_requeue_t, this->ike_sa_id); if (ike_sa) { + if (ike_sa->get_state(ike_sa) == IKE_PASSIVE) + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + return JOB_REQUEUE_NONE; + } + use_time = ike_sa->get_statistic(ike_sa, STAT_INBOUND); enumerator = ike_sa->create_child_sa_enumerator(ike_sa); diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c index 197733979..f0f90eedf 100644 --- a/src/libcharon/processing/jobs/inactivity_job.c +++ b/src/libcharon/processing/jobs/inactivity_job.c @@ -30,9 +30,9 @@ struct private_inactivity_job_t { inactivity_job_t public; /** - * Reqid of CHILD_SA to check + * Unique CHILD_SA identifier to check */ - u_int32_t reqid; + u_int32_t id; /** * Inactivity timeout @@ -57,8 +57,8 @@ METHOD(job_t, execute, job_requeue_t, ike_sa_t *ike_sa; u_int32_t reschedule = 0; - ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, - this->reqid, TRUE); + ike_sa = charon->child_sa_manager->checkout_by_id(charon->child_sa_manager, + this->id, NULL); if (ike_sa) { enumerator_t *enumerator; @@ -69,9 +69,9 @@ METHOD(job_t, execute, job_requeue_t, status_t status = SUCCESS; enumerator = ike_sa->create_child_sa_enumerator(ike_sa); - while (enumerator->enumerate(enumerator, (void**)&child_sa)) + while (enumerator->enumerate(enumerator, &child_sa)) { - if (child_sa->get_reqid(child_sa) == this->reqid) + if (child_sa->get_unique_id(child_sa) == this->id) { time_t in, out, install, diff; @@ -136,7 +136,7 @@ METHOD(job_t, get_priority, job_priority_t, /** * See header */ -inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout, +inactivity_job_t *inactivity_job_create(u_int32_t unique_id, u_int32_t timeout, bool close_ike) { private_inactivity_job_t *this; @@ -149,7 +149,7 @@ inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout, .destroy = _destroy, }, }, - .reqid = reqid, + .id = unique_id, .timeout = timeout, .close_ike = close_ike, ); diff --git a/src/libcharon/processing/jobs/inactivity_job.h b/src/libcharon/processing/jobs/inactivity_job.h index 890f7704b..ff19fe560 100644 --- a/src/libcharon/processing/jobs/inactivity_job.h +++ b/src/libcharon/processing/jobs/inactivity_job.h @@ -42,12 +42,12 @@ struct inactivity_job_t { /** * Create a inactivity_job instance. * - * @param reqid reqid of CHILD_SA to check for inactivity + * @param unique_id unique CHILD_SA identifier to check for inactivity * @param timeout inactivity timeout in s * @param close_ike close IKE_SA if the last remaining CHILD_SA is inactive? * @return inactivity checking job */ -inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout, +inactivity_job_t *inactivity_job_create(u_int32_t unique_id, u_int32_t timeout, bool close_ike); #endif /** INACTIVITY_JOB_H_ @}*/ diff --git a/src/libcharon/processing/jobs/initiate_tasks_job.c b/src/libcharon/processing/jobs/initiate_tasks_job.c new file mode 100644 index 000000000..001e71fd1 --- /dev/null +++ b/src/libcharon/processing/jobs/initiate_tasks_job.c @@ -0,0 +1,96 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include "initiate_tasks_job.h" + +#include +#include + + +typedef struct private_initiate_tasks_job_t private_initiate_tasks_job_t; + +/** + * Private data of an initiate_tasks_job_t Object + */ +struct private_initiate_tasks_job_t { + + /** + * Public initiate_tasks_job_t interface + */ + initiate_tasks_job_t public; + + /** + * ID of the IKE_SA to trigger task initiation + */ + ike_sa_id_t *ike_sa_id; +}; + +METHOD(job_t, destroy, void, + private_initiate_tasks_job_t *this) +{ + this->ike_sa_id->destroy(this->ike_sa_id); + free(this); +} + +METHOD(job_t, execute, job_requeue_t, + private_initiate_tasks_job_t *this) +{ + ike_sa_t *ike_sa; + + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, + this->ike_sa_id); + if (ike_sa) + { + if (ike_sa->initiate(ike_sa, NULL, 0, NULL, NULL) == DESTROY_ME) + { + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, + ike_sa); + } + else + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + } + } + return JOB_REQUEUE_NONE; +} + +METHOD(job_t, get_priority, job_priority_t, + private_initiate_tasks_job_t *this) +{ + return JOB_PRIO_MEDIUM; +} + +/* + * Described in header + */ +initiate_tasks_job_t *initiate_tasks_job_create(ike_sa_id_t *ike_sa_id) +{ + private_initiate_tasks_job_t *this; + + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .get_priority = _get_priority, + .destroy = _destroy, + }, + }, + .ike_sa_id = ike_sa_id->clone(ike_sa_id), + ); + + return &this->public; +} diff --git a/src/libcharon/processing/jobs/initiate_tasks_job.h b/src/libcharon/processing/jobs/initiate_tasks_job.h new file mode 100644 index 000000000..071497843 --- /dev/null +++ b/src/libcharon/processing/jobs/initiate_tasks_job.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup initiate_tasks_job initiate_tasks_job + * @{ @ingroup cjobs + */ + +#ifndef INITIATE_TASKS_JOB_H_ +#define INITIATE_TASKS_JOB_H_ + +typedef struct initiate_tasks_job_t initiate_tasks_job_t; + +#include +#include +#include + +/** + * Job triggering initiation of any queued IKE_SA tasks. + */ +struct initiate_tasks_job_t { + + /** + * Implements job_t interface + */ + job_t job_interface; +}; + +/** + * Creates a job to trigger IKE_SA task initiation. + * + * @param ike_sa_id ID of IKE_SA to trigger tasks for (gets cloned) + * @return job instance + */ +initiate_tasks_job_t *initiate_tasks_job_create(ike_sa_id_t *ike_sa_id); + +#endif /** INITIATE_TASKS_JOB_H_ @}*/ diff --git a/src/libcharon/processing/jobs/migrate_job.c b/src/libcharon/processing/jobs/migrate_job.c index 2ebfc6714..097dbdffd 100644 --- a/src/libcharon/processing/jobs/migrate_job.c +++ b/src/libcharon/processing/jobs/migrate_job.c @@ -70,29 +70,34 @@ METHOD(job_t, destroy, void, METHOD(job_t, execute, job_requeue_t, private_migrate_job_t *this) { - ike_sa_t *ike_sa = NULL; + enumerator_t *ike_sas, *children; + ike_sa_t *ike_sa; - if (this->reqid) + ike_sas = charon->ike_sa_manager->create_enumerator(charon->ike_sa_manager, + TRUE); + while (ike_sas->enumerate(ike_sas, &ike_sa)) { - ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, - this->reqid, TRUE); - } - if (ike_sa) - { - enumerator_t *children, *enumerator; - child_sa_t *child_sa; - host_t *host; + child_sa_t *current, *child_sa = NULL; linked_list_t *vips; + status_t status; + host_t *host; children = ike_sa->create_child_sa_enumerator(ike_sa); - while (children->enumerate(children, (void**)&child_sa)) + while (children->enumerate(children, ¤t)) { - if (child_sa->get_reqid(child_sa) == this->reqid) + if (current->get_reqid(current) == this->reqid) { + child_sa = current; break; } } children->destroy(children); + + if (!child_sa) + { + continue; + } + DBG2(DBG_JOB, "found CHILD_SA with reqid {%d}", this->reqid); ike_sa->set_kmaddress(ike_sa, this->local, this->remote); @@ -105,27 +110,28 @@ METHOD(job_t, execute, job_requeue_t, host->set_port(host, IKEV2_UDP_PORT); ike_sa->set_other_host(ike_sa, host); - vips = linked_list_create(); - enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE); - while (enumerator->enumerate(enumerator, &host)) - { - vips->insert_last(vips, host); - } - enumerator->destroy(enumerator); + vips = linked_list_create_from_enumerator( + ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE)); - if (child_sa->update(child_sa, this->local, this->remote, vips, - ike_sa->has_condition(ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED) + status = child_sa->update(child_sa, this->local, this->remote, vips, + ike_sa->has_condition(ike_sa, COND_NAT_ANY)); + switch (status) { - ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa), - child_sa->get_spi(child_sa, TRUE)); + case NOT_SUPPORTED: + ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa), + child_sa->get_spi(child_sa, TRUE)); + break; + case SUCCESS: + charon->child_sa_manager->remove(charon->child_sa_manager, + child_sa); + charon->child_sa_manager->add(charon->child_sa_manager, + child_sa, ike_sa); + default: + break; } - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); vips->destroy(vips); } - else - { - DBG1(DBG_JOB, "no CHILD_SA found with reqid {%d}", this->reqid); - } + ike_sas->destroy(ike_sas); return JOB_REQUEUE_NONE; } diff --git a/src/libcharon/processing/jobs/migrate_job.h b/src/libcharon/processing/jobs/migrate_job.h index 30c0ad0ac..0f2b9aaad 100644 --- a/src/libcharon/processing/jobs/migrate_job.h +++ b/src/libcharon/processing/jobs/migrate_job.h @@ -46,7 +46,7 @@ struct migrate_job_t { * * We use the reqid or the traffic selectors to find a matching CHILD_SA. * - * @param reqid reqid of the CHILD_SA to acquire + * @param reqid reqid of the CHILD_SA to migrate * @param src_ts source traffic selector to be used in the policy * @param dst_ts destination traffic selector to be used in the policy * @param dir direction of the policy (in|out) diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.c b/src/libcharon/processing/jobs/rekey_child_sa_job.c index 1bf8dc0cb..8f17d39ab 100644 --- a/src/libcharon/processing/jobs/rekey_child_sa_job.c +++ b/src/libcharon/processing/jobs/rekey_child_sa_job.c @@ -24,16 +24,12 @@ typedef struct private_rekey_child_sa_job_t private_rekey_child_sa_job_t; * Private data of an rekey_child_sa_job_t object. */ struct private_rekey_child_sa_job_t { + /** * Public rekey_child_sa_job_t interface. */ rekey_child_sa_job_t public; - /** - * reqid of the child to rekey - */ - u_int32_t reqid; - /** * protocol of the CHILD_SA (ESP/AH) */ @@ -43,11 +39,17 @@ struct private_rekey_child_sa_job_t { * inbound SPI of the CHILD_SA */ u_int32_t spi; + + /** + * SA destination address + */ + host_t *dst; }; METHOD(job_t, destroy, void, private_rekey_child_sa_job_t *this) { + this->dst->destroy(this->dst); free(this); } @@ -56,12 +58,12 @@ METHOD(job_t, execute, job_requeue_t, { ike_sa_t *ike_sa; - ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, - this->reqid, TRUE); + ike_sa = charon->child_sa_manager->checkout(charon->child_sa_manager, + this->protocol, this->spi, this->dst, NULL); if (ike_sa == NULL) { - DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for rekeying", - this->reqid); + DBG1(DBG_JOB, "CHILD_SA %N/0x%08x/%H not found for rekey", + protocol_id_names, this->protocol, htonl(this->spi), this->dst); } else { @@ -80,9 +82,8 @@ METHOD(job_t, get_priority, job_priority_t, /* * Described in header */ -rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, - protocol_id_t protocol, - u_int32_t spi) +rekey_child_sa_job_t *rekey_child_sa_job_create(protocol_id_t protocol, + u_int32_t spi, host_t *dst) { private_rekey_child_sa_job_t *this; @@ -94,9 +95,9 @@ rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, .destroy = _destroy, }, }, - .reqid = reqid, .protocol = protocol, .spi = spi, + .dst = dst->clone(dst), ); return &this->public; diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.h b/src/libcharon/processing/jobs/rekey_child_sa_job.h index fcbe65a06..364bb5ae7 100644 --- a/src/libcharon/processing/jobs/rekey_child_sa_job.h +++ b/src/libcharon/processing/jobs/rekey_child_sa_job.h @@ -43,15 +43,11 @@ struct rekey_child_sa_job_t { /** * Creates a job of type REKEY_CHILD_SA. * - * The CHILD_SA is identified by its protocol (AH/ESP) and its - * inbound SPI. - * - * @param reqid reqid of the CHILD_SA to rekey * @param protocol protocol of the CHILD_SA * @param spi security parameter index of the CHILD_SA + * @param dst SA destination address * @return rekey_child_sa_job_t object */ -rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, - protocol_id_t protocol, - u_int32_t spi); +rekey_child_sa_job_t *rekey_child_sa_job_create(protocol_id_t protocol, + u_int32_t spi, host_t *dst); #endif /** REKEY_CHILD_SA_JOB_H_ @}*/ diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.c b/src/libcharon/processing/jobs/rekey_ike_sa_job.c index 516dc5dd5..403d826a3 100644 --- a/src/libcharon/processing/jobs/rekey_ike_sa_job.c +++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.c @@ -67,7 +67,8 @@ static u_int32_t get_retry_delay(ike_sa_t *ike_sa) enumerator = ike_sa->create_child_sa_enumerator(ike_sa); while (enumerator->enumerate(enumerator, &child_sa)) { - if (child_sa->get_state(child_sa) != CHILD_INSTALLED) + if (child_sa->get_state(child_sa) != CHILD_INSTALLED && + child_sa->get_state(child_sa) != CHILD_REKEYED) { retry = RETRY_INTERVAL - (random() % RETRY_JITTER); DBG1(DBG_IKE, "unable to reauthenticate in CHILD_SA %N state, " diff --git a/src/libcharon/processing/jobs/update_sa_job.c b/src/libcharon/processing/jobs/update_sa_job.c index e6d7da2c6..862506d90 100644 --- a/src/libcharon/processing/jobs/update_sa_job.c +++ b/src/libcharon/processing/jobs/update_sa_job.c @@ -27,15 +27,26 @@ typedef struct private_update_sa_job_t private_update_sa_job_t; * Private data of an update_sa_job_t Object */ struct private_update_sa_job_t { + /** * public update_sa_job_t interface */ update_sa_job_t public; /** - * reqid of the CHILD_SA + * protocol of the CHILD_SA (ESP/AH) + */ + protocol_id_t protocol; + + /** + * SPI of the CHILD_SA */ - u_int32_t reqid; + u_int32_t spi; + + /** + * Old SA destination address + */ + host_t *dst; /** * New SA address and port @@ -46,6 +57,7 @@ struct private_update_sa_job_t { METHOD(job_t, destroy, void, private_update_sa_job_t *this) { + this->dst->destroy(this->dst); this->new->destroy(this->new); free(this); } @@ -55,11 +67,12 @@ METHOD(job_t, execute, job_requeue_t, { ike_sa_t *ike_sa; - ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, - this->reqid, TRUE); + ike_sa = charon->child_sa_manager->checkout(charon->child_sa_manager, + this->protocol, this->spi, this->dst, NULL); if (ike_sa == NULL) { - DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for update", this->reqid); + DBG1(DBG_JOB, "CHILD_SA %N/0x%08x/%H not found for update", + protocol_id_names, this->protocol, htonl(this->spi), this->dst); } else { @@ -78,7 +91,8 @@ METHOD(job_t, get_priority, job_priority_t, /* * Described in header */ -update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new) +update_sa_job_t *update_sa_job_create(protocol_id_t protocol, + u_int32_t spi, host_t *dst, host_t *new) { private_update_sa_job_t *this; @@ -90,10 +104,11 @@ update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new) .destroy = _destroy, }, }, - .reqid = reqid, - .new = new, + .protocol = protocol, + .spi = spi, + .dst = dst->clone(dst), + .new = new->clone(new), ); return &this->public; } - diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h index 55a3df83e..9c19f5b6e 100644 --- a/src/libcharon/processing/jobs/update_sa_job.h +++ b/src/libcharon/processing/jobs/update_sa_job.h @@ -26,6 +26,7 @@ typedef struct update_sa_job_t update_sa_job_t; #include #include #include +#include /** * Update the addresses of an IKE and its CHILD_SAs. @@ -41,10 +42,13 @@ struct update_sa_job_t { /** * Creates a job to update IKE and CHILD_SA addresses. * - * @param reqid reqid of the CHILD_SA + * @param protocol IPsec protocol of SA to update + * @param spi SPI of SA to update + * @param dst old destination host of SA to update * @param new new address and port * @return update_sa_job_t object */ -update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new); +update_sa_job_t *update_sa_job_create(protocol_id_t protocol, + u_int32_t spi, host_t *dst, host_t *new); #endif /** UPDATE_SA_JOB_H_ @}*/ diff --git a/src/libcharon/sa/authenticator.c b/src/libcharon/sa/authenticator.c index 8571274ac..6c3681a2d 100644 --- a/src/libcharon/sa/authenticator.c +++ b/src/libcharon/sa/authenticator.c @@ -31,12 +31,14 @@ ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS, "RSA signature", "pre-shared key", "DSS signature"); -ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_GSPM, AUTH_DSS, +ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_DS, AUTH_DSS, "ECDSA-256 signature", "ECDSA-384 signature", "ECDSA-521 signature", - "secure password method"); -ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_GSPM, + "secure password method", + "NULL authentication", + "digital signature"); +ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_DS, "XAuthInitPSK", "XAuthRespPSK", "XAuthInitRSA", @@ -99,6 +101,7 @@ authenticator_t *authenticator_create_verifier( case AUTH_ECDSA_256: case AUTH_ECDSA_384: case AUTH_ECDSA_521: + case AUTH_DS: return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa, sent_nonce, received_init, reserved); case AUTH_PSK: diff --git a/src/libcharon/sa/authenticator.h b/src/libcharon/sa/authenticator.h index 914f42d9d..97c042e71 100644 --- a/src/libcharon/sa/authenticator.h +++ b/src/libcharon/sa/authenticator.h @@ -79,6 +79,16 @@ enum auth_method_t { */ AUTH_GSPM = 12, + /** + * NULL Authentication Method as specified in draft-ietf-ipsecme-ikev2-null-auth + */ + AUTH_NULL = 13, + + /** + * Digital Signature as specified in RFC 7427 + */ + AUTH_DS = 14, + /** * IKEv1 initiator XAUTH with PSK, outside of IANA range */ diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index a96ab4e90..e0db2e655 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -34,6 +34,8 @@ ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING, "INSTALLED", "UPDATING", "REKEYING", + "REKEYED", + "RETRYING", "DELETING", "DESTROYING", ); @@ -99,6 +101,16 @@ struct private_child_sa_t { */ u_int32_t reqid; + /** + * Did we allocate/confirm and must release the reqid? + */ + bool reqid_allocated; + + /* + * Unique CHILD_SA identifier + */ + u_int32_t unique_id; + /** * inbound mark used for this child_sa */ @@ -228,6 +240,12 @@ METHOD(child_sa_t, get_reqid, u_int32_t, return this->reqid; } +METHOD(child_sa_t, get_unique_id, u_int32_t, + private_child_sa_t *this) +{ + return this->unique_id; +} + METHOD(child_sa_t, get_config, child_cfg_t*, private_child_sa_t *this) { @@ -602,7 +620,7 @@ METHOD(child_sa_t, alloc_spi, u_int32_t, { if (hydra->kernel_interface->get_spi(hydra->kernel_interface, this->other_addr, this->my_addr, - proto_ike2ip(protocol), this->reqid, + proto_ike2ip(protocol), &this->my_spi) == SUCCESS) { /* if we allocate a SPI, but then are unable to establish the SA, we @@ -618,7 +636,7 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t, { if (hydra->kernel_interface->get_cpi(hydra->kernel_interface, this->other_addr, this->my_addr, - this->reqid, &this->my_cpi) == SUCCESS) + &this->my_cpi) == SUCCESS) { return this->my_cpi; } @@ -632,7 +650,7 @@ METHOD(child_sa_t, install, status_t, { u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size; u_int16_t esn = NO_EXT_SEQ_NUMBERS; - traffic_selector_t *src_ts = NULL, *dst_ts = NULL; + linked_list_t *src_ts = NULL, *dst_ts = NULL; time_t now; lifetime_cfg_t *lifetime; u_int32_t tfc = 0; @@ -680,6 +698,18 @@ METHOD(child_sa_t, install, status_t, this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS, &esn, NULL); + if (!this->reqid_allocated) + { + status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface, + my_ts, other_ts, this->mark_in, this->mark_out, + &this->reqid); + if (status != SUCCESS) + { + return status; + } + this->reqid_allocated = TRUE; + } + lifetime = this->config->get_lifetime(this->config); now = time_monotonic(NULL); @@ -704,18 +734,16 @@ METHOD(child_sa_t, install, status_t, lifetime->time.rekey = 0; } - /* BEET requires the bound address from the traffic selectors. - * TODO: We add just the first traffic selector for now, as the - * kernel accepts a single TS per SA only */ + /* BEET requires the bound address from the traffic selectors */ if (inbound) { - my_ts->get_first(my_ts, (void**)&dst_ts); - other_ts->get_first(other_ts, (void**)&src_ts); + dst_ts = my_ts; + src_ts = other_ts; } else { - my_ts->get_first(my_ts, (void**)&src_ts); - other_ts->get_first(other_ts, (void**)&dst_ts); + src_ts = my_ts; + dst_ts = other_ts; } status = hydra->kernel_interface->add_sa(hydra->kernel_interface, @@ -723,7 +751,7 @@ METHOD(child_sa_t, install, status_t, inbound ? this->mark_in : this->mark_out, tfc, lifetime, enc_alg, encr, int_alg, integ, this->mode, this->ipcomp, cpi, this->config->get_replay_window(this->config), - initiator, this->encap, esn, update, src_ts, dst_ts); + initiator, this->encap, esn, inbound, update, src_ts, dst_ts); free(lifetime); @@ -798,6 +826,19 @@ METHOD(child_sa_t, add_policies, status_t, traffic_selector_t *my_ts, *other_ts; status_t status = SUCCESS; + if (!this->reqid_allocated) + { + /* trap policy, get or confirm reqid */ + status = hydra->kernel_interface->alloc_reqid( + hydra->kernel_interface, my_ts_list, other_ts_list, + this->mark_in, this->mark_out, &this->reqid); + if (status != SUCCESS) + { + return status; + } + this->reqid_allocated = TRUE; + } + /* apply traffic selectors */ enumerator = my_ts_list->create_enumerator(my_ts_list); while (enumerator->enumerate(enumerator, &my_ts)) @@ -805,12 +846,15 @@ METHOD(child_sa_t, add_policies, status_t, array_insert(this->my_ts, ARRAY_TAIL, my_ts->clone(my_ts)); } enumerator->destroy(enumerator); + array_sort(this->my_ts, (void*)traffic_selector_cmp, NULL); + enumerator = other_ts_list->create_enumerator(other_ts_list); while (enumerator->enumerate(enumerator, &other_ts)) { array_insert(this->other_ts, ARRAY_TAIL, other_ts->clone(other_ts)); } enumerator->destroy(enumerator); + array_sort(this->other_ts, (void*)traffic_selector_cmp, NULL); if (this->config->install_policy(this->config)) { @@ -1071,6 +1115,22 @@ METHOD(child_sa_t, destroy, void, set_state(this, CHILD_DESTROYING); + if (this->config->install_policy(this->config)) + { + /* delete all policies in the kernel */ + enumerator = create_policy_enumerator(this); + while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) + { + del_policies_internal(this, my_ts, other_ts, priority); + if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update()) + { + del_policies_internal(this, my_ts, other_ts, + POLICY_PRIORITY_FALLBACK); + } + } + enumerator->destroy(enumerator); + } + /* delete SAs in the kernel, if they are set up */ if (this->my_spi) { @@ -1087,20 +1147,13 @@ METHOD(child_sa_t, destroy, void, this->mark_out); } - if (this->config->install_policy(this->config)) + if (this->reqid_allocated) { - /* delete all policies in the kernel */ - enumerator = create_policy_enumerator(this); - while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) + if (hydra->kernel_interface->release_reqid(hydra->kernel_interface, + this->reqid, this->mark_in, this->mark_out) != SUCCESS) { - del_policies_internal(this, my_ts, other_ts, priority); - if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update()) - { - del_policies_internal(this, my_ts, other_ts, - POLICY_PRIORITY_FALLBACK); - } + DBG1(DBG_CHD, "releasing reqid %u failed", this->reqid); } - enumerator->destroy(enumerator); } array_destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy)); @@ -1151,15 +1204,17 @@ static host_t* get_proxy_addr(child_cfg_t *config, host_t *ike, bool local) * Described in header. */ child_sa_t * child_sa_create(host_t *me, host_t* other, - child_cfg_t *config, u_int32_t rekey, bool encap) + child_cfg_t *config, u_int32_t rekey, bool encap, + u_int mark_in, u_int mark_out) { - static refcount_t reqid = 0; private_child_sa_t *this; + static refcount_t unique_id = 0, unique_mark = 0, mark; INIT(this, .public = { .get_name = _get_name, .get_reqid = _get_reqid, + .get_unique_id = _get_unique_id, .get_config = _get_config, .get_state = _get_state, .set_state = _set_state, @@ -1201,6 +1256,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, .close_action = config->get_close_action(config), .dpd_action = config->get_dpd_action(config), .reqid = config->get_reqid(config), + .unique_id = ref_get(&unique_id), .mark_in = config->get_mark(config, TRUE), .mark_out = config->get_mark(config, FALSE), .install_time = time_monotonic(NULL), @@ -1209,9 +1265,37 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->config = config; config->get_ref(config); + if (mark_in) + { + this->mark_in.value = mark_in; + } + if (mark_out) + { + this->mark_out.value = mark_out; + } + if (this->mark_in.value == MARK_UNIQUE || + this->mark_out.value == MARK_UNIQUE) + { + mark = ref_get(&unique_mark); + if (this->mark_in.value == MARK_UNIQUE) + { + this->mark_in.value = mark; + } + if (this->mark_out.value == MARK_UNIQUE) + { + this->mark_out.value = mark; + } + } + if (!this->reqid) { - /* reuse old reqid if we are rekeying an existing CHILD_SA */ + /* reuse old reqid if we are rekeying an existing CHILD_SA. While the + * reqid cache would find the same reqid for our selectors, this does + * not work in a special case: If an SA is triggered by a trap policy, + * but the negotiated SA gets narrowed, we still must reuse the same + * reqid to successfully "trigger" the SA on the kernel level. Rekeying + * such an SA requires an explicit reqid, as the cache currently knows + * the original selectors only for that reqid. */ if (rekey) { this->reqid = rekey; @@ -1219,22 +1303,9 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, else { this->reqid = charon->traps->find_reqid(charon->traps, config); - if (!this->reqid) - { - this->reqid = ref_get(&reqid); - } } } - if (this->mark_in.value == MARK_REQID) - { - this->mark_in.value = this->reqid; - } - if (this->mark_out.value == MARK_REQID) - { - this->mark_out.value = this->reqid; - } - /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */ if (config->get_mode(config) == MODE_TRANSPORT && config->use_proxy_mode(config)) diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h index a0c6c357f..debe8eb2c 100644 --- a/src/libcharon/sa/child_sa.h +++ b/src/libcharon/sa/child_sa.h @@ -67,6 +67,16 @@ enum child_sa_state_t { */ CHILD_REKEYING, + /** + * CHILD_SA that was rekeyed, but stays installed + */ + CHILD_REKEYED, + + /** + * CHILD_SA negotiation failed, but gets retried + */ + CHILD_RETRYING, + /** * CHILD_SA in progress of delete */ @@ -120,6 +130,16 @@ struct child_sa_t { */ u_int32_t (*get_reqid)(child_sa_t *this); + /** + * Get the unique numerical identifier for this CHILD_SA. + * + * While the same reqid might be shared between multiple SAs, the unique_id + * is truly unique for all CHILD_SA instances. + * + * @return unique CHILD_SA identifier + */ + u_int32_t (*get_unique_id)(child_sa_t *this); + /** * Get the config used to set up this child sa. * @@ -379,9 +399,12 @@ struct child_sa_t { * @param config config to use for this CHILD_SA * @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise * @param encap TRUE to enable UDP encapsulation (NAT traversal) + * @param mark_in explicit inbound mark value to use, 0 for config + * @param mark_out explicit outbound mark value to use, 0 for config * @return child_sa_t object */ child_sa_t * child_sa_create(host_t *me, host_t *other, child_cfg_t *config, - u_int32_t reqid, bool encap); + u_int32_t reqid, bool encap, + u_int mark_in, u_int mark_out); #endif /** CHILD_SA_H_ @}*/ diff --git a/src/libcharon/sa/child_sa_manager.c b/src/libcharon/sa/child_sa_manager.c new file mode 100644 index 000000000..071a119da --- /dev/null +++ b/src/libcharon/sa/child_sa_manager.c @@ -0,0 +1,333 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "child_sa_manager.h" + +#include +#include +#include + +typedef struct private_child_sa_manager_t private_child_sa_manager_t; + +/** + * Private data of an child_sa_manager_t object. + */ +struct private_child_sa_manager_t { + + /** + * Public child_sa_manager_t interface. + */ + child_sa_manager_t public; + + /** + * CHILD_SAs by inbound SPI/dst, child_entry_t => child_entry_t + */ + hashtable_t *in; + + /** + * CHILD_SAs by outbound SPI/dst, child_entry_t => child_entry_t + */ + hashtable_t *out; + + /** + * CHILD_SAs by unique ID, child_entry_t => child_entry_t + */ + hashtable_t *ids; + + /** + * Mutex to access any hashtable + */ + mutex_t *mutex; +}; + +/** + * Hashtable entry for a known CHILD_SA + */ +typedef struct { + /** the associated IKE_SA */ + ike_sa_id_t *ike_id; + /** unique CHILD_SA identifier */ + u_int32_t unique_id; + /** inbound SPI */ + u_int32_t spi_in; + /** outbound SPI */ + u_int32_t spi_out; + /** inbound host address */ + host_t *host_in; + /** outbound host address and port */ + host_t *host_out; + /** IPsec protocol, AH|ESP */ + protocol_id_t proto; +} child_entry_t; + +/** + * Destroy a CHILD_SA entry + */ +static void child_entry_destroy(child_entry_t *entry) +{ + entry->ike_id->destroy(entry->ike_id); + entry->host_in->destroy(entry->host_in); + entry->host_out->destroy(entry->host_out); + free(entry); +} + +/** + * Hashtable hash function for inbound SAs + */ +static u_int hash_in(child_entry_t *entry) +{ + return chunk_hash_inc(chunk_from_thing(entry->spi_in), + chunk_hash_inc(entry->host_in->get_address(entry->host_in), + chunk_hash(chunk_from_thing(entry->proto)))); +} + +/** + * Hashtable equals function for inbound SAs + */ +static bool equals_in(child_entry_t *a, child_entry_t *b) +{ + return a->spi_in == b->spi_in && + a->proto == b->proto && + a->host_in->ip_equals(a->host_in, b->host_in); +} + +/** + * Hashtable hash function for outbound SAs + */ +static u_int hash_out(child_entry_t *entry) +{ + return chunk_hash_inc(chunk_from_thing(entry->spi_out), + chunk_hash_inc(entry->host_out->get_address(entry->host_out), + chunk_hash(chunk_from_thing(entry->proto)))); +} + +/** + * Hashtable equals function for outbound SAs + */ +static bool equals_out(child_entry_t *a, child_entry_t *b) +{ + return a->spi_out == b->spi_out && + a->proto == b->proto && + a->host_out->ip_equals(a->host_out, b->host_out); +} + +/** + * Hashtable hash function for SAs by unique ID + */ +static u_int hash_id(child_entry_t *entry) +{ + return chunk_hash(chunk_from_thing(entry->unique_id)); +} + +/** + * Hashtable equals function for SAs by unique ID + */ +static bool equals_id(child_entry_t *a, child_entry_t *b) +{ + return a->unique_id == b->unique_id; +} + +METHOD(child_sa_manager_t, add, void, + private_child_sa_manager_t *this, child_sa_t *child_sa, ike_sa_t *ike_sa) +{ + child_entry_t *entry; + host_t *in, *out; + ike_sa_id_t *id; + + id = ike_sa->get_id(ike_sa); + in = ike_sa->get_my_host(ike_sa); + out = ike_sa->get_other_host(ike_sa); + + INIT(entry, + .ike_id = id->clone(id), + .unique_id = child_sa->get_unique_id(child_sa), + .proto = child_sa->get_protocol(child_sa), + .spi_in = child_sa->get_spi(child_sa, TRUE), + .spi_out = child_sa->get_spi(child_sa, FALSE), + .host_in = in->clone(in), + .host_out = out->clone(out), + ); + + this->mutex->lock(this->mutex); + if (!this->in->get(this->in, entry) && + !this->out->get(this->out, entry)) + { + this->in->put(this->in, entry, entry); + this->out->put(this->out, entry, entry); + entry = this->ids->put(this->ids, entry, entry); + } + this->mutex->unlock(this->mutex); + + if (entry) + { + child_entry_destroy(entry); + } +} + +METHOD(child_sa_manager_t, remove_, void, + private_child_sa_manager_t *this, child_sa_t *child_sa) +{ + child_entry_t *entry, key = { + .unique_id = child_sa->get_unique_id(child_sa), + }; + + this->mutex->lock(this->mutex); + entry = this->ids->remove(this->ids, &key); + if (entry) + { + this->in->remove(this->in, entry); + this->out->remove(this->out, entry); + } + this->mutex->unlock(this->mutex); + + if (entry) + { + child_entry_destroy(entry); + } +} + +/** + * Check out an IKE_SA for a given CHILD_SA + */ +static ike_sa_t *checkout_ikesa(private_child_sa_manager_t *this, + ike_sa_id_t *id, u_int32_t unique_id, child_sa_t **child_sa) +{ + enumerator_t *enumerator; + child_sa_t *current; + ike_sa_t *ike_sa; + bool found = FALSE; + + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id); + id->destroy(id); + if (ike_sa) + { + enumerator = ike_sa->create_child_sa_enumerator(ike_sa); + while (enumerator->enumerate(enumerator, ¤t)) + { + found = current->get_unique_id(current) == unique_id; + if (found) + { + if (child_sa) + { + *child_sa = current; + } + break; + } + } + enumerator->destroy(enumerator); + + if (found) + { + return ike_sa; + } + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + } + return NULL; +} + +METHOD(child_sa_manager_t, checkout_by_id, ike_sa_t*, + private_child_sa_manager_t *this, u_int32_t unique_id, + child_sa_t **child_sa) +{ + ike_sa_id_t *id; + child_entry_t *entry, key = { + .unique_id = unique_id, + }; + + this->mutex->lock(this->mutex); + entry = this->ids->get(this->ids, &key); + if (entry) + { + id = entry->ike_id->clone(entry->ike_id); + } + this->mutex->unlock(this->mutex); + + if (entry) + { + return checkout_ikesa(this, id, unique_id, child_sa); + } + return NULL; +} + +METHOD(child_sa_manager_t, checkout, ike_sa_t*, + private_child_sa_manager_t *this, protocol_id_t protocol, u_int32_t spi, + host_t *dst, child_sa_t **child_sa) +{ + ike_sa_id_t *id; + u_int32_t unique_id; + child_entry_t *entry, key = { + .spi_in = spi, + .spi_out = spi, + .host_in = dst, + .host_out = dst, + .proto = protocol, + }; + + this->mutex->lock(this->mutex); + entry = this->in->get(this->in, &key); + if (!entry) + { + entry = this->out->get(this->out, &key); + } + if (entry) + { + unique_id = entry->unique_id; + id = entry->ike_id->clone(entry->ike_id); + } + this->mutex->unlock(this->mutex); + + if (entry) + { + return checkout_ikesa(this, id, unique_id, child_sa); + } + return NULL; +} + +METHOD(child_sa_manager_t, destroy, void, + private_child_sa_manager_t *this) +{ + this->in->destroy(this->in); + this->out->destroy(this->out); + this->ids->destroy(this->ids); + this->mutex->destroy(this->mutex); + free(this); +} + +/** + * See header + */ +child_sa_manager_t *child_sa_manager_create() +{ + private_child_sa_manager_t *this; + + INIT(this, + .public = { + .add = _add, + .remove = _remove_, + .checkout = _checkout, + .checkout_by_id = _checkout_by_id, + .destroy = _destroy, + }, + .in = hashtable_create((hashtable_hash_t)hash_in, + (hashtable_equals_t)equals_in, 8), + .out = hashtable_create((hashtable_hash_t)hash_out, + (hashtable_equals_t)equals_out, 8), + .ids = hashtable_create((hashtable_hash_t)hash_id, + (hashtable_equals_t)equals_id, 8), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + ); + + return &this->public; +} diff --git a/src/libcharon/sa/child_sa_manager.h b/src/libcharon/sa/child_sa_manager.h new file mode 100644 index 000000000..4d57528e8 --- /dev/null +++ b/src/libcharon/sa/child_sa_manager.h @@ -0,0 +1,89 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup child_sa_manager child_sa_manager + * @{ @ingroup sa + */ + +#ifndef CHILD_SA_MANAGER_H_ +#define CHILD_SA_MANAGER_H_ + +#include +#include + +typedef struct child_sa_manager_t child_sa_manager_t; + +/** + * Handle CHILD_SA to IKE_SA relations + */ +struct child_sa_manager_t { + + /** + * Register a CHILD_SA/IKE_SA relation. + * + * @param child_sa CHILD_SA to register + * @param ike_sa IKE_SA owning the CHILD_SA + */ + void (*add)(child_sa_manager_t *this, child_sa_t *child_sa, ike_sa_t *ike_sa); + + /** + * Unregister a CHILD_SA/IKE_SA relation. + * + * @param child_sa CHILD_SA to unregister + */ + void (*remove)(child_sa_manager_t *this, child_sa_t *child_sa); + + /** + * Find a CHILD_SA and check out the associated IKE_SA by SPI. + * + * On success, the returned IKE_SA must be checked in after use to + * the IKE_SA manager. + * + * @param protocol IPsec protocol, AH|ESP + * @param spi SPI of CHILD_SA to check out + * @param dst SA destination host related to SPI + * @param child_sa returns CHILD_SA managed by IKE_SA + * @return IKE_SA, NULL if not found + */ + ike_sa_t *(*checkout)(child_sa_manager_t *this, + protocol_id_t protocol, u_int32_t spi, host_t *dst, + child_sa_t **child_sa); + + /** + * Find a CHILD_SA and check out the associated IKE_SA by unique_id. + * + * On success, the returned IKE_SA must be checked in after use to + * the IKE_SA manager. + * + * @param unique_id unique ID of CHILD_SA to check out + * @param child_sa returns CHILD_SA managed by IKE_SA + * @return IKE_SA, NULL if not found + */ + ike_sa_t *(*checkout_by_id)(child_sa_manager_t *this, u_int32_t unique_id, + child_sa_t **child_sa); + + /** + * Destroy a child_sa_manager_t. + */ + void (*destroy)(child_sa_manager_t *this); +}; + +/** + * Create a child_sa_manager instance. + */ +child_sa_manager_t *child_sa_manager_create(); + +#endif /** CHILD_SA_MANAGER_H_ @}*/ diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h index 6242a5a6e..689c0f990 100644 --- a/src/libcharon/sa/eap/eap_method.h +++ b/src/libcharon/sa/eap/eap_method.h @@ -136,6 +136,18 @@ struct eap_method_t { */ void (*set_identifier) (eap_method_t *this, u_int8_t identifier); + /** + * Get authentication details performed by this EAP method. + * + * After EAP completion, the auth data contains additional information + * of the authentication process, used certificates etc. + * This method is optional to implement, but if it is, it must return + * a valid auth_cfg. + * + * @return auth method, internal data + */ + auth_cfg_t* (*get_auth)(eap_method_t *this); + /** * Destroys a eap_method_t object. */ diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index d92b9df8e..3aafa4c13 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -932,6 +932,7 @@ METHOD(ike_sa_t, update_hosts, void, /* update our address in any case */ if (force && !me->equals(me, this->my_host)) { + charon->bus->ike_update(charon->bus, &this->public, TRUE, me); set_my_host(this, me->clone(me)); update = TRUE; } @@ -945,6 +946,7 @@ METHOD(ike_sa_t, update_hosts, void, (!has_condition(this, COND_NAT_HERE) || !has_condition(this, COND_ORIGINAL_INITIATOR))) { + charon->bus->ike_update(charon->bus, &this->public, FALSE, other); set_other_host(this, other->clone(other)); update = TRUE; } @@ -964,6 +966,10 @@ METHOD(ike_sa_t, update_hosts, void, enumerator = array_create_enumerator(this->child_sas); while (enumerator->enumerate(enumerator, &child_sa)) { + charon->child_sa_manager->remove(charon->child_sa_manager, child_sa); + charon->child_sa_manager->add(charon->child_sa_manager, + child_sa, &this->public); + if (child_sa->update(child_sa, this->my_host, this->other_host, vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED) { @@ -971,6 +977,7 @@ METHOD(ike_sa_t, update_hosts, void, child_sa->get_protocol(child_sa), child_sa->get_spi(child_sa, TRUE)); } + } enumerator->destroy(enumerator); @@ -1444,6 +1451,8 @@ METHOD(ike_sa_t, add_child_sa, void, private_ike_sa_t *this, child_sa_t *child_sa) { array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa); + charon->child_sa_manager->add(charon->child_sa_manager, + child_sa, &this->public); } METHOD(ike_sa_t, get_child_sa, child_sa_t*, @@ -1471,16 +1480,58 @@ METHOD(ike_sa_t, get_child_count, int, return array_count(this->child_sas); } +/** + * Private data of a create_child_sa_enumerator() + */ +typedef struct { + /** implements enumerator */ + enumerator_t public; + /** inner array enumerator */ + enumerator_t *inner; + /** current item */ + child_sa_t *current; +} child_enumerator_t; + +METHOD(enumerator_t, child_enumerate, bool, + child_enumerator_t *this, child_sa_t **child_sa) +{ + if (this->inner->enumerate(this->inner, &this->current)) + { + *child_sa = this->current; + return TRUE; + } + return FALSE; +} + +METHOD(enumerator_t, child_enumerator_destroy, void, + child_enumerator_t *this) +{ + this->inner->destroy(this->inner); + free(this); +} + METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*, private_ike_sa_t *this) { - return array_create_enumerator(this->child_sas); + child_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = (void*)_child_enumerate, + .destroy = _child_enumerator_destroy, + }, + .inner = array_create_enumerator(this->child_sas), + ); + return &enumerator->public; } METHOD(ike_sa_t, remove_child_sa, void, private_ike_sa_t *this, enumerator_t *enumerator) { - array_remove_at(this->child_sas, enumerator); + child_enumerator_t *ce = (child_enumerator_t*)enumerator; + + charon->child_sa_manager->remove(charon->child_sa_manager, ce->current); + array_remove_at(this->child_sas, ce->inner); } METHOD(ike_sa_t, rekey_child_sa, status_t, @@ -1513,13 +1564,13 @@ METHOD(ike_sa_t, destroy_child_sa, status_t, child_sa_t *child_sa; status_t status = NOT_FOUND; - enumerator = array_create_enumerator(this->child_sas); + enumerator = create_child_sa_enumerator(this); while (enumerator->enumerate(enumerator, (void**)&child_sa)) { if (child_sa->get_protocol(child_sa) == protocol && child_sa->get_spi(child_sa, TRUE) == spi) { - array_remove_at(this->child_sas, enumerator); + remove_child_sa(this, enumerator); child_sa->destroy(child_sa); status = SUCCESS; break; @@ -1771,7 +1822,7 @@ METHOD(ike_sa_t, reestablish, status_t, #endif /* ME */ { /* handle existing CHILD_SAs */ - enumerator = array_create_enumerator(this->child_sas); + enumerator = create_child_sa_enumerator(this); while (enumerator->enumerate(enumerator, (void**)&child_sa)) { if (has_condition(this, COND_REAUTHENTICATING)) @@ -1780,7 +1831,7 @@ METHOD(ike_sa_t, reestablish, status_t, { case CHILD_ROUTED: { /* move routed child directly */ - array_remove_at(this->child_sas, enumerator); + remove_child_sa(this, enumerator); new->add_child_sa(new, child_sa); action = ACTION_NONE; break; @@ -2209,6 +2260,12 @@ METHOD(ike_sa_t, inherit_post, void, array_insert_create(&this->other_vips, ARRAY_TAIL, vip); } + /* MOBIKE additional addresses */ + while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip)) + { + array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip); + } + /* authentication information */ enumerator = array_create_enumerator(other->my_auths); while (enumerator->enumerate(enumerator, &cfg)) @@ -2251,7 +2308,8 @@ METHOD(ike_sa_t, inherit_post, void, /* adopt all children */ while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa)) { - array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa); + charon->child_sa_manager->remove(charon->child_sa_manager, child_sa); + add_child_sa(this, child_sa); } /* move pending tasks to the new IKE_SA */ @@ -2296,8 +2354,8 @@ METHOD(ike_sa_t, destroy, void, { if (entry.handler) { - hydra->attributes->release(hydra->attributes, entry.handler, - this->other_id, entry.type, entry.data); + charon->attributes->release(charon->attributes, entry.handler, + &this->public, entry.type, entry.data); } free(entry.data.ptr); } @@ -2305,6 +2363,7 @@ METHOD(ike_sa_t, destroy, void, * routes that the CHILD_SA tries to uninstall. */ while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa)) { + charon->child_sa_manager->remove(charon->child_sa_manager, child_sa); child_sa->destroy(child_sa); } while (array_remove(this->my_vips, ARRAY_TAIL, &vip)) @@ -2321,12 +2380,11 @@ METHOD(ike_sa_t, destroy, void, if (this->peer_cfg) { linked_list_t *pools; - identification_t *id; - id = get_other_eap_id(this); pools = linked_list_create_from_enumerator( this->peer_cfg->create_pool_enumerator(this->peer_cfg)); - hydra->attributes->release_address(hydra->attributes, pools, vip, id); + charon->attributes->release_address(charon->attributes, + pools, vip, &this->public); pools->destroy(pools); } vip->destroy(vip); diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index c72d87367..9dbc805c9 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -131,6 +131,11 @@ enum ike_extension_t { * peer supports proprietary IKEv1 or standardized IKEv2 fragmentation */ EXT_IKE_FRAGMENTATION = (1<<11), + + /** + * Signature Authentication, RFC 7427 + */ + EXT_SIGNATURE_AUTH = (1<<12), }; /** @@ -936,8 +941,9 @@ struct ike_sa_t { /** * Reauthenticate the IKE_SA. * - * Create a completely new IKE_SA with authentication, recreates all children - * within the IKE_SA, closes this IKE_SA. + * Triggers a new IKE_SA that replaces this one. IKEv1 implicitly inherits + * all Quick Modes, while IKEv2 recreates all active and queued CHILD_SAs + * in the new IKE_SA. * * @return DESTROY_ME to destroy the IKE_SA */ diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index bdabc59b5..13fc74ff7 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -1184,7 +1184,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, DBG2(DBG_MGR, "checkout IKE_SA by message"); - if (id->get_responder_spi(id) == 0) + if (id->get_responder_spi(id) == 0 && + message->get_message_id(message) == 0) { if (message->get_major_version(message) == IKEV2_MAJOR_VERSION) { @@ -1383,54 +1384,35 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, } METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*, - private_ike_sa_manager_t *this, u_int32_t id, bool child) + private_ike_sa_manager_t *this, u_int32_t id) { - enumerator_t *enumerator, *children; + enumerator_t *enumerator; entry_t *entry; ike_sa_t *ike_sa = NULL; - child_sa_t *child_sa; u_int segment; - DBG2(DBG_MGR, "checkout IKE_SA by ID"); + DBG2(DBG_MGR, "checkout IKE_SA by ID %u", id); enumerator = create_table_enumerator(this); while (enumerator->enumerate(enumerator, &entry, &segment)) { if (wait_for_entry(this, entry, segment)) { - /* look for a child with such a reqid ... */ - if (child) - { - children = entry->ike_sa->create_child_sa_enumerator(entry->ike_sa); - while (children->enumerate(children, (void**)&child_sa)) - { - if (child_sa->get_reqid(child_sa) == id) - { - ike_sa = entry->ike_sa; - break; - } - } - children->destroy(children); - } - else /* ... or for a IKE_SA with such a unique id */ - { - if (entry->ike_sa->get_unique_id(entry->ike_sa) == id) - { - ike_sa = entry->ike_sa; - } - } - /* got one, return */ - if (ike_sa) + if (entry->ike_sa->get_unique_id(entry->ike_sa) == id) { + ike_sa = entry->ike_sa; entry->checked_out = TRUE; - DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out", - ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); break; } } } enumerator->destroy(enumerator); + if (ike_sa) + { + DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); + } charon->bus->set_sa(charon->bus, ike_sa); return ike_sa; } @@ -1746,29 +1728,45 @@ METHOD(ike_sa_manager_t, create_id_enumerator, enumerator_t*, } /** - * Move all CHILD_SAs from old to new + * Move all CHILD_SAs and virtual IPs from old to new */ -static void adopt_children(ike_sa_t *old, ike_sa_t *new) +static void adopt_children_and_vips(ike_sa_t *old, ike_sa_t *new) { enumerator_t *enumerator; child_sa_t *child_sa; + host_t *vip; + int chcount = 0, vipcount = 0; + enumerator = old->create_child_sa_enumerator(old); while (enumerator->enumerate(enumerator, &child_sa)) { old->remove_child_sa(old, enumerator); new->add_child_sa(new, child_sa); + chcount++; } enumerator->destroy(enumerator); -} -/** - * Check if the replaced IKE_SA might get reauthenticated from host - */ -static bool is_ikev1_reauth(ike_sa_t *duplicate, host_t *host) -{ - return duplicate->get_version(duplicate) == IKEV1 && - host->equals(host, duplicate->get_other_host(duplicate)); + enumerator = old->create_virtual_ip_enumerator(old, FALSE); + while (enumerator->enumerate(enumerator, &vip)) + { + new->add_virtual_ip(new, FALSE, vip); + vipcount++; + } + enumerator->destroy(enumerator); + /* this does not release the addresses, which is good, but it does trigger + * an assign_vips(FALSE) event... */ + old->clear_virtual_ips(old, FALSE); + /* ...trigger the analogous event on the new SA */ + charon->bus->set_sa(charon->bus, new); + charon->bus->assign_vips(charon->bus, new, TRUE); + charon->bus->set_sa(charon->bus, old); + + if (chcount || vipcount) + { + DBG1(DBG_IKE, "detected reauth of existing IKE_SA, adopting %d " + "children and %d virtual IPs", chcount, vipcount); + } } /** @@ -1780,13 +1778,20 @@ static status_t enforce_replace(private_ike_sa_manager_t *this, { charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE); - if (is_ikev1_reauth(duplicate, host)) + if (host->equals(host, duplicate->get_other_host(duplicate))) { /* looks like a reauthentication attempt */ - adopt_children(duplicate, new); + if (!new->has_condition(new, COND_INIT_CONTACT_SEEN) && + new->get_version(new) == IKEV1) + { + /* IKEv1 implicitly takes over children, IKEv2 recreates them + * explicitly. */ + adopt_children_and_vips(duplicate, new); + } /* For IKEv1 we have to delay the delete for the old IKE_SA. Some * peers need to complete the new SA first, otherwise the quick modes - * might get lost. */ + * might get lost. For IKEv2 we do the same, as we want overlapping + * CHILD_SAs to keep connectivity up. */ lib->scheduler->schedule_job(lib->scheduler, (job_t*) delete_ike_sa_job_create(duplicate->get_id(duplicate), TRUE), 10); return SUCCESS; @@ -1851,7 +1856,9 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool, other, other_host); break; case UNIQUE_KEEP: - if (!is_ikev1_reauth(duplicate, other_host)) + /* potential reauthentication? */ + if (!other_host->equals(other_host, + duplicate->get_other_host(duplicate))) { cancel = TRUE; /* we keep the first IKE_SA and delete all diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h index a68ae7763..f259d8e56 100644 --- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h @@ -129,19 +129,15 @@ struct ike_sa_manager_t { /** * Check out an IKE_SA a unique ID. * - * Every IKE_SA and every CHILD_SA is uniquely identified by an ID. - * These checkout function uses, depending - * on the child parameter, the unique ID of the IKE_SA or the reqid - * of one of a IKE_SAs CHILD_SA. + * Every IKE_SA is uniquely identified by a numerical ID. This checkout + * function uses the unique ID of the IKE_SA to check it out. * * @param id unique ID of the object - * @param child TRUE to use CHILD, FALSE to use IKE_SA * @return * - checked out IKE_SA, if found * - NULL, if not found */ - ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, u_int32_t id, - bool child); + ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, u_int32_t id); /** * Check out an IKE_SA by the policy/connection name. diff --git a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c index aa966cd5f..bb187f07c 100644 --- a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c +++ b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c @@ -74,7 +74,10 @@ METHOD(authenticator_t, build, status_t, keymat_v1_t *keymat; chunk_t hash, dh; - this->dh->get_my_public_value(this->dh, &dh); + if (!this->dh->get_my_public_value(this->dh, &dh)) + { + return FAILED; + } keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa); if (!keymat->get_hash(keymat, this->initiator, dh, this->dh_value, this->ike_sa->get_id(this->ike_sa), this->sa_payload, @@ -108,7 +111,10 @@ METHOD(authenticator_t, process, status_t, return FAILED; } - this->dh->get_my_public_value(this->dh, &dh); + if (!this->dh->get_my_public_value(this->dh, &dh)) + { + return FAILED; + } keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa); if (!keymat->get_hash(keymat, !this->initiator, this->dh_value, dh, this->ike_sa->get_id(this->ike_sa), this->sa_payload, diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c index bfe5ff449..52228ef2e 100644 --- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c +++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c @@ -94,7 +94,11 @@ METHOD(authenticator_t, build, status_t, return NOT_FOUND; } - this->dh->get_my_public_value(this->dh, &dh); + if (!this->dh->get_my_public_value(this->dh, &dh)) + { + private->destroy(private); + return FAILED; + } keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa); if (!keymat->get_hash(keymat, this->initiator, dh, this->dh_value, this->ike_sa->get_id(this->ike_sa), this->sa_payload, @@ -152,7 +156,10 @@ METHOD(authenticator_t, process, status_t, } id = this->ike_sa->get_other_id(this->ike_sa); - this->dh->get_my_public_value(this->dh, &dh); + if (!this->dh->get_my_public_value(this->dh, &dh)) + { + return FAILED; + } keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa); if (!keymat->get_hash(keymat, !this->initiator, this->dh_value, dh, this->ike_sa->get_id(this->ike_sa), this->sa_payload, diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c index 619d197bd..f5a91dbeb 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.c +++ b/src/libcharon/sa/ikev1/keymat_v1.c @@ -425,7 +425,7 @@ METHOD(keymat_v1_t, derive_ike_keys, bool, return FALSE; } - if (dh->get_shared_secret(dh, &g_xy) != SUCCESS) + if (!dh->get_shared_secret(dh, &g_xy)) { return FALSE; } @@ -560,7 +560,10 @@ METHOD(keymat_v1_t, derive_ike_keys, bool, return FALSE; } - dh->get_my_public_value(dh, &dh_me); + if (!dh->get_my_public_value(dh, &dh_me)) + { + return FALSE; + } g_xi = this->initiator ? dh_me : dh_other; g_xr = this->initiator ? dh_other : dh_me; @@ -661,7 +664,7 @@ METHOD(keymat_v1_t, derive_child_keys, bool, protocol = proposal->get_protocol(proposal); if (dh) { - if (dh->get_shared_secret(dh, &secret) != SUCCESS) + if (!dh->get_shared_secret(dh, &secret)) { return FALSE; } diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c index d01a831f8..c968b2a9c 100644 --- a/src/libcharon/sa/ikev1/phase1.c +++ b/src/libcharon/sa/ikev1/phase1.c @@ -694,7 +694,13 @@ METHOD(phase1_t, add_nonce_ke, bool, nonce_gen_t *nonceg; chunk_t nonce; - ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE, this->dh); + ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE, + this->dh); + if (!ke_payload) + { + DBG1(DBG_IKE, "creating KE payload failed"); + return FALSE; + } message->add_payload(message, &ke_payload->payload_interface); nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat); @@ -739,7 +745,11 @@ METHOD(phase1_t, get_nonce_ke, bool, return FALSE; } this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload)); - this->dh->set_other_public_value(this->dh, this->dh_value); + if (!this->dh->set_other_public_value(this->dh, this->dh_value)) + { + DBG1(DBG_IKE, "unable to apply received KE value"); + return FALSE; + } nonce_payload = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE); if (!nonce_payload) diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index 0f8e8bc6d..cb22bf606 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -1596,7 +1596,8 @@ static bool is_redundant(private_task_manager_t *this, child_sa_t *child_sa) child_sa->get_lifetime(child_sa, FALSE)) { DBG1(DBG_IKE, "deleting redundant CHILD_SA %s{%d}", - child_sa->get_name(child_sa), child_sa->get_reqid(child_sa)); + child_sa->get_name(child_sa), + child_sa->get_unique_id(child_sa)); redundant = TRUE; break; } @@ -1647,6 +1648,8 @@ METHOD(task_manager_t, queue_child_rekey, void, task = quick_mode_create(this->ike_sa, cfg->get_ref(cfg), get_first_ts(child_sa, TRUE), get_first_ts(child_sa, FALSE)); task->use_reqid(task, child_sa->get_reqid(child_sa)); + task->use_marks(task, child_sa->get_mark(child_sa, TRUE).value, + child_sa->get_mark(child_sa, FALSE).value); task->rekey(task, child_sa->get_spi(child_sa, TRUE)); queue_task(this, &task->task); diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c index bea0428c4..a56805afb 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2011 Martin Willi * Copyright (C) 2011 revosec AG * @@ -74,6 +77,42 @@ METHOD(task_t, process_i, status_t, METHOD(task_t, process_r, status_t, private_isakmp_delete_t *this, message_t *message) { + enumerator_t *payloads; + payload_t *payload; + delete_payload_t *delete_payload; + ike_sa_id_t *id; + u_int64_t spi_i, spi_r; + bool found = FALSE; + + /* some peers send DELETE payloads for other IKE_SAs, e.g. those for expired + * ones after a rekeyeing, make sure the SPIs match */ + id = this->ike_sa->get_id(this->ike_sa); + payloads = message->create_payload_enumerator(message); + while (payloads->enumerate(payloads, &payload)) + { + if (payload->get_type(payload) == PLV1_DELETE) + { + delete_payload = (delete_payload_t*)payload; + if (!delete_payload->get_ike_spi(delete_payload, &spi_i, &spi_r)) + { + continue; + } + if (id->get_initiator_spi(id) == spi_i && + id->get_responder_spi(id) == spi_r) + { + found = TRUE; + break; + } + } + } + payloads->destroy(payloads); + + if (!found) + { + DBG1(DBG_IKE, "received DELETE for different IKE_SA, ignored"); + return SUCCESS; + } + DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa)); diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 2fb4c6935..3ea4a2a85 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -205,6 +205,43 @@ static status_t send_delete(private_main_mode_t *this) return ALREADY_DONE; } +/** + * Add an INITIAL_CONTACT notify if first contact with peer + */ +static void add_initial_contact(private_main_mode_t *this, message_t *message, + identification_t *idi) +{ + identification_t *idr; + host_t *host; + notify_payload_t *notify; + ike_sa_id_t *ike_sa_id; + u_int64_t spi_i, spi_r; + chunk_t spi; + + idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE); + if (idr && !idr->contains_wildcards(idr)) + { + if (this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO && + this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER) + { + host = this->ike_sa->get_other_host(this->ike_sa); + if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager, + idi, idr, host->get_family(host))) + { + notify = notify_payload_create_from_protocol_and_type( + PLV1_NOTIFY, PROTO_IKE, INITIAL_CONTACT_IKEV1); + ike_sa_id = this->ike_sa->get_id(this->ike_sa); + spi_i = ike_sa_id->get_initiator_spi(ike_sa_id); + spi_r = ike_sa_id->get_responder_spi(ike_sa_id); + spi = chunk_cata("cc", chunk_from_thing(spi_i), + chunk_from_thing(spi_r)); + notify->set_spi_data(notify, spi); + message->add_payload(message, (payload_t*)notify); + } + } + } +} + METHOD(task_t, build_i, status_t, private_main_mode_t *this, message_t *message) { @@ -311,6 +348,8 @@ METHOD(task_t, build_i, status_t, return send_notify(this, AUTHENTICATION_FAILED); } + add_initial_contact(this, message, id); + this->state = MM_AUTH; return NEED_MORE; } diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c index 94026b9af..d0994a961 100644 --- a/src/libcharon/sa/ikev1/tasks/mode_config.c +++ b/src/libcharon/sa/ikev1/tasks/mode_config.c @@ -16,7 +16,6 @@ #include "mode_config.h" #include -#include #include typedef struct private_mode_config_t private_mode_config_t; @@ -136,9 +135,8 @@ static void handle_attribute(private_mode_config_t *this, enumerator->destroy(enumerator); /* and pass it to the handle function */ - handler = hydra->attributes->handle(hydra->attributes, - this->ike_sa->get_other_id(this->ike_sa), handler, - ca->get_type(ca), ca->get_chunk(ca)); + handler = charon->attributes->handle(charon->attributes, + this->ike_sa, handler, ca->get_type(ca), ca->get_chunk(ca)); this->ike_sa->add_configuration_attribute(this->ike_sa, handler, ca->get_type(ca), ca->get_chunk(ca)); } @@ -326,9 +324,8 @@ static status_t build_request(private_mode_config_t *this, message_t *message) enumerator->destroy(enumerator); } - enumerator = hydra->attributes->create_initiator_enumerator( - hydra->attributes, - this->ike_sa->get_other_id(this->ike_sa), vips); + enumerator = charon->attributes->create_initiator_enumerator( + charon->attributes, this->ike_sa, vips); while (enumerator->enumerate(enumerator, &handler, &type, &data)) { add_attribute(this, cp, type, data, handler); @@ -353,7 +350,7 @@ static status_t build_set(private_mode_config_t *this, message_t *message) cp_payload_t *cp; peer_cfg_t *config; identification_t *id; - linked_list_t *pools; + linked_list_t *pools, *migrated, *vips; host_t *any4, *any6, *found; char *name; @@ -361,45 +358,62 @@ static status_t build_set(private_mode_config_t *this, message_t *message) id = this->ike_sa->get_other_eap_id(this->ike_sa); config = this->ike_sa->get_peer_cfg(this->ike_sa); - any4 = host_create_any(AF_INET); - any6 = host_create_any(AF_INET6); + /* if we migrated virtual IPs during reauthentication, reassign them */ + migrated = linked_list_create_from_enumerator( + this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, + FALSE)); + vips = migrated->clone_offset(migrated, offsetof(host_t, clone)); + migrated->destroy(migrated); this->ike_sa->clear_virtual_ips(this->ike_sa, FALSE); /* in push mode, we ask each configured pool for an address */ - enumerator = config->create_pool_enumerator(config); - while (enumerator->enumerate(enumerator, &name)) + if (!vips->get_count(vips)) { - pools = linked_list_create_with_items(name, NULL); - /* try IPv4, then IPv6 */ - found = hydra->attributes->acquire_address(hydra->attributes, - pools, id, any4); - if (!found) - { - found = hydra->attributes->acquire_address(hydra->attributes, - pools, id, any6); - } - pools->destroy(pools); - if (found) + any4 = host_create_any(AF_INET); + any6 = host_create_any(AF_INET6); + enumerator = config->create_pool_enumerator(config); + while (enumerator->enumerate(enumerator, &name)) { - DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id); - this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found); - cp->add_attribute(cp, build_vip(found)); - this->vips->insert_last(this->vips, found); + pools = linked_list_create_with_items(name, NULL); + /* try IPv4, then IPv6 */ + found = charon->attributes->acquire_address(charon->attributes, + pools, this->ike_sa, any4); + if (!found) + { + found = charon->attributes->acquire_address(charon->attributes, + pools, this->ike_sa, any6); + } + pools->destroy(pools); + if (found) + { + vips->insert_last(vips, found); + } } + enumerator->destroy(enumerator); + any4->destroy(any4); + any6->destroy(any6); } - enumerator->destroy(enumerator); - any4->destroy(any4); - any6->destroy(any6); + enumerator = vips->create_enumerator(vips); + while (enumerator->enumerate(enumerator, &found)) + { + DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id); + this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found); + cp->add_attribute(cp, build_vip(found)); + this->vips->insert_last(this->vips, found); + vips->remove_at(vips, enumerator); + } + enumerator->destroy(enumerator); + vips->destroy(vips); charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE); /* query registered providers for additional attributes to include */ pools = linked_list_create_from_enumerator( config->create_pool_enumerator(config)); - enumerator = hydra->attributes->create_responder_enumerator( - hydra->attributes, pools, id, this->vips); + enumerator = charon->attributes->create_responder_enumerator( + charon->attributes, pools, this->ike_sa, this->vips); while (enumerator->enumerate(enumerator, &type, &value)) { add_attribute(this, cp, type, value, NULL); @@ -457,6 +471,28 @@ METHOD(task_t, process_r, status_t, return NEED_MORE; } +/** + * Assign a migrated virtual IP + */ +static host_t *assign_migrated_vip(linked_list_t *migrated, host_t *requested) +{ + enumerator_t *enumerator; + host_t *found = NULL, *vip; + + enumerator = migrated->create_enumerator(migrated); + while (enumerator->enumerate(enumerator, &vip)) + { + if (vip->ip_equals(vip, requested)) + { + migrated->remove_at(migrated, enumerator); + found = vip; + break; + } + } + enumerator->destroy(enumerator); + return found; +} + /** * Build CFG_REPLY message after receiving CFG_REQUEST */ @@ -468,29 +504,35 @@ static status_t build_reply(private_mode_config_t *this, message_t *message) cp_payload_t *cp; peer_cfg_t *config; identification_t *id; - linked_list_t *vips, *pools; - host_t *requested; + linked_list_t *vips, *pools, *migrated; + host_t *requested, *found; cp = cp_payload_create_type(PLV1_CONFIGURATION, CFG_REPLY); id = this->ike_sa->get_other_eap_id(this->ike_sa); config = this->ike_sa->get_peer_cfg(this->ike_sa); - vips = linked_list_create(); pools = linked_list_create_from_enumerator( config->create_pool_enumerator(config)); - + /* if we migrated virtual IPs during reauthentication, reassign them */ + vips = linked_list_create_from_enumerator( + this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, + FALSE)); + migrated = vips->clone_offset(vips, offsetof(host_t, clone)); + vips->destroy(vips); this->ike_sa->clear_virtual_ips(this->ike_sa, FALSE); + vips = linked_list_create(); enumerator = this->vips->create_enumerator(this->vips); while (enumerator->enumerate(enumerator, &requested)) { - host_t *found = NULL; - - /* query all pools until we get an address */ DBG1(DBG_IKE, "peer requested virtual IP %H", requested); - found = hydra->attributes->acquire_address(hydra->attributes, - pools, id, requested); + found = assign_migrated_vip(migrated, requested); + if (!found) + { + found = charon->attributes->acquire_address(charon->attributes, + pools, this->ike_sa, requested); + } if (found) { DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id); @@ -509,8 +551,8 @@ static status_t build_reply(private_mode_config_t *this, message_t *message) charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE); /* query registered providers for additional attributes to include */ - enumerator = hydra->attributes->create_responder_enumerator( - hydra->attributes, pools, id, vips); + enumerator = charon->attributes->create_responder_enumerator( + charon->attributes, pools, this->ike_sa, vips); while (enumerator->enumerate(enumerator, &type, &value)) { cp->add_attribute(cp, @@ -518,6 +560,15 @@ static status_t build_reply(private_mode_config_t *this, message_t *message) type, value)); } enumerator->destroy(enumerator); + /* if a client did not re-request all adresses, release them */ + enumerator = migrated->create_enumerator(migrated); + while (enumerator->enumerate(enumerator, &found)) + { + charon->attributes->release_address(charon->attributes, + pools, found, this->ike_sa); + } + enumerator->destroy(enumerator); + migrated->destroy_offset(migrated, offsetof(host_t, destroy)); vips->destroy_offset(vips, offsetof(host_t, destroy)); pools->destroy(pools); diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c index 499081caa..1b95a8b11 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_delete.c +++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c @@ -105,7 +105,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol, this->spi = spi = child_sa->get_spi(child_sa, TRUE); } - rekeyed = child_sa->get_state(child_sa) == CHILD_REKEYING; + rekeyed = child_sa->get_state(child_sa) == CHILD_REKEYED; child_sa->set_state(child_sa, CHILD_DELETING); my_ts = linked_list_create_from_enumerator( @@ -116,7 +116,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol, { DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} " "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", - child_sa->get_name(child_sa), child_sa->get_reqid(child_sa), + child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), ntohl(child_sa->get_spi(child_sa, TRUE)), ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts); } @@ -127,7 +127,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol, DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs " "%.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R", - child_sa->get_name(child_sa), child_sa->get_reqid(child_sa), + child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in, ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out, my_ts, other_ts); diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 1133aab65..96edfd8d8 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -155,6 +155,16 @@ struct private_quick_mode_t { */ u_int32_t reqid; + /** + * Explicit inbound mark value to use, if any + */ + u_int mark_in; + + /** + * Explicit inbound mark value to use, if any + */ + u_int mark_out; + /** * SPI of SA we rekey */ @@ -196,8 +206,8 @@ static void schedule_inactivity_timeout(private_quick_mode_t *this) close_ike = lib->settings->get_bool(lib->settings, "%s.inactivity_close_ike", FALSE, lib->ns); lib->scheduler->schedule_job(lib->scheduler, (job_t*) - inactivity_job_create(this->child_sa->get_reqid(this->child_sa), - timeout, close_ike), timeout); + inactivity_job_create(this->child_sa->get_unique_id(this->child_sa), + timeout, close_ike), timeout); } } @@ -375,7 +385,7 @@ static bool install(private_quick_mode_t *this) DBG0(DBG_IKE, "CHILD_SA %s{%d} established " "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", this->child_sa->get_name(this->child_sa), - this->child_sa->get_reqid(this->child_sa), + this->child_sa->get_unique_id(this->child_sa), ntohl(this->child_sa->get_spi(this->child_sa, TRUE)), ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), my_ts, other_ts); @@ -391,15 +401,14 @@ static bool install(private_quick_mode_t *this) if (old) { charon->bus->child_rekey(charon->bus, old, this->child_sa); + /* rekeyed CHILD_SAs stay installed until they expire */ + old->set_state(old, CHILD_REKEYED); } else { charon->bus->child_updown(charon->bus, this->child_sa, TRUE); } - if (!this->rekey) - { - schedule_inactivity_timeout(this); - } + schedule_inactivity_timeout(this); this->child_sa = NULL; return TRUE; } @@ -456,12 +465,19 @@ static bool get_nonce(private_quick_mode_t *this, chunk_t *nonce, /** * Add KE payload to message */ -static void add_ke(private_quick_mode_t *this, message_t *message) +static bool add_ke(private_quick_mode_t *this, message_t *message) { ke_payload_t *ke_payload; - ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE, this->dh); + ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE, + this->dh); + if (!ke_payload) + { + DBG1(DBG_IKE, "creating KE payload failed"); + return FALSE; + } message->add_payload(message, &ke_payload->payload_interface); + return TRUE; } /** @@ -477,8 +493,12 @@ static bool get_ke(private_quick_mode_t *this, message_t *message) DBG1(DBG_IKE, "KE payload missing"); return FALSE; } - this->dh->set_other_public_value(this->dh, - ke_payload->get_key_exchange_data(ke_payload)); + if (!this->dh->set_other_public_value(this->dh, + ke_payload->get_key_exchange_data(ke_payload))) + { + DBG1(DBG_IKE, "unable to apply received KE value"); + return FALSE; + } return TRUE; } @@ -788,7 +808,8 @@ METHOD(task_t, build_i, status_t, this->child_sa = child_sa_create( this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa), - this->config, this->reqid, this->udp); + this->config, this->reqid, this->udp, + this->mark_in, this->mark_out); if (this->udp && this->mode == MODE_TRANSPORT) { @@ -870,7 +891,10 @@ METHOD(task_t, build_i, status_t, } if (group != MODP_NONE) { - add_ke(this, message); + if (!add_ke(this, message)) + { + return FAILED; + } } if (!this->tsi) { @@ -964,6 +988,7 @@ static void check_for_rekeyed_child(private_quick_mode_t *this) { case CHILD_INSTALLED: case CHILD_REKEYING: + case CHILD_REKEYED: policies = child_sa->create_policy_enumerator(child_sa); if (policies->enumerate(policies, &local, &remote) && local->equals(local, this->tsr) && @@ -972,9 +997,14 @@ static void check_for_rekeyed_child(private_quick_mode_t *this) { this->reqid = child_sa->get_reqid(child_sa); this->rekey = child_sa->get_spi(child_sa, TRUE); + this->mark_in = child_sa->get_mark(child_sa, + TRUE).value; + this->mark_out = child_sa->get_mark(child_sa, + FALSE).value; child_sa->set_state(child_sa, CHILD_REKEYING); DBG1(DBG_IKE, "detected rekeying of CHILD_SA %s{%u}", - child_sa->get_name(child_sa), this->reqid); + child_sa->get_name(child_sa), + child_sa->get_unique_id(child_sa)); } policies->destroy(policies); break; @@ -1097,7 +1127,8 @@ METHOD(task_t, process_r, status_t, this->child_sa = child_sa_create( this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa), - this->config, this->reqid, this->udp); + this->config, this->reqid, this->udp, + this->mark_in, this->mark_out); tsi = linked_list_create_with_items(this->tsi, NULL); tsr = linked_list_create_with_items(this->tsr, NULL); @@ -1202,7 +1233,10 @@ METHOD(task_t, build_r, status_t, } if (this->dh) { - add_ke(this, message); + if (!add_ke(this, message)) + { + return FAILED; + } } add_ts(this, message); @@ -1307,6 +1341,13 @@ METHOD(quick_mode_t, use_reqid, void, this->reqid = reqid; } +METHOD(quick_mode_t, use_marks, void, + private_quick_mode_t *this, u_int in, u_int out) +{ + this->mark_in = in; + this->mark_out = out; +} + METHOD(quick_mode_t, rekey, void, private_quick_mode_t *this, u_int32_t spi) { @@ -1334,6 +1375,8 @@ METHOD(task_t, migrate, void, this->dh = NULL; this->spi_i = 0; this->spi_r = 0; + this->mark_in = 0; + this->mark_out = 0; if (!this->initiator) { @@ -1372,6 +1415,7 @@ quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config, .destroy = _destroy, }, .use_reqid = _use_reqid, + .use_marks = _use_marks, .rekey = _rekey, }, .ike_sa = ike_sa, diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.h b/src/libcharon/sa/ikev1/tasks/quick_mode.h index 0b80cb836..ee9b64d13 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.h +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.h @@ -44,6 +44,14 @@ struct quick_mode_t { */ void (*use_reqid)(quick_mode_t *this, u_int32_t reqid); + /** + * Use specific mark values, overriding configuration. + * + * @param in inbound mark value + * @param out outbound mark value + */ + void (*use_marks)(quick_mode_t *this, u_int in, u_int out); + /** * Set the SPI of the old SA, if rekeying. * diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c index eed6d1996..ebef31930 100644 --- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c @@ -522,6 +522,13 @@ METHOD(authenticator_t, process_server, status_t, { return FAILED; } + if (this->method->get_auth) + { + auth_cfg_t *auth; + + auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); + auth->merge(auth, this->method->get_auth(this->method), FALSE); + } return NEED_MORE; } diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 6fb14bc06..151b49718 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -20,6 +20,9 @@ #include #include #include +#include +#include +#include typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t; @@ -52,83 +55,303 @@ struct private_pubkey_authenticator_t { * Reserved bytes of ID payload */ char reserved[3]; + + /** + * Whether to store signature schemes on remote auth configs. + */ + bool store_signature_scheme; }; -METHOD(authenticator_t, build, status_t, - private_pubkey_authenticator_t *this, message_t *message) +/** + * Parse authentication data used for Signature Authentication as per RFC 7427 + */ +static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type, + signature_scheme_t *scheme) { - chunk_t octets = chunk_empty, auth_data; - status_t status = FAILED; - private_key_t *private; - identification_t *id; - auth_cfg_t *auth; - auth_payload_t *auth_payload; - auth_method_t auth_method; + u_int8_t len; + int oid; + + if (!auth_data->len) + { + return FALSE; + } + len = auth_data->ptr[0]; + *auth_data = chunk_skip(*auth_data, 1); + /* we currently don't support schemes that require parameters */ + oid = asn1_parse_algorithmIdentifier(*auth_data, 1, NULL); + *scheme = signature_scheme_from_oid(oid); + if (*scheme == SIGN_UNKNOWN) + { + return FALSE; + } + *key_type = key_type_from_signature_scheme(*scheme); + *auth_data = chunk_skip(*auth_data, len); + return TRUE; +} + +/** + * Build authentication data used for Signature Authentication as per RFC 7427 + */ +static bool build_signature_auth_data(chunk_t *auth_data, + signature_scheme_t scheme) +{ + chunk_t data; + u_int8_t len; + int oid; + + oid = signature_scheme_to_oid(scheme); + if (oid == OID_UNKNOWN) + { + return FALSE; + } + data = asn1_algorithmIdentifier(oid); + len = data.len; + *auth_data = chunk_cat("cmm", chunk_from_thing(len), data, *auth_data); + return TRUE; +} + +/** + * Selects possible signature schemes based on our configuration, the other + * peer's capabilities and the private key + */ +static array_t *select_signature_schemes(keymat_v2_t *keymat, + auth_cfg_t *auth, private_key_t *private) +{ + enumerator_t *enumerator; signature_scheme_t scheme; + uintptr_t config; + auth_rule_t rule; + key_type_t key_type; + bool have_config = FALSE; + array_t *selected; + + selected = array_create(sizeof(signature_scheme_t), 0); + key_type = private->get_type(private); + enumerator = auth->create_enumerator(auth); + while (enumerator->enumerate(enumerator, &rule, &config)) + { + if (rule != AUTH_RULE_SIGNATURE_SCHEME) + { + continue; + } + have_config = TRUE; + if (key_type == key_type_from_signature_scheme(config) && + keymat->hash_algorithm_supported(keymat, + hasher_from_signature_scheme(config))) + { + scheme = config; + array_insert(selected, ARRAY_TAIL, &scheme); + } + } + enumerator->destroy(enumerator); + + if (!have_config) + { + /* if no specific configuration, find schemes appropriate for the key + * and supported by the other peer */ + enumerator = signature_schemes_for_key(key_type, + private->get_keysize(private)); + while (enumerator->enumerate(enumerator, &scheme)) + { + if (keymat->hash_algorithm_supported(keymat, + hasher_from_signature_scheme(scheme))) + { + array_insert(selected, ARRAY_TAIL, &scheme); + } + } + enumerator->destroy(enumerator); + + /* for RSA we tried at least SHA-512, also try other schemes down to + * what we'd use with classic authentication */ + if (key_type == KEY_RSA) + { + signature_scheme_t schemes[] = { + SIGN_RSA_EMSA_PKCS1_SHA384, + SIGN_RSA_EMSA_PKCS1_SHA256, + SIGN_RSA_EMSA_PKCS1_SHA1, + }, contained; + bool found; + int i, j; + + for (i = 0; i < countof(schemes); i++) + { + scheme = schemes[i]; + found = FALSE; + for (j = 0; j < array_count(selected); j++) + { + array_get(selected, j, &contained); + if (scheme == contained) + { + found = TRUE; + break; + } + } + if (!found && keymat->hash_algorithm_supported(keymat, + hasher_from_signature_scheme(scheme))) + { + array_insert(selected, ARRAY_TAIL, &scheme); + } + } + } + } + return selected; +} + +/** + * Create a signature using RFC 7427 signature authentication + */ +static status_t sign_signature_auth(private_pubkey_authenticator_t *this, + auth_cfg_t *auth, private_key_t *private, + identification_t *id, chunk_t *auth_data) +{ + enumerator_t *enumerator; keymat_v2_t *keymat; + signature_scheme_t scheme = SIGN_UNKNOWN, *schemep; + array_t *schemes; + chunk_t octets = chunk_empty; + status_t status = FAILED; - id = this->ike_sa->get_my_id(this->ike_sa); - auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); - private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth); - if (private == NULL) + keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); + schemes = select_signature_schemes(keymat, auth, private); + if (!array_count(schemes)) { - DBG1(DBG_IKE, "no private key found for '%Y'", id); - return NOT_FOUND; + DBG1(DBG_IKE, "no common hash algorithm found to create signature " + "with %N key", key_type_names, private->get_type(private)); + array_destroy(schemes); + return FAILED; } + if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, + this->nonce, id, this->reserved, &octets)) + { + enumerator = array_create_enumerator(schemes); + while (enumerator->enumerate(enumerator, &schemep)) + { + scheme = *schemep; + if (private->sign(private, scheme, octets, auth_data) && + build_signature_auth_data(auth_data, scheme)) + { + status = SUCCESS; + break; + } + else + { + DBG2(DBG_IKE, "unable to create %N signature for %N key", + signature_scheme_names, scheme, key_type_names, + private->get_type(private)); + } + } + enumerator->destroy(enumerator); + } + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id, + signature_scheme_names, scheme, + status == SUCCESS ? "successful" : "failed"); + array_destroy(schemes); + chunk_free(&octets); + return status; +} + +/** + * Create a classic IKEv2 signature + */ +static status_t sign_classic(private_pubkey_authenticator_t *this, + auth_cfg_t *auth, private_key_t *private, + identification_t *id, auth_method_t *auth_method, + chunk_t *auth_data) +{ + signature_scheme_t scheme; + keymat_v2_t *keymat; + chunk_t octets = chunk_empty; + status_t status = FAILED; + switch (private->get_type(private)) { case KEY_RSA: - /* we currently use always SHA1 for signatures, - * TODO: support other hashes depending on configuration/auth */ scheme = SIGN_RSA_EMSA_PKCS1_SHA1; - auth_method = AUTH_RSA; + *auth_method = AUTH_RSA; break; case KEY_ECDSA: - /* we try to deduct the signature scheme from the keysize */ + /* deduct the signature scheme from the keysize */ switch (private->get_keysize(private)) { case 256: scheme = SIGN_ECDSA_256; - auth_method = AUTH_ECDSA_256; + *auth_method = AUTH_ECDSA_256; break; case 384: scheme = SIGN_ECDSA_384; - auth_method = AUTH_ECDSA_384; + *auth_method = AUTH_ECDSA_384; break; case 521: scheme = SIGN_ECDSA_521; - auth_method = AUTH_ECDSA_521; + *auth_method = AUTH_ECDSA_521; break; default: DBG1(DBG_IKE, "%d bit ECDSA private key size not supported", - private->get_keysize(private)); - return status; + private->get_keysize(private)); + return FAILED; } break; default: DBG1(DBG_IKE, "private key of type %N not supported", - key_type_names, private->get_type(private)); - return status; + key_type_names, private->get_type(private)); + return FAILED; } + keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, this->nonce, id, this->reserved, &octets) && - private->sign(private, scheme, octets, &auth_data)) + private->sign(private, scheme, octets, auth_data)) { - auth_payload = auth_payload_create(); - auth_payload->set_auth_method(auth_payload, auth_method); - auth_payload->set_data(auth_payload, auth_data); - chunk_free(&auth_data); - message->add_payload(message, (payload_t*)auth_payload); status = SUCCESS; } DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id, - auth_method_names, auth_method, - (status == SUCCESS)? "successful":"failed"); + auth_method_names, *auth_method, + status == SUCCESS ? "successful" : "failed"); chunk_free(&octets); + return status; +} + +METHOD(authenticator_t, build, status_t, + private_pubkey_authenticator_t *this, message_t *message) +{ + private_key_t *private; + identification_t *id; + auth_cfg_t *auth; + chunk_t auth_data; + status_t status; + auth_payload_t *auth_payload; + auth_method_t auth_method; + + id = this->ike_sa->get_my_id(this->ike_sa); + auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); + private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth); + if (!private) + { + DBG1(DBG_IKE, "no private key found for '%Y'", id); + return NOT_FOUND; + } + + if (this->ike_sa->supports_extension(this->ike_sa, EXT_SIGNATURE_AUTH)) + { + auth_method = AUTH_DS; + status = sign_signature_auth(this, auth, private, id, &auth_data); + } + else + { + status = sign_classic(this, auth, private, id, &auth_method, + &auth_data); + } private->destroy(private); + if (status == SUCCESS) + { + auth_payload = auth_payload_create(); + auth_payload->set_auth_method(auth_payload, auth_method); + auth_payload->set_data(auth_payload, auth_data); + chunk_free(&auth_data); + message->add_payload(message, (payload_t*)auth_payload); + } return status; } @@ -153,11 +376,10 @@ METHOD(authenticator_t, process, status_t, return FAILED; } auth_method = auth_payload->get_auth_method(auth_payload); + auth_data = auth_payload->get_data(auth_payload); switch (auth_method) { case AUTH_RSA: - /* We currently accept SHA1 signatures only - * TODO: allow other hash algorithms and note it in "auth" */ key_type = KEY_RSA; scheme = SIGN_RSA_EMSA_PKCS1_SHA1; break; @@ -170,10 +392,15 @@ METHOD(authenticator_t, process, status_t, case AUTH_ECDSA_521: scheme = SIGN_ECDSA_521; break; + case AUTH_DS: + if (parse_signature_auth_data(&auth_data, &key_type, &scheme)) + { + break; + } + /* fall-through */ default: return INVALID_ARG; } - auth_data = auth_payload->get_data(auth_payload); id = this->ike_sa->get_other_id(this->ike_sa); keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); if (!keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init, @@ -188,11 +415,16 @@ METHOD(authenticator_t, process, status_t, { if (public->verify(public, scheme, octets, auth_data)) { - DBG1(DBG_IKE, "authentication of '%Y' with %N successful", - id, auth_method_names, auth_method); + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, + auth_method == AUTH_DS ? signature_scheme_names : auth_method_names, + auth_method == AUTH_DS ? scheme : auth_method); status = SUCCESS; auth->merge(auth, current_auth, FALSE); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); + if (this->store_signature_scheme) + { + auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme); + } break; } else @@ -265,6 +497,8 @@ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa, .ike_sa = ike_sa, .ike_sa_init = received_init, .nonce = sent_nonce, + .store_signature_scheme = lib->settings->get_bool(lib->settings, + "%s.signature_authentication_constraints", TRUE, lib->ns), ); memcpy(this->reserved, reserved, sizeof(this->reserved)); diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index 88ad14faf..f70f5cfed 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -17,6 +18,7 @@ #include #include +#include typedef struct private_keymat_v2_t private_keymat_v2_t; @@ -69,6 +71,11 @@ struct private_keymat_v2_t { * Key to verify incoming authentication data (SKp) */ chunk_t skp_verify; + + /** + * Set of hash algorithms supported by peer for signature authentication + */ + hash_algorithm_set_t *hash_algorithms; }; METHOD(keymat_t, get_version, ike_version_t, @@ -293,7 +300,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, spi_i = chunk_alloca(sizeof(u_int64_t)); spi_r = chunk_alloca(sizeof(u_int64_t)); - if (dh->get_shared_secret(dh, &secret) != SUCCESS) + if (!dh->get_shared_secret(dh, &secret)) { return FALSE; } @@ -547,7 +554,7 @@ METHOD(keymat_v2_t, derive_child_keys, bool, if (dh) { - if (dh->get_shared_secret(dh, &secret) != SUCCESS) + if (!dh->get_shared_secret(dh, &secret)) { return FALSE; } @@ -676,6 +683,26 @@ METHOD(keymat_v2_t, get_psk_sig, bool, return TRUE; } +METHOD(keymat_v2_t, hash_algorithm_supported, bool, + private_keymat_v2_t *this, hash_algorithm_t hash) +{ + if (!this->hash_algorithms) + { + return FALSE; + } + return this->hash_algorithms->contains(this->hash_algorithms, hash); +} + +METHOD(keymat_v2_t, add_hash_algorithm, void, + private_keymat_v2_t *this, hash_algorithm_t hash) +{ + if (!this->hash_algorithms) + { + this->hash_algorithms = hash_algorithm_set_create(); + } + this->hash_algorithms->add(this->hash_algorithms, hash); +} + METHOD(keymat_t, destroy, void, private_keymat_v2_t *this) { @@ -685,6 +712,7 @@ METHOD(keymat_t, destroy, void, chunk_clear(&this->skd); chunk_clear(&this->skp_verify); chunk_clear(&this->skp_build); + DESTROY_IF(this->hash_algorithms); free(this); } @@ -709,6 +737,9 @@ keymat_v2_t *keymat_v2_create(bool initiator) .get_skd = _get_skd, .get_auth_octets = _get_auth_octets, .get_psk_sig = _get_psk_sig, + .add_hash_algorithm = _add_hash_algorithm, + .hash_algorithm_supported = _hash_algorithm_supported, + }, .initiator = initiator, .prf_alg = PRF_UNDEFINED, diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h index 04432f05b..927b62b03 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.h +++ b/src/libcharon/sa/ikev2/keymat_v2.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Tobias Brunner + * Copyright (C) 2011-2015 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -124,6 +124,22 @@ struct keymat_v2_t { bool (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig); + + /** + * Add a hash algorithm supported by the peer for signature authentication. + * + * @param hash hash algorithm + */ + void (*add_hash_algorithm)(keymat_v2_t *this, hash_algorithm_t hash); + + /** + * Check if a given hash algorithm is supported by the peer for signature + * authentication. + * + * @param hash hash algorithm + * @return TRUE if supported, FALSE otherwise + */ + bool (*hash_algorithm_supported)(keymat_v2_t *this, hash_algorithm_t hash); }; /** diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index eb7df3516..298167703 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -171,6 +172,11 @@ struct private_task_manager_t { * Base to calculate retransmission timeout */ double retransmit_base; + + /** + * Use make-before-break instead of break-before-make reauth? + */ + bool make_before_break; }; /** @@ -510,6 +516,11 @@ METHOD(task_manager_t, initiate, status_t, break; } #endif /* ME */ + if (activate_task(this, TASK_IKE_REAUTH_COMPLETE)) + { + exchange = INFORMATIONAL; + break; + } case IKE_REKEYING: if (activate_task(this, TASK_IKE_DELETE)) { @@ -604,6 +615,11 @@ METHOD(task_manager_t, initiate, status_t, /* update exchange type if a task changed it */ this->initiating.type = message->get_exchange_type(message); + if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED) + { + message->destroy(message); + return SUCCESS; + } if (!generate_message(this, message, &this->initiating.packets)) { @@ -1170,7 +1186,7 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg) { unknown = (unknown_payload_t*)payload; type = payload->get_type(payload); - if (!payload_is_known(type) && + if (!payload_is_known(type, msg->get_major_version(msg)) && unknown->is_critical(unknown)) { DBG1(DBG_ENC, "payload type %N is not supported, " @@ -1288,17 +1304,16 @@ METHOD(task_manager_t, process_message, status_t, { if (mid == this->responding.mid) { - /* reject initial messages once established */ - if (msg->get_exchange_type(msg) == IKE_SA_INIT || - msg->get_exchange_type(msg) == IKE_AUTH) + /* reject initial messages if not received in specific states */ + if ((msg->get_exchange_type(msg) == IKE_SA_INIT && + this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) || + (msg->get_exchange_type(msg) == IKE_AUTH && + this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)) { - if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED && - this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING) - { - DBG1(DBG_IKE, "ignoring %N in established IKE_SA state", - exchange_type_names, msg->get_exchange_type(msg)); - return FAILED; - } + DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N", + exchange_type_names, msg->get_exchange_type(msg), + ike_sa_state_names, this->ike_sa->get_state(this->ike_sa)); + return FAILED; } if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) { /* with MOBIKE, we do no implicit updates */ @@ -1339,10 +1354,6 @@ METHOD(task_manager_t, process_message, status_t, { DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored", mid, this->responding.mid); - if (msg->get_exchange_type(msg) == IKE_SA_INIT) - { /* clean up IKE_SA state if IKE_SA_INIT has invalid msg ID */ - return DESTROY_ME; - } } } else @@ -1505,9 +1516,79 @@ METHOD(task_manager_t, queue_ike_rekey, void, queue_task(this, (task_t*)ike_rekey_create(this->ike_sa, TRUE)); } +/** + * Start reauthentication using make-before-break + */ +static void trigger_mbb_reauth(private_task_manager_t *this) +{ + enumerator_t *enumerator; + child_sa_t *child_sa; + child_cfg_t *cfg; + ike_sa_t *new; + host_t *host; + task_t *task; + + new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, + this->ike_sa->get_version(this->ike_sa), TRUE); + if (!new) + { /* shouldn't happen */ + return; + } + + new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa)); + host = this->ike_sa->get_other_host(this->ike_sa); + new->set_other_host(new, host->clone(host)); + host = this->ike_sa->get_my_host(this->ike_sa); + new->set_my_host(new, host->clone(host)); + enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE); + while (enumerator->enumerate(enumerator, &host)) + { + new->add_virtual_ip(new, TRUE, host); + } + enumerator->destroy(enumerator); + + enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa); + while (enumerator->enumerate(enumerator, &child_sa)) + { + cfg = child_sa->get_config(child_sa); + new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg), + FALSE, NULL, NULL)->task); + } + enumerator->destroy(enumerator); + + enumerator = array_create_enumerator(this->queued_tasks); + while (enumerator->enumerate(enumerator, &task)) + { + if (task->get_type(task) == TASK_CHILD_CREATE) + { + task->migrate(task, new); + new->queue_task(new, task); + array_remove_at(this->queued_tasks, enumerator); + } + } + enumerator->destroy(enumerator); + + if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME) + { + new->queue_task(new, (task_t*)ike_reauth_complete_create(new, + this->ike_sa->get_id(this->ike_sa))); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, new); + } + else + { + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new); + DBG1(DBG_IKE, "reauthenticating IKE_SA failed"); + } + charon->bus->set_sa(charon->bus, this->ike_sa); +} + METHOD(task_manager_t, queue_ike_reauth, void, private_task_manager_t *this) { + if (this->make_before_break) + { + return trigger_mbb_reauth(this); + } queue_task(this, (task_t*)ike_reauth_create(this->ike_sa)); } @@ -1773,6 +1854,8 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa) "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns), .retransmit_base = lib->settings->get_double(lib->settings, "%s.retransmit_base", RETRANSMIT_BASE, lib->ns), + .make_before_break = lib->settings->get_bool(lib->settings, + "%s.make_before_break", FALSE, lib->ns), ); return &this->public; diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index a1f01c276..6d9132a68 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -104,6 +104,11 @@ struct private_child_create_t { */ diffie_hellman_t *dh; + /** + * Applying DH public value failed? + */ + bool dh_failed; + /** * group used for DH exchange */ @@ -159,6 +164,16 @@ struct private_child_create_t { */ u_int32_t reqid; + /** + * Explicit inbound mark value + */ + u_int mark_in; + + /** + * Explicit outbound mark value + */ + u_int mark_out; + /** * CHILD_SA which gets established */ @@ -286,7 +301,7 @@ static bool allocate_spi(private_child_create_t *this) */ static void schedule_inactivity_timeout(private_child_create_t *this) { - u_int32_t timeout; + u_int32_t timeout, id; bool close_ike; timeout = this->config->get_inactivity(this->config); @@ -294,9 +309,9 @@ static void schedule_inactivity_timeout(private_child_create_t *this) { close_ike = lib->settings->get_bool(lib->settings, "%s.inactivity_close_ike", FALSE, lib->ns); + id = this->child_sa->get_unique_id(this->child_sa); lib->scheduler->schedule_job(lib->scheduler, (job_t*) - inactivity_job_create(this->child_sa->get_reqid(this->child_sa), - timeout, close_ike), timeout); + inactivity_job_create(id, timeout, close_ike), timeout); } } @@ -683,10 +698,7 @@ static status_t select_and_install(private_child_create_t *this, this->ike_sa->add_child_sa(this->ike_sa, this->child_sa); this->established = TRUE; - if (!this->rekey) - { /* a rekeyed SA uses the same reqid, no need for a new job */ - schedule_inactivity_timeout(this); - } + schedule_inactivity_timeout(this); my_ts = linked_list_create_from_enumerator( this->child_sa->create_ts_enumerator(this->child_sa, TRUE)); @@ -696,7 +708,7 @@ static status_t select_and_install(private_child_create_t *this, DBG0(DBG_IKE, "CHILD_SA %s{%d} established " "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", this->child_sa->get_name(this->child_sa), - this->child_sa->get_reqid(this->child_sa), + this->child_sa->get_unique_id(this->child_sa), ntohl(this->child_sa->get_spi(this->child_sa, TRUE)), ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), my_ts, other_ts); @@ -709,7 +721,7 @@ static status_t select_and_install(private_child_create_t *this, /** * build the payloads for the message */ -static void build_payloads(private_child_create_t *this, message_t *message) +static bool build_payloads(private_child_create_t *this, message_t *message) { sa_payload_t *sa_payload; nonce_payload_t *nonce_payload; @@ -741,6 +753,11 @@ static void build_payloads(private_child_create_t *this, message_t *message) { ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE, this->dh); + if (!ke_payload) + { + DBG1(DBG_IKE, "creating KE payload failed"); + return FALSE; + } message->add_payload(message, (payload_t*)ke_payload); } @@ -769,6 +786,7 @@ static void build_payloads(private_child_create_t *this, message_t *message) message->add_notify(message, FALSE, ESP_TFC_PADDING_NOT_SUPPORTED, chunk_empty); } + return TRUE; } /** @@ -880,7 +898,7 @@ static void process_payloads(private_child_create_t *this, message_t *message) } if (this->dh) { - this->dh->set_other_public_value(this->dh, + this->dh_failed = !this->dh->set_other_public_value(this->dh, ke_payload->get_key_exchange_data(ke_payload)); } break; @@ -996,7 +1014,8 @@ METHOD(task_t, build_i, status_t, this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid, - this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)); + this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY), + this->mark_in, this->mark_out); if (!allocate_spi(this)) { @@ -1027,7 +1046,10 @@ METHOD(task_t, build_i, status_t, NARROW_INITIATOR_PRE_AUTH, this->tsi, this->tsr); } - build_payloads(this, message); + if (!build_payloads(this, message)) + { + return FAILED; + } this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy)); this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy)); @@ -1168,12 +1190,19 @@ METHOD(task_t, build_r, status_t, case IKE_SA_INIT: return get_nonce(message, &this->my_nonce); case CREATE_CHILD_SA: - if (generate_nonce(this) != SUCCESS) + if (generate_nonce(this) != SUCCESS ) { message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty); return SUCCESS; } + if (this->dh_failed) + { + DBG1(DBG_IKE, "applying DH public value failed"); + message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, + chunk_empty); + return SUCCESS; + } no_dh = FALSE; break; case IKE_AUTH: @@ -1241,7 +1270,8 @@ METHOD(task_t, build_r, status_t, this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid, - this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)); + this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY), + this->mark_in, this->mark_out); if (this->ipcomp_received != IPCOMP_NONE) { @@ -1279,7 +1309,12 @@ METHOD(task_t, build_r, status_t, return SUCCESS; } - build_payloads(this, message); + if (!build_payloads(this, message)) + { + message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty); + handle_child_sa_failure(this, message); + return SUCCESS; + } if (!this->rekey) { /* invoke the child_up() hook if we are not rekeying */ @@ -1408,6 +1443,7 @@ METHOD(task_t, process_i, status_t, this->dh_group, diffie_hellman_group_names, group); this->retry = TRUE; this->dh_group = group; + this->child_sa->set_state(this->child_sa, CHILD_RETRYING); this->public.task.migrate(&this->public.task, this->ike_sa); enumerator->destroy(enumerator); return NEED_MORE; @@ -1456,6 +1492,13 @@ METHOD(task_t, process_i, status_t, return delete_failed_sa(this); } + if (this->dh_failed) + { + DBG1(DBG_IKE, "applying DH public value failed"); + handle_child_sa_failure(this, message); + return delete_failed_sa(this); + } + if (select_and_install(this, no_dh, ike_auth) == SUCCESS) { if (!this->rekey) @@ -1477,6 +1520,13 @@ METHOD(child_create_t, use_reqid, void, this->reqid = reqid; } +METHOD(child_create_t, use_marks, void, + private_child_create_t *this, u_int in, u_int out) +{ + this->mark_in = in; + this->mark_out = out; +} + METHOD(child_create_t, get_child, child_sa_t*, private_child_create_t *this) { @@ -1526,6 +1576,7 @@ METHOD(task_t, migrate, void, DESTROY_IF(this->child_sa); DESTROY_IF(this->proposal); DESTROY_IF(this->dh); + this->dh_failed = FALSE; if (this->proposals) { this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy)); @@ -1544,6 +1595,8 @@ METHOD(task_t, migrate, void, this->ipcomp_received = IPCOMP_NONE; this->other_cpi = 0; this->reqid = 0; + this->mark_in = 0; + this->mark_out = 0; this->established = FALSE; } @@ -1592,6 +1645,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, .set_config = _set_config, .get_lower_nonce = _get_lower_nonce, .use_reqid = _use_reqid, + .use_marks = _use_marks, .task = { .get_type = _get_type, .migrate = _migrate, diff --git a/src/libcharon/sa/ikev2/tasks/child_create.h b/src/libcharon/sa/ikev2/tasks/child_create.h index d29ba3d98..46d9403ee 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.h +++ b/src/libcharon/sa/ikev2/tasks/child_create.h @@ -51,6 +51,14 @@ struct child_create_t { */ void (*use_reqid) (child_create_t *this, u_int32_t reqid); + /** + * Use specific mark values to override configuration. + * + * @param in inbound mark value + * @param out outbound mark value + */ + void (*use_marks)(child_create_t *this, u_int in, u_int out); + /** * Get the lower of the two nonces, used for rekey collisions. * diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c index 2b1697423..f0b11e291 100644 --- a/src/libcharon/sa/ikev2/tasks/child_delete.c +++ b/src/libcharon/sa/ikev2/tasks/child_delete.c @@ -267,7 +267,7 @@ static void log_children(private_child_delete_t *this) { DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} " "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", - child_sa->get_name(child_sa), child_sa->get_reqid(child_sa), + child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), ntohl(child_sa->get_spi(child_sa, TRUE)), ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts); } @@ -278,7 +278,7 @@ static void log_children(private_child_delete_t *this) DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs %.8x_i " "(%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R", - child_sa->get_name(child_sa), child_sa->get_reqid(child_sa), + child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in, ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out, my_ts, other_ts); diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c index db872827d..c806e19ca 100644 --- a/src/libcharon/sa/ikev2/tasks/child_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c @@ -96,9 +96,9 @@ static void schedule_delayed_rekey(private_child_rekey_t *this) retry = RETRY_INTERVAL - (random() % RETRY_JITTER); job = (job_t*)rekey_child_sa_job_create( - this->child_sa->get_reqid(this->child_sa), this->child_sa->get_protocol(this->child_sa), - this->child_sa->get_spi(this->child_sa, TRUE)); + this->child_sa->get_spi(this->child_sa, TRUE), + this->ike_sa->get_my_host(this->ike_sa)); DBG1(DBG_IKE, "CHILD_SA rekeying failed, trying again in %d seconds", retry); this->child_sa->set_state(this->child_sa, CHILD_INSTALLED); lib->scheduler->schedule_job(lib->scheduler, job, retry); @@ -184,6 +184,9 @@ METHOD(task_t, build_i, status_t, } reqid = this->child_sa->get_reqid(this->child_sa); this->child_create->use_reqid(this->child_create, reqid); + this->child_create->use_marks(this->child_create, + this->child_sa->get_mark(this->child_sa, TRUE).value, + this->child_sa->get_mark(this->child_sa, FALSE).value); if (this->child_create->task.build(&this->child_create->task, message) != NEED_MORE) @@ -224,6 +227,9 @@ METHOD(task_t, build_r, status_t, /* let the CHILD_CREATE task build the response */ reqid = this->child_sa->get_reqid(this->child_sa); this->child_create->use_reqid(this->child_create, reqid); + this->child_create->use_marks(this->child_create, + this->child_sa->get_mark(this->child_sa, TRUE).value, + this->child_sa->get_mark(this->child_sa, FALSE).value); config = this->child_sa->get_config(this->child_sa); this->child_create->set_config(this->child_create, config->get_ref(config)); this->child_create->task.build(&this->child_create->task, message); diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c index 0dac975e7..ca17494de 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c +++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c @@ -229,12 +229,12 @@ static void process_x509(cert_payload_t *payload, auth_cfg_t *auth, return; } url = strdup(url); - if (first) + if (*first) { /* first URL is for an end entity certificate */ DBG1(DBG_IKE, "received hash-and-url for end entity cert \"%s\"", url); auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url); - first = FALSE; + *first = FALSE; } else { diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c index da06e2a36..646f20c61 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_config.c +++ b/src/libcharon/sa/ikev2/tasks/ike_config.c @@ -17,7 +17,6 @@ #include "ike_config.h" #include -#include #include typedef struct private_ike_config_t private_ike_config_t; @@ -127,9 +126,8 @@ static void handle_attribute(private_ike_config_t *this, enumerator->destroy(enumerator); /* and pass it to the handle function */ - handler = hydra->attributes->handle(hydra->attributes, - this->ike_sa->get_other_id(this->ike_sa), handler, - ca->get_type(ca), ca->get_chunk(ca)); + handler = charon->attributes->handle(charon->attributes, + this->ike_sa, handler, ca->get_type(ca), ca->get_chunk(ca)); this->ike_sa->add_configuration_attribute(this->ike_sa, handler, ca->get_type(ca), ca->get_chunk(ca)); } @@ -274,9 +272,8 @@ METHOD(task_t, build_i, status_t, enumerator->destroy(enumerator); } - enumerator = hydra->attributes->create_initiator_enumerator( - hydra->attributes, - this->ike_sa->get_other_id(this->ike_sa), vips); + enumerator = charon->attributes->create_initiator_enumerator( + charon->attributes, this->ike_sa, vips); while (enumerator->enumerate(enumerator, &handler, &type, &data)) { configuration_attribute_t *ca; @@ -352,8 +349,8 @@ METHOD(task_t, build_r, status_t, /* query all pools until we get an address */ DBG1(DBG_IKE, "peer requested virtual IP %H", requested); - found = hydra->attributes->acquire_address(hydra->attributes, - pools, id, requested); + found = charon->attributes->acquire_address(charon->attributes, + pools, this->ike_sa, requested); if (found) { DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id); @@ -398,8 +395,8 @@ METHOD(task_t, build_r, status_t, } /* query registered providers for additional attributes to include */ - enumerator = hydra->attributes->create_responder_enumerator( - hydra->attributes, pools, id, vips); + enumerator = charon->attributes->create_responder_enumerator( + charon->attributes, pools, this->ike_sa, vips); while (enumerator->enumerate(enumerator, &type, &value)) { if (!cp) diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index 71c5f22fa..0d5700ef2 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2009 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -20,8 +20,11 @@ #include #include +#include +#include #include #include +#include #include #include #include @@ -66,6 +69,11 @@ struct private_ike_init_t { */ diffie_hellman_t *dh; + /** + * Applying DH public value failed? + */ + bool dh_failed; + /** * Keymat derivation (from IKE_SA) */ @@ -100,12 +108,114 @@ struct private_ike_init_t { * retries done so far after failure (cookie or bad dh group) */ u_int retry; + + /** + * Whether to use Signature Authentication as per RFC 7427 + */ + bool signature_authentication; }; +/** + * Notify the peer about the hash algorithms we support or expect, + * as per RFC 7427 + */ +static void send_supported_hash_algorithms(private_ike_init_t *this, + message_t *message) +{ + hash_algorithm_set_t *algos; + enumerator_t *enumerator, *rounds; + bio_writer_t *writer; + hash_algorithm_t hash; + peer_cfg_t *peer; + auth_cfg_t *auth; + auth_rule_t rule; + uintptr_t config; + char *plugin_name; + + algos = hash_algorithm_set_create(); + peer = this->ike_sa->get_peer_cfg(this->ike_sa); + if (peer) + { + rounds = peer->create_auth_cfg_enumerator(peer, FALSE); + while (rounds->enumerate(rounds, &auth)) + { + enumerator = auth->create_enumerator(auth); + while (enumerator->enumerate(enumerator, &rule, &config)) + { + if (rule == AUTH_RULE_SIGNATURE_SCHEME) + { + hash = hasher_from_signature_scheme(config); + if (hasher_algorithm_for_ikev2(hash)) + { + algos->add(algos, hash); + } + } + } + enumerator->destroy(enumerator); + } + rounds->destroy(rounds); + } + + if (!algos->count(algos)) + { + enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &hash, &plugin_name)) + { + if (hasher_algorithm_for_ikev2(hash)) + { + algos->add(algos, hash); + } + } + enumerator->destroy(enumerator); + } + + if (algos->count(algos)) + { + writer = bio_writer_create(0); + enumerator = algos->create_enumerator(algos); + while (enumerator->enumerate(enumerator, &hash)) + { + writer->write_uint16(writer, hash); + } + enumerator->destroy(enumerator); + message->add_notify(message, FALSE, SIGNATURE_HASH_ALGORITHMS, + writer->get_buf(writer)); + writer->destroy(writer); + } + algos->destroy(algos); +} + +/** + * Store algorithms supported by other peer + */ +static void handle_supported_hash_algorithms(private_ike_init_t *this, + notify_payload_t *notify) +{ + bio_reader_t *reader; + u_int16_t algo; + bool added = FALSE; + + reader = bio_reader_create(notify->get_notification_data(notify)); + while (reader->remaining(reader) >= 2 && reader->read_uint16(reader, &algo)) + { + if (hasher_algorithm_for_ikev2(algo)) + { + this->keymat->add_hash_algorithm(this->keymat, algo); + added = TRUE; + } + } + reader->destroy(reader); + + if (added) + { + this->ike_sa->enable_extension(this->ike_sa, EXT_SIGNATURE_AUTH); + } +} + /** * build the payloads for the message */ -static void build_payloads(private_ike_init_t *this, message_t *message) +static bool build_payloads(private_ike_init_t *this, message_t *message) { sa_payload_t *sa_payload; ke_payload_t *ke_payload; @@ -149,7 +259,13 @@ static void build_payloads(private_ike_init_t *this, message_t *message) nonce_payload = nonce_payload_create(PLV2_NONCE); nonce_payload->set_nonce(nonce_payload, this->my_nonce); - ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE, this->dh); + ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE, + this->dh); + if (!ke_payload) + { + DBG1(DBG_IKE, "creating KE payload failed"); + return FALSE; + } if (this->old_sa) { /* payload order differs if we are rekeying */ @@ -174,6 +290,17 @@ static void build_payloads(private_ike_init_t *this, message_t *message) chunk_empty); } } + /* submit supported hash algorithms for signature authentication */ + if (!this->old_sa && this->signature_authentication) + { + if (this->initiator || + this->ike_sa->supports_extension(this->ike_sa, + EXT_SIGNATURE_AUTH)) + { + send_supported_hash_algorithms(this, message); + } + } + return TRUE; } /** @@ -183,6 +310,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message) { enumerator_t *enumerator; payload_t *payload; + ke_payload_t *ke_payload = NULL; enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) @@ -211,19 +339,9 @@ static void process_payloads(private_ike_init_t *this, message_t *message) } case PLV2_KEY_EXCHANGE: { - ke_payload_t *ke_payload = (ke_payload_t*)payload; + ke_payload = (ke_payload_t*)payload; this->dh_group = ke_payload->get_dh_group_number(ke_payload); - if (!this->initiator) - { - this->dh = this->keymat->keymat.create_dh( - &this->keymat->keymat, this->dh_group); - } - if (this->dh) - { - this->dh->set_other_public_value(this->dh, - ke_payload->get_key_exchange_data(ke_payload)); - } break; } case PLV2_NONCE: @@ -237,17 +355,44 @@ static void process_payloads(private_ike_init_t *this, message_t *message) { notify_payload_t *notify = (notify_payload_t*)payload; - if (notify->get_notify_type(notify) == FRAGMENTATION_SUPPORTED) + switch (notify->get_notify_type(notify)) { - this->ike_sa->enable_extension(this->ike_sa, - EXT_IKE_FRAGMENTATION); + case FRAGMENTATION_SUPPORTED: + this->ike_sa->enable_extension(this->ike_sa, + EXT_IKE_FRAGMENTATION); + break; + case SIGNATURE_HASH_ALGORITHMS: + if (this->signature_authentication) + { + handle_supported_hash_algorithms(this, notify); + } + break; + default: + /* other notifies are handled elsewhere */ + break; } + } default: break; } } enumerator->destroy(enumerator); + + if (ke_payload && this->proposal && + this->proposal->has_dh_group(this->proposal, this->dh_group)) + { + if (!this->initiator) + { + this->dh = this->keymat->keymat.create_dh( + &this->keymat->keymat, this->dh_group); + } + if (this->dh) + { + this->dh_failed = !this->dh->set_other_public_value(this->dh, + ke_payload->get_key_exchange_data(ke_payload)); + } + } } METHOD(task_t, build_i, status_t, @@ -305,7 +450,10 @@ METHOD(task_t, build_i, status_t, message->add_notify(message, FALSE, COOKIE, this->cookie); } - build_payloads(this, message); + if (!build_payloads(this, message)) + { + return FAILED; + } #ifdef ME { @@ -433,13 +581,24 @@ METHOD(task_t, build_r, status_t, return FAILED; } + if (this->dh_failed) + { + DBG1(DBG_IKE, "applying DH public value failed"); + message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty); + return FAILED; + } + if (!derive_keys(this, this->other_nonce, this->my_nonce)) { DBG1(DBG_IKE, "key derivation failed"); message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty); return FAILED; } - build_payloads(this, message); + if (!build_payloads(this, message)) + { + message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty); + return FAILED; + } return SUCCESS; } @@ -554,6 +713,12 @@ METHOD(task_t, process_i, status_t, return FAILED; } + if (this->dh_failed) + { + DBG1(DBG_IKE, "applying DH public value failed"); + return FAILED; + } + if (!derive_keys(this, this->my_nonce, this->other_nonce)) { DBG1(DBG_IKE, "key derivation failed"); @@ -577,6 +742,7 @@ METHOD(task_t, migrate, void, this->ike_sa = ike_sa; this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa); this->proposal = NULL; + this->dh_failed = FALSE; if (this->dh && this->dh->get_dh_group(this->dh) != this->dh_group) { /* reset DH value only if group changed (INVALID_KE_PAYLOAD) */ this->dh->destroy(this->dh); @@ -631,6 +797,8 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa) .dh_group = MODP_NONE, .keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa), .old_sa = old_sa, + .signature_authentication = lib->settings->get_bool(lib->settings, + "%s.signature_authentication", TRUE, lib->ns), ); if (initiator) diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c index d91fa5862..6295d7960 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c +++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c @@ -256,6 +256,7 @@ static void update_children(private_ike_mobike_t *this) enumerator_t *enumerator; child_sa_t *child_sa; linked_list_t *vips; + status_t status; host_t *host; vips = linked_list_create(); @@ -270,15 +271,25 @@ static void update_children(private_ike_mobike_t *this) enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa); while (enumerator->enumerate(enumerator, (void**)&child_sa)) { - if (child_sa->update(child_sa, - this->ike_sa->get_my_host(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa), vips, - this->ike_sa->has_condition(this->ike_sa, - COND_NAT_ANY)) == NOT_SUPPORTED) + status = child_sa->update(child_sa, + this->ike_sa->get_my_host(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa), vips, + this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)); + switch (status) { - this->ike_sa->rekey_child_sa(this->ike_sa, - child_sa->get_protocol(child_sa), - child_sa->get_spi(child_sa, TRUE)); + case NOT_SUPPORTED: + this->ike_sa->rekey_child_sa(this->ike_sa, + child_sa->get_protocol(child_sa), + child_sa->get_spi(child_sa, TRUE)); + break; + case SUCCESS: + charon->child_sa_manager->remove(charon->child_sa_manager, + child_sa); + charon->child_sa_manager->add(charon->child_sa_manager, + child_sa, this->ike_sa); + break; + default: + break; } } enumerator->destroy(enumerator); diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth.h b/src/libcharon/sa/ikev2/tasks/ike_reauth.h index 781b463a7..e2e48f0d4 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_reauth.h +++ b/src/libcharon/sa/ikev2/tasks/ike_reauth.h @@ -29,6 +29,8 @@ typedef struct ike_reauth_t ike_reauth_t; /** * Task of type ike_reauth, reestablishes an IKE_SA. + * + * This task implements break-before-make reauthentication. */ struct ike_reauth_t { diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.c b/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.c new file mode 100644 index 000000000..a01489c03 --- /dev/null +++ b/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.c @@ -0,0 +1,102 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ike_reauth_complete.h" + +#include +#include + + +typedef struct private_ike_reauth_complete_t private_ike_reauth_complete_t; + +/** + * Private members of a ike_reauth_complete_t task. + */ +struct private_ike_reauth_complete_t { + + /** + * Public methods and task_t interface. + */ + ike_reauth_complete_t public; + + /** + * Assigned IKE_SA. + */ + ike_sa_t *ike_sa; + + /** + * Reauthenticated IKE_SA identifier + */ + ike_sa_id_t *id; +}; + +METHOD(task_t, build_i, status_t, + private_ike_reauth_complete_t *this, message_t *message) +{ + message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED); + lib->processor->queue_job(lib->processor, + (job_t*)delete_ike_sa_job_create(this->id, TRUE)); + return SUCCESS; +} + +METHOD(task_t, process_i, status_t, + private_ike_reauth_complete_t *this, message_t *message) +{ + return DESTROY_ME; +} + +METHOD(task_t, get_type, task_type_t, + private_ike_reauth_complete_t *this) +{ + return TASK_IKE_REAUTH_COMPLETE; +} + +METHOD(task_t, migrate, void, + private_ike_reauth_complete_t *this, ike_sa_t *ike_sa) +{ + this->ike_sa = ike_sa; +} + +METHOD(task_t, destroy, void, + private_ike_reauth_complete_t *this) +{ + this->id->destroy(this->id); + free(this); +} + +/* + * Described in header. + */ +ike_reauth_complete_t *ike_reauth_complete_create(ike_sa_t *ike_sa, + ike_sa_id_t *id) +{ + private_ike_reauth_complete_t *this; + + INIT(this, + .public = { + .task = { + .get_type = _get_type, + .migrate = _migrate, + .build = _build_i, + .process = _process_i, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .id = id->clone(id), + ); + + return &this->public; +} diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.h b/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.h new file mode 100644 index 000000000..cc3d3b713 --- /dev/null +++ b/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.h @@ -0,0 +1,56 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ike_reauth_complete ike_reauth_complete + * @{ @ingroup tasks_v2 + */ + +#ifndef IKE_REAUTH_COMPLETE_H_ +#define IKE_REAUTH_COMPLETE_H_ + +typedef struct ike_reauth_complete_t ike_reauth_complete_t; + +#include +#include +#include + +/** + * Task of type IKE_REAUTH_COMPLETE, removes reauthenticated SA after reauth. + * + * This task completes make-before-break reauthentication by deleting the + * old, reauthenticated IKE_SA after the new one established. + */ +struct ike_reauth_complete_t { + + /** + * Implements the task_t interface + */ + task_t task; +}; + +/** + * Create a new ike_reauth_complete task. + * + * This task is initiator only. + * + * @param ike_sa IKE_SA this task works for + * @param id old, reauthenticated IKE_SA + * @return ike_reauth_complete task to handle by the task_manager + */ +ike_reauth_complete_t *ike_reauth_complete_create(ike_sa_t *ike_sa, + ike_sa_id_t *id); + +#endif /** IKE_REAUTH_COMPLETE_H_ @}*/ diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c index 444ac6ade..1855517ce 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c @@ -22,6 +22,7 @@ #include #include #include +#include typedef struct private_ike_rekey_t private_ike_rekey_t; @@ -67,6 +68,25 @@ struct private_ike_rekey_t { task_t *collision; }; +/** + * Check if an IKE_SA has any queued tasks, return initiation job + */ +static job_t* check_queued_tasks(ike_sa_t *ike_sa) +{ + enumerator_t *enumerator; + task_t *task; + job_t *job = NULL; + + enumerator = ike_sa->create_task_enumerator(ike_sa, TASK_QUEUE_QUEUED); + if (enumerator->enumerate(enumerator, &task)) + { + job = (job_t*)initiate_tasks_job_create(ike_sa->get_id(ike_sa)); + } + enumerator->destroy(enumerator); + + return job; +} + /** * Establish the new replacement IKE_SA */ @@ -74,6 +94,8 @@ static void establish_new(private_ike_rekey_t *this) { if (this->new_sa) { + job_t *job; + this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED); DBG0(DBG_IKE, "IKE_SA %s[%d] rekeyed between %H[%Y]...%H[%Y]", this->new_sa->get_name(this->new_sa), @@ -85,7 +107,14 @@ static void establish_new(private_ike_rekey_t *this) this->new_sa->inherit_post(this->new_sa, this->ike_sa); charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa); + job = check_queued_tasks(this->new_sa); + /* don't queue job before checkin(), as the IKE_SA is not yet + * registered at the manager */ charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa); + if (job) + { + lib->processor->queue_job(lib->processor, job); + } this->new_sa = NULL; /* set threads active IKE_SA after checkin */ charon->bus->set_sa(charon->bus, this->ike_sa); @@ -163,6 +192,7 @@ METHOD(task_t, process_r, status_t, { case CHILD_CREATED: case CHILD_REKEYING: + case CHILD_RETRYING: case CHILD_DELETING: /* we do not allow rekeying while we have children in-progress */ DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open"); @@ -209,6 +239,12 @@ METHOD(task_t, build_r, status_t, this->public.task.build = _build_r_delete; this->public.task.process = _process_r_delete; + /* the peer does have to delete the IKE_SA. If it does not, we get a + * unusable IKE_SA in REKEYING state without a replacement. We consider + * this a timeout condition by the peer, and trigger a delete actively. */ + lib->scheduler->schedule_job(lib->scheduler, (job_t*) + delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE), 90); + return NEED_MORE; } diff --git a/src/libcharon/sa/task.c b/src/libcharon/sa/task.c index 4336b23ff..b35b58185 100644 --- a/src/libcharon/sa/task.c +++ b/src/libcharon/sa/task.c @@ -27,6 +27,7 @@ ENUM(task_type_names, TASK_IKE_INIT, TASK_ISAKMP_CERT_POST, "IKE_CONFIG", "IKE_REKEY", "IKE_REAUTH", + "IKE_REAUTH_COMPLETE", "IKE_DELETE", "IKE_DPD", "IKE_VENDOR", diff --git a/src/libcharon/sa/task.h b/src/libcharon/sa/task.h index f2c4299cc..7bd3da1fe 100644 --- a/src/libcharon/sa/task.h +++ b/src/libcharon/sa/task.h @@ -22,6 +22,8 @@ #ifndef TASK_H_ #define TASK_H_ +#include + typedef enum task_type_t task_type_t; typedef struct task_t task_t; @@ -51,8 +53,10 @@ enum task_type_t { TASK_IKE_CONFIG, /** rekey an IKE_SA */ TASK_IKE_REKEY, - /** reestablish a complete IKE_SA */ + /** reestablish a complete IKE_SA, break-before-make */ TASK_IKE_REAUTH, + /** completion task for make-before-break IKE_SA re-authentication */ + TASK_IKE_REAUTH_COMPLETE, /** delete an IKE_SA */ TASK_IKE_DELETE, /** liveness check */ diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index 7e55d6b0f..d6ff3c8c5 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c @@ -65,6 +65,11 @@ struct private_trap_manager_t { * listener to track acquiring IKE_SAs */ trap_listener_t listener; + + /** + * Whether to ignore traffic selectors from acquires + */ + bool ignore_acquire_ts; }; /** @@ -171,7 +176,7 @@ METHOD(trap_manager_t, install, u_int32_t, this->lock->unlock(this->lock); /* create and route CHILD_SA */ - child_sa = child_sa_create(me, other, child, reqid, FALSE); + child_sa = child_sa_create(me, other, child, reqid, FALSE, 0, 0); list = linked_list_create_with_items(me, NULL); my_ts = child->get_traffic_selectors(child, TRUE, NULL, list); @@ -353,7 +358,7 @@ METHOD(trap_manager_t, acquire, void, { ike_sa->set_peer_cfg(ike_sa, peer); } - if (ike_sa->get_version(ike_sa) == IKEV1) + if (this->ignore_acquire_ts || ike_sa->get_version(ike_sa) == IKEV1) { /* in IKEv1, don't prepend the acquiring packet TS, as we only * have a single TS that we can establish in a Quick Mode. */ src = dst = NULL; @@ -484,6 +489,8 @@ trap_manager_t *trap_manager_create(void) }, .traps = linked_list_create(), .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .ignore_acquire_ts = lib->settings->get_bool(lib->settings, + "%s.ignore_acquire_ts", FALSE, lib->ns), ); charon->bus->add_listener(charon->bus, &this->listener.listener); diff --git a/src/libcharon/tests/Makefile.am b/src/libcharon/tests/Makefile.am new file mode 100644 index 000000000..c8be28594 --- /dev/null +++ b/src/libcharon/tests/Makefile.am @@ -0,0 +1,21 @@ +TESTS = libcharon_tests + +check_PROGRAMS = $(TESTS) + +libcharon_tests_SOURCES = \ + suites/test_mem_pool.c \ + libcharon_tests.h libcharon_tests.c + +libcharon_tests_CFLAGS = \ + -I$(top_srcdir)/src/libcharon \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + @COVERAGE_CFLAGS@ + +libcharon_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +libcharon_tests_LDADD = \ + $(top_builddir)/src/libcharon/libcharon.la \ + $(top_builddir)/src/libhydra/libhydra.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in new file mode 100644 index 000000000..7f4f4b24e --- /dev/null +++ b/src/libcharon/tests/Makefile.in @@ -0,0 +1,874 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +TESTS = libcharon_tests$(EXEEXT) +check_PROGRAMS = $(am__EXEEXT_1) +subdir = src/libcharon/tests +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__EXEEXT_1 = libcharon_tests$(EXEEXT) +am__dirstamp = $(am__leading_dot)dirstamp +am_libcharon_tests_OBJECTS = \ + suites/libcharon_tests-test_mem_pool.$(OBJEXT) \ + libcharon_tests-libcharon_tests.$(OBJEXT) +libcharon_tests_OBJECTS = $(am_libcharon_tests_OBJECTS) +libcharon_tests_DEPENDENCIES = \ + $(top_builddir)/src/libcharon/libcharon.la \ + $(top_builddir)/src/libhydra/libhydra.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libcharon_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libcharon_tests_CFLAGS) $(CFLAGS) $(libcharon_tests_LDFLAGS) \ + $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libcharon_tests_SOURCES) +DIST_SOURCES = $(libcharon_tests_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red=''; \ + grn=''; \ + lgn=''; \ + blu=''; \ + mgn=''; \ + brg=''; \ + std=''; \ + fi; \ +} +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +libcharon_tests_SOURCES = \ + suites/test_mem_pool.c \ + libcharon_tests.h libcharon_tests.c + +libcharon_tests_CFLAGS = \ + -I$(top_srcdir)/src/libcharon \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + @COVERAGE_CFLAGS@ + +libcharon_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +libcharon_tests_LDADD = \ + $(top_builddir)/src/libcharon/libcharon.la \ + $(top_builddir)/src/libhydra/libhydra.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/tests/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/tests/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +suites/$(am__dirstamp): + @$(MKDIR_P) suites + @: > suites/$(am__dirstamp) +suites/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) suites/$(DEPDIR) + @: > suites/$(DEPDIR)/$(am__dirstamp) +suites/libcharon_tests-test_mem_pool.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) + +libcharon_tests$(EXEEXT): $(libcharon_tests_OBJECTS) $(libcharon_tests_DEPENDENCIES) $(EXTRA_libcharon_tests_DEPENDENCIES) + @rm -f libcharon_tests$(EXEEXT) + $(AM_V_CCLD)$(libcharon_tests_LINK) $(libcharon_tests_OBJECTS) $(libcharon_tests_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + -rm -f suites/*.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcharon_tests-libcharon_tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +suites/libcharon_tests-test_mem_pool.o: suites/test_mem_pool.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_mem_pool.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo -c -o suites/libcharon_tests-test_mem_pool.o `test -f 'suites/test_mem_pool.c' || echo '$(srcdir)/'`suites/test_mem_pool.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mem_pool.c' object='suites/libcharon_tests-test_mem_pool.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_mem_pool.o `test -f 'suites/test_mem_pool.c' || echo '$(srcdir)/'`suites/test_mem_pool.c + +suites/libcharon_tests-test_mem_pool.obj: suites/test_mem_pool.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_mem_pool.obj -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo -c -o suites/libcharon_tests-test_mem_pool.obj `if test -f 'suites/test_mem_pool.c'; then $(CYGPATH_W) 'suites/test_mem_pool.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mem_pool.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mem_pool.c' object='suites/libcharon_tests-test_mem_pool.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_mem_pool.obj `if test -f 'suites/test_mem_pool.c'; then $(CYGPATH_W) 'suites/test_mem_pool.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mem_pool.c'; fi` + +libcharon_tests-libcharon_tests.o: libcharon_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT libcharon_tests-libcharon_tests.o -MD -MP -MF $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo -c -o libcharon_tests-libcharon_tests.o `test -f 'libcharon_tests.c' || echo '$(srcdir)/'`libcharon_tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo $(DEPDIR)/libcharon_tests-libcharon_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='libcharon_tests.c' object='libcharon_tests-libcharon_tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o libcharon_tests-libcharon_tests.o `test -f 'libcharon_tests.c' || echo '$(srcdir)/'`libcharon_tests.c + +libcharon_tests-libcharon_tests.obj: libcharon_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT libcharon_tests-libcharon_tests.obj -MD -MP -MF $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo -c -o libcharon_tests-libcharon_tests.obj `if test -f 'libcharon_tests.c'; then $(CYGPATH_W) 'libcharon_tests.c'; else $(CYGPATH_W) '$(srcdir)/libcharon_tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo $(DEPDIR)/libcharon_tests-libcharon_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='libcharon_tests.c' object='libcharon_tests-libcharon_tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o libcharon_tests-libcharon_tests.obj `if test -f 'libcharon_tests.c'; then $(CYGPATH_W) 'libcharon_tests.c'; else $(CYGPATH_W) '$(srcdir)/libcharon_tests.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + $(am__tty_colors); \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + col=$$red; res=XPASS; \ + ;; \ + *) \ + col=$$grn; res=PASS; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xfail=`expr $$xfail + 1`; \ + col=$$lgn; res=XFAIL; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + col=$$red; res=FAIL; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + col=$$blu; res=SKIP; \ + fi; \ + echo "$${col}$$res$${std}: $$tst"; \ + done; \ + if test "$$all" -eq 1; then \ + tests="test"; \ + All=""; \ + else \ + tests="tests"; \ + All="All "; \ + fi; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="$$All$$all $$tests passed"; \ + else \ + if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ + banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all $$tests failed"; \ + else \ + if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ + banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + if test "$$skip" -eq 1; then \ + skipped="($$skip test was not run)"; \ + else \ + skipped="($$skip tests were not run)"; \ + fi; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + if test "$$failed" -eq 0; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + fi; \ + echo "$${col}$$dashes$${std}"; \ + echo "$${col}$$banner$${std}"; \ + test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \ + test -z "$$report" || echo "$${col}$$report$${std}"; \ + echo "$${col}$$dashes$${std}"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + -rm -f suites/$(DEPDIR)/$(am__dirstamp) + -rm -f suites/$(am__dirstamp) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) suites/$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) suites/$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: check-am install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ + clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/tests/libcharon_tests.c b/src/libcharon/tests/libcharon_tests.c new file mode 100644 index 000000000..1ed0f0c95 --- /dev/null +++ b/src/libcharon/tests/libcharon_tests.c @@ -0,0 +1,56 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include +#include + +/* declare test suite constructors */ +#define TEST_SUITE(x) test_suite_t* x(); +#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x) +#include "libcharon_tests.h" +#undef TEST_SUITE +#undef TEST_SUITE_DEPEND + +static test_configuration_t tests[] = { +#define TEST_SUITE(x) \ + { .suite = x, }, +#define TEST_SUITE_DEPEND(x, type, args) \ + { .suite = x, .feature = PLUGIN_DEPENDS(type, args) }, +#include "libcharon_tests.h" + { .suite = NULL, } +}; + +static bool test_runner_init(bool init) +{ + if (init) + { + libhydra_init(); + libcharon_init(); + } + else + { + lib->processor->set_threads(lib->processor, 0); + lib->processor->cancel(lib->processor); + libcharon_deinit(); + libhydra_deinit(); + } + return TRUE; +} + +int main(int argc, char *argv[]) +{ + return test_runner_run("libcharon", tests, test_runner_init); +} diff --git a/src/libcharon/tests/libcharon_tests.h b/src/libcharon/tests/libcharon_tests.h new file mode 100644 index 000000000..dc9681aeb --- /dev/null +++ b/src/libcharon/tests/libcharon_tests.h @@ -0,0 +1,16 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +TEST_SUITE(mem_pool_suite_create) diff --git a/src/libcharon/tests/suites/test_mem_pool.c b/src/libcharon/tests/suites/test_mem_pool.c new file mode 100644 index 000000000..4204d4bab --- /dev/null +++ b/src/libcharon/tests/suites/test_mem_pool.c @@ -0,0 +1,230 @@ +/* + * Copyright (C) 2014 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include + +static void assert_host(char *expected, host_t *host) +{ + if (!expected) + { + ck_assert_msg(!host, "not epxecting IP != %+H", host); + } + else + { + host_t *verifier; + verifier = host_create_from_string(expected, 0); + ck_assert_msg(host, "expected IP %+H != NULL", verifier); + ck_assert_msg(verifier->ip_equals(verifier, host), "expected IP %+H != " + "%+H", verifier, host);; + verifier->destroy(verifier); + } +} + +static void assert_acquire(mem_pool_t *pool, char *requested, char *expected, + mem_pool_op_t operation) +{ + identification_t *id; + host_t *req, *acquired; + + id = identification_create_from_string("tester"); + req = host_create_from_string(requested, 0); + + acquired = pool->acquire_address(pool, id, req, operation, NULL); + assert_host(expected, acquired); + DESTROY_IF(acquired); + + req->destroy(req); + id->destroy(id); +} + +static void assert_acquires_new(mem_pool_t *pool, char *pattern, int first) +{ + char expected[16]; + int i; + + for (i = 0; i < pool->get_size(pool); i++) + { + snprintf(expected, sizeof(expected), pattern, first + i); + assert_acquire(pool, "0.0.0.0", expected, MEM_POOL_NEW); + ck_assert_int_eq(i + 1, pool->get_online(pool)); + } + assert_acquire(pool, "0.0.0.0", NULL, MEM_POOL_NEW); +} + +START_TEST(test_config) +{ + mem_pool_t *pool; + + pool = mem_pool_create("test", NULL, 0); + ck_assert_int_eq(0, pool->get_size(pool)); + assert_acquire(pool, "192.168.0.1", "192.168.0.1", MEM_POOL_NEW); + assert_acquire(pool, "10.0.1.1", "10.0.1.1", MEM_POOL_NEW); + assert_acquire(pool, "0.0.0.0", "0.0.0.0", MEM_POOL_NEW); + assert_acquire(pool, "255.255.255.255", "255.255.255.255", MEM_POOL_NEW); + ck_assert_int_eq(0, pool->get_online(pool)); + pool->destroy(pool); +} +END_TEST + +START_TEST(test_cidr) +{ + mem_pool_t *pool; + host_t *base; + + base = host_create_from_string("192.168.0.0", 0); + + pool = mem_pool_create("test", base, 32); + ck_assert_int_eq(1, pool->get_size(pool)); + assert_acquires_new(pool, "192.168.0.%d", 0); + pool->destroy(pool); + + pool = mem_pool_create("test", base, 31); + ck_assert_int_eq(2, pool->get_size(pool)); + assert_acquires_new(pool, "192.168.0.%d", 0); + pool->destroy(pool); + + pool = mem_pool_create("test", base, 30); + ck_assert_int_eq(2, pool->get_size(pool)); + assert_acquires_new(pool, "192.168.0.%d", 1); + pool->destroy(pool); + + pool = mem_pool_create("test", base, 29); + ck_assert_int_eq(6, pool->get_size(pool)); + assert_acquires_new(pool, "192.168.0.%d", 1); + pool->destroy(pool); + + pool = mem_pool_create("test", base, 24); + ck_assert_int_eq(254, pool->get_size(pool)); + assert_acquires_new(pool, "192.168.0.%d", 1); + pool->destroy(pool); + + base->destroy(base); +} +END_TEST + +START_TEST(test_cidr_offset) +{ + mem_pool_t *pool; + host_t *base; + + base = host_create_from_string("192.168.0.1", 0); + pool = mem_pool_create("test", base, 31); + ck_assert_int_eq(1, pool->get_size(pool)); + assert_acquires_new(pool, "192.168.0.%d", 1); + pool->destroy(pool); + + pool = mem_pool_create("test", base, 30); + ck_assert_int_eq(2, pool->get_size(pool)); + assert_acquires_new(pool, "192.168.0.%d", 1); + pool->destroy(pool); + base->destroy(base); + + base = host_create_from_string("192.168.0.2", 0); + pool = mem_pool_create("test", base, 30); + ck_assert_int_eq(1, pool->get_size(pool)); + assert_acquires_new(pool, "192.168.0.%d", 2); + pool->destroy(pool); + + pool = mem_pool_create("test", base, 24); + ck_assert_int_eq(253, pool->get_size(pool)); + assert_acquires_new(pool, "192.168.0.%d", 2); + pool->destroy(pool); + base->destroy(base); + + base = host_create_from_string("192.168.0.254", 0); + pool = mem_pool_create("test", base, 24); + ck_assert_int_eq(1, pool->get_size(pool)); + assert_acquires_new(pool, "192.168.0.%d", 254); + pool->destroy(pool); + base->destroy(base); + + /* due to size == 0 we get the requested IP back */ + base = host_create_from_string("192.168.0.255", 0); + pool = mem_pool_create("test", base, 24); + ck_assert_int_eq(0, pool->get_size(pool)); + assert_acquire(pool, "192.168.0.1", "192.168.0.1", MEM_POOL_NEW); + pool->destroy(pool); + + base->destroy(base); +} +END_TEST + +START_TEST(test_range) +{ + mem_pool_t *pool; + host_t *from, *to; + + from = host_create_from_string("192.168.0.0", 0); + to = host_create_from_string("192.168.0.0", 0); + pool = mem_pool_create_range("test", from, to); + ck_assert_int_eq(1, pool->get_size(pool)); + assert_acquires_new(pool, "192.168.0.%d", 0); + pool->destroy(pool); + + to->destroy(to); + to = host_create_from_string("192.168.0.1", 0); + pool = mem_pool_create_range("test", from, to); + ck_assert_int_eq(2, pool->get_size(pool)); + assert_acquires_new(pool, "192.168.0.%d", 0); + pool->destroy(pool); + + from->destroy(from); + from = host_create_from_string("192.168.0.10", 0); + pool = mem_pool_create_range("test", from, to); + ck_assert(!pool); + + to->destroy(to); + to = host_create_from_string("192.168.0.20", 0); + pool = mem_pool_create_range("test", from, to); + ck_assert_int_eq(11, pool->get_size(pool)); + assert_acquires_new(pool, "192.168.0.%d", 10); + pool->destroy(pool); + + from->destroy(from); + from = host_create_from_string("fec::1", 0); + to->destroy(to); + to = host_create_from_string("fed::1", 0); + pool = mem_pool_create_range("test", from, to); + ck_assert(!pool); + + from->destroy(from); + to->destroy(to); +} +END_TEST + +Suite *mem_pool_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("mem_pool"); + + tc = tcase_create("%config-like pool"); + tcase_add_test(tc, test_config); + suite_add_tcase(s, tc); + + tc = tcase_create("cidr constructor"); + tcase_add_test(tc, test_cidr); + tcase_add_test(tc, test_cidr_offset); + suite_add_tcase(s, tc); + + tc = tcase_create("range constructor"); + tcase_add_test(tc, test_range); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in index f0e9cbe35..6a3a4ebd5 100644 --- a/src/libfast/Makefile.in +++ b/src/libfast/Makefile.in @@ -230,6 +230,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk index ff134da7b..af39f04ec 100644 --- a/src/libhydra/Android.mk +++ b/src/libhydra/Android.mk @@ -4,10 +4,6 @@ include $(CLEAR_VARS) # copy-n-paste from Makefile.am libhydra_la_SOURCES := \ hydra.c hydra.h \ -attributes/attributes.c attributes/attributes.h \ -attributes/attribute_provider.h attributes/attribute_handler.h \ -attributes/attribute_manager.c attributes/attribute_manager.h \ -attributes/mem_pool.c attributes/mem_pool.h \ kernel/kernel_interface.c kernel/kernel_interface.h \ kernel/kernel_ipsec.c kernel/kernel_ipsec.h \ kernel/kernel_net.c kernel/kernel_net.h \ @@ -17,8 +13,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(libhydra_la_SOURCES)) # adding the plugin source files -LOCAL_SRC_FILES += $(call add_plugin, attr) - LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey) LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink) @@ -42,4 +36,3 @@ LOCAL_PRELINK_MODULE := false LOCAL_SHARED_LIBRARIES += libstrongswan include $(BUILD_SHARED_LIBRARY) - diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am index 510f2a124..9cdbc0147 100644 --- a/src/libhydra/Makefile.am +++ b/src/libhydra/Makefile.am @@ -2,10 +2,6 @@ ipseclib_LTLIBRARIES = libhydra.la libhydra_la_SOURCES = \ hydra.c hydra.h \ -attributes/attributes.c attributes/attributes.h \ -attributes/attribute_provider.h attributes/attribute_handler.h \ -attributes/attribute_manager.c attributes/attribute_manager.h \ -attributes/mem_pool.c attributes/mem_pool.h \ kernel/kernel_interface.c kernel/kernel_interface.h \ kernel/kernel_ipsec.c kernel/kernel_ipsec.h \ kernel/kernel_net.c kernel/kernel_net.h \ @@ -37,20 +33,6 @@ else SUBDIRS = . endif -if USE_ATTR - SUBDIRS += plugins/attr -if MONOLITHIC - libhydra_la_LIBADD += plugins/attr/libstrongswan-attr.la -endif -endif - -if USE_ATTR_SQL - SUBDIRS += plugins/attr_sql -if MONOLITHIC - libhydra_la_LIBADD += plugins/attr_sql/libstrongswan-attr-sql.la -endif -endif - if USE_KERNEL_PFKEY SUBDIRS += plugins/kernel_pfkey if MONOLITHIC @@ -72,9 +54,7 @@ if MONOLITHIC endif endif -if USE_RESOLVE - SUBDIRS += plugins/resolve if MONOLITHIC - libhydra_la_LIBADD += plugins/resolve/libstrongswan-resolve.la -endif + SUBDIRS += . endif +SUBDIRS += tests diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in index e3ff1981c..9bb2e839a 100644 --- a/src/libhydra/Makefile.in +++ b/src/libhydra/Makefile.in @@ -79,18 +79,12 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @USE_WINDOWS_TRUE@am__append_1 = -lws2_32 -@USE_ATTR_TRUE@am__append_2 = plugins/attr -@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_3 = plugins/attr/libstrongswan-attr.la -@USE_ATTR_SQL_TRUE@am__append_4 = plugins/attr_sql -@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_5 = plugins/attr_sql/libstrongswan-attr-sql.la -@USE_KERNEL_PFKEY_TRUE@am__append_6 = plugins/kernel_pfkey -@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_7 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la -@USE_KERNEL_PFROUTE_TRUE@am__append_8 = plugins/kernel_pfroute -@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_9 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la -@USE_KERNEL_NETLINK_TRUE@am__append_10 = plugins/kernel_netlink -@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_11 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la -@USE_RESOLVE_TRUE@am__append_12 = plugins/resolve -@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_13 = plugins/resolve/libstrongswan-resolve.la +@USE_KERNEL_PFKEY_TRUE@am__append_2 = plugins/kernel_pfkey +@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_3 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la +@USE_KERNEL_PFROUTE_TRUE@am__append_4 = plugins/kernel_pfroute +@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_5 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la +@USE_KERNEL_NETLINK_TRUE@am__append_6 = plugins/kernel_netlink +@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_7 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la subdir = src/libhydra DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp @@ -144,13 +138,10 @@ am__DEPENDENCIES_1 = libhydra_la_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(am__DEPENDENCIES_1) $(am__append_3) $(am__append_5) \ - $(am__append_7) $(am__append_9) $(am__append_11) \ - $(am__append_13) + $(am__append_7) am__dirstamp = $(am__leading_dot)dirstamp -am_libhydra_la_OBJECTS = hydra.lo attributes/attributes.lo \ - attributes/attribute_manager.lo attributes/mem_pool.lo \ - kernel/kernel_interface.lo kernel/kernel_ipsec.lo \ - kernel/kernel_net.lo +am_libhydra_la_OBJECTS = hydra.lo kernel/kernel_interface.lo \ + kernel/kernel_ipsec.lo kernel/kernel_net.lo libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -232,8 +223,8 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = . plugins/attr plugins/attr_sql plugins/kernel_pfkey \ - plugins/kernel_pfroute plugins/kernel_netlink plugins/resolve +DIST_SUBDIRS = . plugins/kernel_pfkey plugins/kernel_pfroute \ + plugins/kernel_netlink tests DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -285,6 +276,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -345,10 +337,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -422,6 +416,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -483,10 +479,6 @@ xml_LIBS = @xml_LIBS@ ipseclib_LTLIBRARIES = libhydra.la libhydra_la_SOURCES = \ hydra.c hydra.h \ -attributes/attributes.c attributes/attributes.h \ -attributes/attribute_provider.h attributes/attribute_handler.h \ -attributes/attribute_manager.c attributes/attribute_manager.h \ -attributes/mem_pool.c attributes/mem_pool.h \ kernel/kernel_interface.c kernel/kernel_interface.h \ kernel/kernel_ipsec.c kernel/kernel_ipsec.h \ kernel/kernel_net.c kernel/kernel_net.h \ @@ -495,8 +487,7 @@ kernel/kernel_listener.h libhydra_la_LIBADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(am__append_1) $(am__append_3) $(am__append_5) \ - $(am__append_7) $(am__append_9) $(am__append_11) \ - $(am__append_13) + $(am__append_7) AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -DIPSEC_DIR=\"${ipsecdir}\" \ @@ -507,14 +498,12 @@ AM_LDFLAGS = \ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_2) $(am__append_4) \ -@MONOLITHIC_FALSE@ $(am__append_6) $(am__append_8) \ -@MONOLITHIC_FALSE@ $(am__append_10) $(am__append_12) +@MONOLITHIC_FALSE@ $(am__append_6) tests # build optional plugins ######################## @MONOLITHIC_TRUE@SUBDIRS = $(am__append_2) $(am__append_4) \ -@MONOLITHIC_TRUE@ $(am__append_6) $(am__append_8) \ -@MONOLITHIC_TRUE@ $(am__append_10) $(am__append_12) +@MONOLITHIC_TRUE@ $(am__append_6) . tests all: all-recursive .SUFFIXES: @@ -584,18 +573,6 @@ clean-ipseclibLTLIBRARIES: echo rm -f $${locs}; \ rm -f $${locs}; \ } -attributes/$(am__dirstamp): - @$(MKDIR_P) attributes - @: > attributes/$(am__dirstamp) -attributes/$(DEPDIR)/$(am__dirstamp): - @$(MKDIR_P) attributes/$(DEPDIR) - @: > attributes/$(DEPDIR)/$(am__dirstamp) -attributes/attributes.lo: attributes/$(am__dirstamp) \ - attributes/$(DEPDIR)/$(am__dirstamp) -attributes/attribute_manager.lo: attributes/$(am__dirstamp) \ - attributes/$(DEPDIR)/$(am__dirstamp) -attributes/mem_pool.lo: attributes/$(am__dirstamp) \ - attributes/$(DEPDIR)/$(am__dirstamp) kernel/$(am__dirstamp): @$(MKDIR_P) kernel @: > kernel/$(am__dirstamp) @@ -614,8 +591,6 @@ libhydra.la: $(libhydra_la_OBJECTS) $(libhydra_la_DEPENDENCIES) $(EXTRA_libhydra mostlyclean-compile: -rm -f *.$(OBJEXT) - -rm -f attributes/*.$(OBJEXT) - -rm -f attributes/*.lo -rm -f kernel/*.$(OBJEXT) -rm -f kernel/*.lo @@ -623,9 +598,6 @@ distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/attribute_manager.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/attributes.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/mem_pool.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_interface.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_ipsec.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_net.Plo@am__quote@ @@ -659,7 +631,6 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs - -rm -rf attributes/.libs attributes/_libs -rm -rf kernel/.libs kernel/_libs # This directory's subdirectories are mostly independent; you can cd @@ -850,8 +821,6 @@ clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -rm -f attributes/$(DEPDIR)/$(am__dirstamp) - -rm -f attributes/$(am__dirstamp) -rm -f kernel/$(DEPDIR)/$(am__dirstamp) -rm -f kernel/$(am__dirstamp) @@ -864,7 +833,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-recursive - -rm -rf ./$(DEPDIR) attributes/$(DEPDIR) kernel/$(DEPDIR) + -rm -rf ./$(DEPDIR) kernel/$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -910,7 +879,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive - -rm -rf ./$(DEPDIR) attributes/$(DEPDIR) kernel/$(DEPDIR) + -rm -rf ./$(DEPDIR) kernel/$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic diff --git a/src/libhydra/attributes/attribute_handler.h b/src/libhydra/attributes/attribute_handler.h deleted file mode 100644 index bc488f6cb..000000000 --- a/src/libhydra/attributes/attribute_handler.h +++ /dev/null @@ -1,72 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup attribute_handler attribute_handler - * @{ @ingroup attributes - */ - -#ifndef ATTRIBUTE_HANDLER_H_ -#define ATTRIBUTE_HANDLER_H_ - -#include -#include -#include - -#include "attributes.h" - -typedef struct attribute_handler_t attribute_handler_t; - -/** - * Interface to handle configuration payload attributes. - */ -struct attribute_handler_t { - - /** - * Handle a configuration attribute. - * - * After receiving a configuration attriubte, it is passed to each - * attribute handler until it is handled. - * - * @param server server from which the attribute was received - * @param type type of configuration attribute to handle - * @param data associated attribute data - * @return TRUE if attribute handled - */ - bool (*handle)(attribute_handler_t *this, identification_t *server, - configuration_attribute_type_t type, chunk_t data); - - /** - * Release an attribute handled during handle(). - * - * A handler that handle()d an attribute gets a call to release() when the - * connection gets closed. Depending on the implementation, this is required - * to remove the attribute. - */ - void (*release)(attribute_handler_t *this, identification_t *server, - configuration_attribute_type_t type, chunk_t data); - - /** - * Enumerate attributes to request from a server. - * - * @param server server identity to request attributes from - * @param vips list of virtual IPs (host_t*) we are requesting - * @return enumerator (configuration_attribute_type_t, chunk_t) - */ - enumerator_t* (*create_attribute_enumerator)(attribute_handler_t *this, - identification_t *server, linked_list_t *vips); -}; - -#endif /** ATTRIBUTE_HANDLER_H_ @}*/ diff --git a/src/libhydra/attributes/attribute_manager.c b/src/libhydra/attributes/attribute_manager.c deleted file mode 100644 index 5fda8b426..000000000 --- a/src/libhydra/attributes/attribute_manager.c +++ /dev/null @@ -1,348 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "attribute_manager.h" - -#include -#include -#include - -typedef struct private_attribute_manager_t private_attribute_manager_t; - -/** - * private data of attribute_manager - */ -struct private_attribute_manager_t { - - /** - * public functions - */ - attribute_manager_t public; - - /** - * list of registered providers - */ - linked_list_t *providers; - - /** - * list of registered handlers - */ - linked_list_t *handlers; - - /** - * rwlock provider list - */ - rwlock_t *lock; -}; - -/** - * Data to pass to enumerator filters - */ -typedef struct { - /** attribute group pools */ - linked_list_t *pools; - /** server/peer identity */ - identification_t *id; - /** requesting/assigned virtual IPs */ - linked_list_t *vips; -} enum_data_t; - -METHOD(attribute_manager_t, acquire_address, host_t*, - private_attribute_manager_t *this, linked_list_t *pools, - identification_t *id, host_t *requested) -{ - enumerator_t *enumerator; - attribute_provider_t *current; - host_t *host = NULL; - - this->lock->read_lock(this->lock); - enumerator = this->providers->create_enumerator(this->providers); - while (enumerator->enumerate(enumerator, ¤t)) - { - host = current->acquire_address(current, pools, id, requested); - if (host) - { - break; - } - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - - return host; -} - -METHOD(attribute_manager_t, release_address, bool, - private_attribute_manager_t *this, linked_list_t *pools, host_t *address, - identification_t *id) -{ - enumerator_t *enumerator; - attribute_provider_t *current; - bool found = FALSE; - - this->lock->read_lock(this->lock); - enumerator = this->providers->create_enumerator(this->providers); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (current->release_address(current, pools, address, id)) - { - found = TRUE; - break; - } - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - - return found; -} - -/** - * inner enumerator constructor for responder attributes - */ -static enumerator_t *responder_enum_create(attribute_provider_t *provider, - enum_data_t *data) -{ - return provider->create_attribute_enumerator(provider, data->pools, - data->id, data->vips); -} - -METHOD(attribute_manager_t, create_responder_enumerator, enumerator_t*, - private_attribute_manager_t *this, linked_list_t *pools, - identification_t *id, linked_list_t *vips) -{ - enum_data_t *data; - - INIT(data, - .pools = pools, - .id = id, - .vips = vips, - ); - this->lock->read_lock(this->lock); - return enumerator_create_cleaner( - enumerator_create_nested( - this->providers->create_enumerator(this->providers), - (void*)responder_enum_create, data, free), - (void*)this->lock->unlock, this->lock); -} - -METHOD(attribute_manager_t, add_provider, void, - private_attribute_manager_t *this, attribute_provider_t *provider) -{ - this->lock->write_lock(this->lock); - this->providers->insert_last(this->providers, provider); - this->lock->unlock(this->lock); -} - -METHOD(attribute_manager_t, remove_provider, void, - private_attribute_manager_t *this, attribute_provider_t *provider) -{ - this->lock->write_lock(this->lock); - this->providers->remove(this->providers, provider, NULL); - this->lock->unlock(this->lock); -} - -METHOD(attribute_manager_t, handle, attribute_handler_t*, - private_attribute_manager_t *this, identification_t *server, - attribute_handler_t *handler, configuration_attribute_type_t type, - chunk_t data) -{ - enumerator_t *enumerator; - attribute_handler_t *current, *handled = NULL; - - this->lock->read_lock(this->lock); - - /* try to find the passed handler */ - enumerator = this->handlers->create_enumerator(this->handlers); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (current == handler && current->handle(current, server, type, data)) - { - handled = current; - break; - } - } - enumerator->destroy(enumerator); - if (!handled) - { /* handler requesting this attribute not found, try any other */ - enumerator = this->handlers->create_enumerator(this->handlers); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (current->handle(current, server, type, data)) - { - handled = current; - break; - } - } - enumerator->destroy(enumerator); - } - this->lock->unlock(this->lock); - - if (!handled) - { - DBG1(DBG_CFG, "handling %N attribute failed", - configuration_attribute_type_names, type); - } - return handled; -} - -METHOD(attribute_manager_t, release, void, - private_attribute_manager_t *this, attribute_handler_t *handler, - identification_t *server, configuration_attribute_type_t type, chunk_t data) -{ - enumerator_t *enumerator; - attribute_handler_t *current; - - this->lock->read_lock(this->lock); - enumerator = this->handlers->create_enumerator(this->handlers); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (current == handler) - { - current->release(current, server, type, data); - break; - } - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); -} - -/** - * Enumerator implementation to enumerate nested initiator attributes - */ -typedef struct { - /** implements enumerator_t */ - enumerator_t public; - /** back ref */ - private_attribute_manager_t *this; - /** currently processing handler */ - attribute_handler_t *handler; - /** outer enumerator over handlers */ - enumerator_t *outer; - /** inner enumerator over current handlers attributes */ - enumerator_t *inner; - /** server ID we want attributes for */ - identification_t *id; - /** virtual IPs we are requesting along with attriubutes */ - linked_list_t *vips; -} initiator_enumerator_t; - -/** - * Enumerator implementation for initiator attributes - */ -static bool initiator_enumerate(initiator_enumerator_t *this, - attribute_handler_t **handler, - configuration_attribute_type_t *type, - chunk_t *value) -{ - /* enumerate inner attributes using outer handler enumerator */ - while (!this->inner || !this->inner->enumerate(this->inner, type, value)) - { - if (!this->outer->enumerate(this->outer, &this->handler)) - { - return FALSE; - } - DESTROY_IF(this->inner); - this->inner = this->handler->create_attribute_enumerator(this->handler, - this->id, this->vips); - } - /* inject the handler as additional attribute */ - *handler = this->handler; - return TRUE; -} - -/** - * Cleanup function of initiator attribute enumerator - */ -static void initiator_destroy(initiator_enumerator_t *this) -{ - this->this->lock->unlock(this->this->lock); - this->outer->destroy(this->outer); - DESTROY_IF(this->inner); - free(this); -} - -METHOD(attribute_manager_t, create_initiator_enumerator, enumerator_t*, - private_attribute_manager_t *this, identification_t *id, linked_list_t *vips) -{ - initiator_enumerator_t *enumerator; - - this->lock->read_lock(this->lock); - - INIT(enumerator, - .public = { - .enumerate = (void*)initiator_enumerate, - .destroy = (void*)initiator_destroy, - }, - .this = this, - .id = id, - .vips = vips, - .outer = this->handlers->create_enumerator(this->handlers), - ); - return &enumerator->public; -} - -METHOD(attribute_manager_t, add_handler, void, - private_attribute_manager_t *this, attribute_handler_t *handler) -{ - this->lock->write_lock(this->lock); - this->handlers->insert_last(this->handlers, handler); - this->lock->unlock(this->lock); -} - -METHOD(attribute_manager_t, remove_handler, void, - private_attribute_manager_t *this, attribute_handler_t *handler) -{ - this->lock->write_lock(this->lock); - this->handlers->remove(this->handlers, handler, NULL); - this->lock->unlock(this->lock); -} - -METHOD(attribute_manager_t, destroy, void, - private_attribute_manager_t *this) -{ - this->providers->destroy(this->providers); - this->handlers->destroy(this->handlers); - this->lock->destroy(this->lock); - free(this); -} - -/* - * see header file - */ -attribute_manager_t *attribute_manager_create() -{ - private_attribute_manager_t *this; - - INIT(this, - .public = { - .acquire_address = _acquire_address, - .release_address = _release_address, - .create_responder_enumerator = _create_responder_enumerator, - .add_provider = _add_provider, - .remove_provider = _remove_provider, - .handle = _handle, - .release = _release, - .create_initiator_enumerator = _create_initiator_enumerator, - .add_handler = _add_handler, - .remove_handler = _remove_handler, - .destroy = _destroy, - }, - .providers = linked_list_create(), - .handlers = linked_list_create(), - .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), - ); - - return &this->public; -} - diff --git a/src/libhydra/attributes/attribute_manager.h b/src/libhydra/attributes/attribute_manager.h deleted file mode 100644 index 99f41772c..000000000 --- a/src/libhydra/attributes/attribute_manager.h +++ /dev/null @@ -1,153 +0,0 @@ -/* - * Copyright (C) 2008-2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup attribute_manager attribute_manager - * @{ @ingroup attributes - */ - -#ifndef ATTRIBUTE_MANAGER_H_ -#define ATTRIBUTE_MANAGER_H_ - -#include "attribute_provider.h" -#include "attribute_handler.h" - -typedef struct attribute_manager_t attribute_manager_t; - -/** - * The attribute manager hands out attributes or handles them. - * - * The attribute manager manages both, attribute providers and attribute - * handlers. Attribute providers are responsible to hand out attributes if - * a connecting peer requests them. Handlers handle such attributes if they - * are received on the requesting peer. - */ -struct attribute_manager_t { - - /** - * Acquire a virtual IP address to assign to a peer. - * - * @param pools list of pool names (char*) to acquire from - * @param id peer identity to get address forua - * @param requested IP in configuration request - * @return allocated address, NULL to serve none - */ - host_t* (*acquire_address)(attribute_manager_t *this, - linked_list_t *pool, identification_t *id, - host_t *requested); - - /** - * Release a previously acquired address. - * - * @param pools list of pool names (char*) to release to - * @param address address to release - * @param id peer identity to get address for - * @return TRUE if address released to pool - */ - bool (*release_address)(attribute_manager_t *this, - linked_list_t *pools, host_t *address, - identification_t *id); - - /** - * Create an enumerator over attributes to hand out to a peer. - * - * @param pool list of pools names (char*) to query attributes from - * @param id peer identity to hand out attributes to - * @param vip list of virtual IPs (host_t*) to assign to peer - * @return enumerator (configuration_attribute_type_t, chunk_t) - */ - enumerator_t* (*create_responder_enumerator)(attribute_manager_t *this, - linked_list_t *pool, identification_t *id, - linked_list_t *vips); - - /** - * Register an attribute provider to the manager. - * - * @param provider attribute provider to register - */ - void (*add_provider)(attribute_manager_t *this, - attribute_provider_t *provider); - /** - * Unregister an attribute provider from the manager. - * - * @param provider attribute provider to unregister - */ - void (*remove_provider)(attribute_manager_t *this, - attribute_provider_t *provider); - - /** - * Handle a configuration attribute by passing them to the handlers. - * - * @param server server from which the attribute was received - * @param handler handler we requested the attribute for, if any - * @param type type of configuration attribute - * @param data associated attribute data - * @return handler which handled this attribute, NULL if none - */ - attribute_handler_t* (*handle)(attribute_manager_t *this, - identification_t *server, attribute_handler_t *handler, - configuration_attribute_type_t type, chunk_t data); - - /** - * Release an attribute previously handle()d by a handler. - * - * @param handler handler returned by handle() for this attribute - * @param server server from which the attribute was received - * @param type type of attribute to release - * @param data associated attribute data - */ - void (*release)(attribute_manager_t *this, attribute_handler_t *handler, - identification_t *server, - configuration_attribute_type_t type, - chunk_t data); - - /** - * Create an enumerator over attributes to request from server. - * - * @param id server identity to hand out attributes to - * @param vip list of virtual IPs (host_t*) going to request - * @return enumerator (attribute_handler_t, ca_type_t, chunk_t) - */ - enumerator_t* (*create_initiator_enumerator)(attribute_manager_t *this, - identification_t *id, linked_list_t *vips); - - /** - * Register an attribute handler to the manager. - * - * @param handler attribute handler to register - */ - void (*add_handler)(attribute_manager_t *this, - attribute_handler_t *handler); - - /** - * Unregister an attribute handler from the manager. - * - * @param handler attribute handler to unregister - */ - void (*remove_handler)(attribute_manager_t *this, - attribute_handler_t *handler); - - /** - * Destroy a attribute_manager instance. - */ - void (*destroy)(attribute_manager_t *this); -}; - -/** - * Create a attribute_manager instance. - */ -attribute_manager_t *attribute_manager_create(); - -#endif /** ATTRIBUTE_MANAGER_H_ @}*/ diff --git a/src/libhydra/attributes/attribute_provider.h b/src/libhydra/attributes/attribute_provider.h deleted file mode 100644 index adfd4a516..000000000 --- a/src/libhydra/attributes/attribute_provider.h +++ /dev/null @@ -1,71 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup attribute_provider attribute_provider - * @{ @ingroup attributes - */ - -#ifndef ATTRIBUTE_PROVIDER_H_ -#define ATTRIBUTE_PROVIDER_H_ - -#include -#include -#include - -typedef struct attribute_provider_t attribute_provider_t; - -/** - * Interface to provide attributes to peers through attribute manager. - */ -struct attribute_provider_t { - - /** - * Acquire a virtual IP address to assign to a peer. - * - * @param pools list of pool names (char*) to acquire from - * @param id peer ID - * @param requested IP in configuration request - * @return allocated address, NULL to serve none - */ - host_t* (*acquire_address)(attribute_provider_t *this, - linked_list_t *pools, identification_t *id, - host_t *requested); - /** - * Release a previously acquired address. - * - * @param pools list of pool names (char*) to release to - * @param address address to release - * @param id peer ID - * @return TRUE if the address has been released by the provider - */ - bool (*release_address)(attribute_provider_t *this, - linked_list_t *pools, host_t *address, - identification_t *id); - - /** - * Create an enumerator over attributes to hand out to a peer. - * - * @param pool list of pools names (char*) to query attributes from - * @param id peer ID - * @param vip list of virtual IPs (host_t*) to assign to peer - * @return enumerator (configuration_attribute_type_t, chunk_t) - */ - enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this, - linked_list_t *pools, identification_t *id, - linked_list_t *vips); -}; - -#endif /** ATTRIBUTE_PROVIDER_H_ @}*/ diff --git a/src/libhydra/attributes/attributes.c b/src/libhydra/attributes/attributes.c deleted file mode 100644 index 9fabcf4e4..000000000 --- a/src/libhydra/attributes/attributes.c +++ /dev/null @@ -1,114 +0,0 @@ -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - - -#include "attributes.h" - -ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, HOME_AGENT_ADDRESS, - "INTERNAL_IP4_ADDRESS", - "INTERNAL_IP4_NETMASK", - "INTERNAL_IP4_DNS", - "INTERNAL_IP4_NBNS", - "INTERNAL_ADDRESS_EXPIRY", - "INTERNAL_IP4_DHCP", - "APPLICATION_VERSION", - "INTERNAL_IP6_ADDRESS", - "INTERNAL_IP6_NETMASK", - "INTERNAL_IP6_DNS", - "INTERNAL_IP6_NBNS", - "INTERNAL_IP6_DHCP", - "INTERNAL_IP4_SUBNET", - "SUPPORTED_ATTRIBUTES", - "INTERNAL_IP6_SUBNET", - "MIP6_HOME_PREFIX", - "INTERNAL_IP6_LINK", - "INTERNAL_IP6_PREFIX", - "HOME_AGENT_ADDRESS"); -ENUM_NEXT(configuration_attribute_type_names, XAUTH_TYPE, XAUTH_ANSWER, HOME_AGENT_ADDRESS, - "XAUTH_TYPE", - "XAUTH_USER_NAME", - "XAUTH_USER_PASSWORD", - "XAUTH_PASSCODE", - "XAUTH_MESSAGE", - "XAUTH_CHALLENGE", - "XAUTH_DOMAIN", - "XAUTH_STATUS", - "XAUTH_NEXT_PIN", - "XAUTH_ANSWER"); -ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_ANSWER, - "INTERNAL_IP4_SERVER", - "INTERNAL_IP6_SERVER"); -ENUM_NEXT(configuration_attribute_type_names, UNITY_BANNER, UNITY_DDNS_HOSTNAME, INTERNAL_IP6_SERVER, - "UNITY_BANNER", - "UNITY_SAVE_PASSWD", - "UNITY_DEF_DOMAIN", - "UNITY_SPLITDNS_NAME", - "UNITY_SPLIT_INCLUDE", - "UNITY_NATT_PORT", - "UNITY_LOCAL_LAN", - "UNITY_PFS", - "UNITY_FW_TYPE", - "UNITY_BACKUP_SERVERS", - "UNITY_DDNS_HOSTNAME"); -ENUM_END(configuration_attribute_type_names, UNITY_DDNS_HOSTNAME); - -ENUM_BEGIN(configuration_attribute_type_short_names, INTERNAL_IP4_ADDRESS, HOME_AGENT_ADDRESS, - "ADDR", - "MASK", - "DNS", - "NBNS", - "EXP", - "DHCP", - "VER", - "ADDR6", - "MASK6", - "DNS6", - "NBNS6", - "DHCP6", - "SUBNET", - "SUP", - "SUBNET6", - "MIP6HPFX", - "LINK6", - "PFX6", - "HOA"); -ENUM_NEXT(configuration_attribute_type_short_names, XAUTH_TYPE, XAUTH_ANSWER, HOME_AGENT_ADDRESS, - "X_TYPE", - "X_USER", - "X_PWD", - "X_CODE", - "X_MSG", - "X_CHALL", - "X_DOMAIN", - "X_STATUS", - "X_PIN", - "X_ANSWER"); -ENUM_NEXT(configuration_attribute_type_short_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_ANSWER, - "SRV", - "SRV6"); -ENUM_NEXT(configuration_attribute_type_short_names, UNITY_BANNER, UNITY_DDNS_HOSTNAME, INTERNAL_IP6_SERVER, - "U_BANNER", - "U_SAVEPWD", - "U_DEFDOM", - "U_SPLITDNS", - "U_SPLITINC", - "U_NATTPORT", - "U_LOCALLAN", - "U_PFS", - "U_FWTYPE", - "U_BKPSRV", - "U_DDNSHOST"); -ENUM_END(configuration_attribute_type_short_names, UNITY_DDNS_HOSTNAME); diff --git a/src/libhydra/attributes/attributes.h b/src/libhydra/attributes/attributes.h deleted file mode 100644 index 5d1e9f9ba..000000000 --- a/src/libhydra/attributes/attributes.h +++ /dev/null @@ -1,91 +0,0 @@ -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup attributes_g attributes - * @{ @ingroup attributes - */ - -#ifndef ATTRIBUTES_H_ -#define ATTRIBUTES_H_ - -typedef enum configuration_attribute_type_t configuration_attribute_type_t; - -#include - -/** - * Type of the attribute, as in IKEv2 RFC 3.15.1 or IKEv1 ModeConfig. - */ -enum configuration_attribute_type_t { - INTERNAL_IP4_ADDRESS = 1, - INTERNAL_IP4_NETMASK = 2, - INTERNAL_IP4_DNS = 3, - INTERNAL_IP4_NBNS = 4, - INTERNAL_ADDRESS_EXPIRY = 5, - INTERNAL_IP4_DHCP = 6, - APPLICATION_VERSION = 7, - INTERNAL_IP6_ADDRESS = 8, - INTERNAL_IP6_NETMASK = 9, - INTERNAL_IP6_DNS = 10, - INTERNAL_IP6_NBNS = 11, - INTERNAL_IP6_DHCP = 12, - INTERNAL_IP4_SUBNET = 13, - SUPPORTED_ATTRIBUTES = 14, - INTERNAL_IP6_SUBNET = 15, - MIP6_HOME_PREFIX = 16, - INTERNAL_IP6_LINK = 17, - INTERNAL_IP6_PREFIX = 18, - HOME_AGENT_ADDRESS = 19, - /* XAUTH attributes */ - XAUTH_TYPE = 16520, - XAUTH_USER_NAME = 16521, - XAUTH_USER_PASSWORD = 16522, - XAUTH_PASSCODE = 16523, - XAUTH_MESSAGE = 16524, - XAUTH_CHALLENGE = 16525, - XAUTH_DOMAIN = 16526, - XAUTH_STATUS = 16527, - XAUTH_NEXT_PIN = 16528, - XAUTH_ANSWER = 16529, - /* proprietary Microsoft attributes */ - INTERNAL_IP4_SERVER = 23456, - INTERNAL_IP6_SERVER = 23457, - /* proprietary Cisco Unity attributes */ - UNITY_BANNER = 28672, - UNITY_SAVE_PASSWD = 28673, - UNITY_DEF_DOMAIN = 28674, - UNITY_SPLITDNS_NAME = 28675, - UNITY_SPLIT_INCLUDE = 28676, - UNITY_NATT_PORT = 28677, - UNITY_LOCAL_LAN = 28678, - UNITY_PFS = 28679, - UNITY_FW_TYPE = 28680, - UNITY_BACKUP_SERVERS = 28681, - UNITY_DDNS_HOSTNAME = 28682 -}; - -/** - * enum names for configuration_attribute_type_t. - */ -extern enum_name_t *configuration_attribute_type_names; - -/** - * Short enum names for configuration_attribute_type_t. - */ -extern enum_name_t *configuration_attribute_type_short_names; - - -#endif /** ATTRIBUTES_H_ @}*/ diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c deleted file mode 100644 index cc45e5629..000000000 --- a/src/libhydra/attributes/mem_pool.c +++ /dev/null @@ -1,649 +0,0 @@ -/* - * Copyright (C) 2010 Tobias Brunner - * Copyright (C) 2008-2010 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "mem_pool.h" - -#include -#include -#include -#include -#include -#include - -#define POOL_LIMIT (sizeof(u_int)*8 - 1) - -typedef struct private_mem_pool_t private_mem_pool_t; - -/** - * private data of mem_pool_t - */ -struct private_mem_pool_t { - /** - * public interface - */ - mem_pool_t public; - - /** - * name of the pool - */ - char *name; - - /** - * base address of the pool - */ - host_t *base; - - /** - * size of the pool - */ - u_int size; - - /** - * next unused address - */ - u_int unused; - - /** - * lease hashtable [identity => entry] - */ - hashtable_t *leases; - - /** - * lock to safely access the pool - */ - mutex_t *mutex; - - /** - * Do we reassign online leases to the same identity, if requested? - */ - bool reassign_online; -}; - -/** - * Lease entry. - */ -typedef struct { - /* identitiy reference */ - identification_t *id; - /* array of online leases, as u_int offset */ - array_t *online; - /* array of offline leases, as u_int offset */ - array_t *offline; -} entry_t; - -/** - * Create a new entry - */ -static entry_t* entry_create(identification_t *id) -{ - entry_t *entry; - - INIT(entry, - .id = id->clone(id), - .online = array_create(sizeof(u_int), 0), - .offline = array_create(sizeof(u_int), 0), - ); - return entry; -} - -/** - * hashtable hash function for identities - */ -static u_int id_hash(identification_t *id) -{ - return chunk_hash(id->get_encoding(id)); -} - -/** - * hashtable equals function for identities - */ -static bool id_equals(identification_t *a, identification_t *b) -{ - return a->equals(a, b); -} - -/** - * convert a pool offset to an address - */ -static host_t* offset2host(private_mem_pool_t *pool, int offset) -{ - chunk_t addr; - host_t *host; - u_int32_t *pos; - - offset--; - if (offset > pool->size) - { - return NULL; - } - - addr = chunk_clone(pool->base->get_address(pool->base)); - if (pool->base->get_family(pool->base) == AF_INET6) - { - pos = (u_int32_t*)(addr.ptr + 12); - } - else - { - pos = (u_int32_t*)addr.ptr; - } - *pos = htonl(offset + ntohl(*pos)); - host = host_create_from_chunk(pool->base->get_family(pool->base), addr, 0); - free(addr.ptr); - return host; -} - -/** - * convert a host to a pool offset - */ -static int host2offset(private_mem_pool_t *pool, host_t *addr) -{ - chunk_t host, base; - u_int32_t hosti, basei; - - if (addr->get_family(addr) != pool->base->get_family(pool->base)) - { - return -1; - } - host = addr->get_address(addr); - base = pool->base->get_address(pool->base); - if (addr->get_family(addr) == AF_INET6) - { - /* only look at last /32 block */ - if (!memeq(host.ptr, base.ptr, 12)) - { - return -1; - } - host = chunk_skip(host, 12); - base = chunk_skip(base, 12); - } - hosti = ntohl(*(u_int32_t*)(host.ptr)); - basei = ntohl(*(u_int32_t*)(base.ptr)); - if (hosti > basei + pool->size) - { - return -1; - } - return hosti - basei + 1; -} - -METHOD(mem_pool_t, get_name, const char*, - private_mem_pool_t *this) -{ - return this->name; -} - -METHOD(mem_pool_t, get_base, host_t*, - private_mem_pool_t *this) -{ - return this->base; -} - -METHOD(mem_pool_t, get_size, u_int, - private_mem_pool_t *this) -{ - return this->size; -} - -METHOD(mem_pool_t, get_online, u_int, - private_mem_pool_t *this) -{ - enumerator_t *enumerator; - entry_t *entry; - u_int count = 0; - - this->mutex->lock(this->mutex); - enumerator = this->leases->create_enumerator(this->leases); - while (enumerator->enumerate(enumerator, NULL, &entry)) - { - count += array_count(entry->online); - } - enumerator->destroy(enumerator); - this->mutex->unlock(this->mutex); - - return count; -} - -METHOD(mem_pool_t, get_offline, u_int, - private_mem_pool_t *this) -{ - enumerator_t *enumerator; - entry_t *entry; - u_int count = 0; - - this->mutex->lock(this->mutex); - enumerator = this->leases->create_enumerator(this->leases); - while (enumerator->enumerate(enumerator, NULL, &entry)) - { - count += array_count(entry->offline); - } - enumerator->destroy(enumerator); - this->mutex->unlock(this->mutex); - - return count; -} - -/** - * Get an existing lease for id - */ -static int get_existing(private_mem_pool_t *this, identification_t *id, - host_t *requested) -{ - enumerator_t *enumerator; - u_int *current; - entry_t *entry; - int offset = 0; - - entry = this->leases->get(this->leases, id); - if (!entry) - { - return 0; - } - - /* check for a valid offline lease, refresh */ - enumerator = array_create_enumerator(entry->offline); - if (enumerator->enumerate(enumerator, ¤t)) - { - offset = *current; - array_insert(entry->online, ARRAY_TAIL, current); - array_remove_at(entry->offline, enumerator); - } - enumerator->destroy(enumerator); - if (offset) - { - DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id); - return offset; - } - if (!this->reassign_online) - { - return 0; - } - /* check for a valid online lease to reassign */ - enumerator = array_create_enumerator(entry->online); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (*current == host2offset(this, requested)) - { - offset = *current; - /* add an additional "online" entry */ - array_insert(entry->online, ARRAY_TAIL, current); - break; - } - } - enumerator->destroy(enumerator); - if (offset) - { - DBG1(DBG_CFG, "reassigning online lease to '%Y'", id); - } - return offset; -} - -/** - * Get a new lease for id - */ -static int get_new(private_mem_pool_t *this, identification_t *id) -{ - entry_t *entry; - u_int offset = 0; - - if (this->unused < this->size) - { - entry = this->leases->get(this->leases, id); - if (!entry) - { - entry = entry_create(id); - this->leases->put(this->leases, entry->id, entry); - } - /* assigning offset, starting by 1 */ - offset = ++this->unused; - array_insert(entry->online, ARRAY_TAIL, &offset); - DBG1(DBG_CFG, "assigning new lease to '%Y'", id); - } - return offset; -} - -/** - * Get a reassigned lease for id in case the pool is full - */ -static int get_reassigned(private_mem_pool_t *this, identification_t *id) -{ - enumerator_t *enumerator; - entry_t *entry; - u_int current, offset = 0; - - enumerator = this->leases->create_enumerator(this->leases); - while (enumerator->enumerate(enumerator, NULL, &entry)) - { - if (array_remove(entry->offline, ARRAY_HEAD, ¤t)) - { - offset = current; - DBG1(DBG_CFG, "reassigning existing offline lease by '%Y'" - " to '%Y'", entry->id, id); - break; - } - } - enumerator->destroy(enumerator); - - if (offset) - { - entry = entry_create(id); - array_insert(entry->online, ARRAY_TAIL, &offset); - this->leases->put(this->leases, entry->id, entry); - } - return offset; -} - -METHOD(mem_pool_t, acquire_address, host_t*, - private_mem_pool_t *this, identification_t *id, host_t *requested, - mem_pool_op_t operation) -{ - int offset = 0; - - /* if the pool is empty (e.g. in the %config case) we simply return the - * requested address */ - if (this->size == 0) - { - return requested->clone(requested); - } - - if (requested->get_family(requested) != - this->base->get_family(this->base)) - { - return NULL; - } - - this->mutex->lock(this->mutex); - switch (operation) - { - case MEM_POOL_EXISTING: - offset = get_existing(this, id, requested); - break; - case MEM_POOL_NEW: - offset = get_new(this, id); - break; - case MEM_POOL_REASSIGN: - offset = get_reassigned(this, id); - if (!offset) - { - DBG1(DBG_CFG, "pool '%s' is full, unable to assign address", - this->name); - } - break; - default: - break; - } - this->mutex->unlock(this->mutex); - - if (offset) - { - return offset2host(this, offset); - } - return NULL; -} - -METHOD(mem_pool_t, release_address, bool, - private_mem_pool_t *this, host_t *address, identification_t *id) -{ - enumerator_t *enumerator; - bool found = FALSE, more = FALSE; - entry_t *entry; - u_int offset, *current; - - if (this->size != 0) - { - this->mutex->lock(this->mutex); - entry = this->leases->get(this->leases, id); - if (entry) - { - offset = host2offset(this, address); - - enumerator = array_create_enumerator(entry->online); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (*current == offset) - { - if (!found) - { /* remove the first entry only */ - array_remove_at(entry->online, enumerator); - found = TRUE; - } - else - { /* but check for more entries */ - more = TRUE; - break; - } - } - } - enumerator->destroy(enumerator); - - if (found && !more) - { - /* no tunnels are online anymore for this lease, make offline */ - array_insert(entry->offline, ARRAY_TAIL, &offset); - DBG1(DBG_CFG, "lease %H by '%Y' went offline", address, id); - } - } - this->mutex->unlock(this->mutex); - } - return found; -} - -/** - * lease enumerator - */ -typedef struct { - /** implemented enumerator interface */ - enumerator_t public; - /** hash-table enumerator */ - enumerator_t *entries; - /** online enumerator */ - enumerator_t *online; - /** offline enumerator */ - enumerator_t *offline; - /** enumerated pool */ - private_mem_pool_t *pool; - /** currently enumerated entry */ - entry_t *entry; - /** currently enumerated lease address */ - host_t *addr; -} lease_enumerator_t; - -METHOD(enumerator_t, lease_enumerate, bool, - lease_enumerator_t *this, identification_t **id, host_t **addr, bool *online) -{ - u_int *offset; - - DESTROY_IF(this->addr); - this->addr = NULL; - - while (TRUE) - { - if (this->entry) - { - if (this->online->enumerate(this->online, &offset)) - { - *id = this->entry->id; - *addr = this->addr = offset2host(this->pool, *offset); - *online = TRUE; - return TRUE; - } - if (this->offline->enumerate(this->offline, &offset)) - { - *id = this->entry->id; - *addr = this->addr = offset2host(this->pool, *offset); - *online = FALSE; - return TRUE; - } - this->online->destroy(this->online); - this->offline->destroy(this->offline); - this->online = this->offline = NULL; - } - if (!this->entries->enumerate(this->entries, NULL, &this->entry)) - { - return FALSE; - } - this->online = array_create_enumerator(this->entry->online); - this->offline = array_create_enumerator(this->entry->offline); - } -} - -METHOD(enumerator_t, lease_enumerator_destroy, void, - lease_enumerator_t *this) -{ - DESTROY_IF(this->addr); - DESTROY_IF(this->online); - DESTROY_IF(this->offline); - this->entries->destroy(this->entries); - this->pool->mutex->unlock(this->pool->mutex); - free(this); -} - -METHOD(mem_pool_t, create_lease_enumerator, enumerator_t*, - private_mem_pool_t *this) -{ - lease_enumerator_t *enumerator; - - this->mutex->lock(this->mutex); - INIT(enumerator, - .public = { - .enumerate = (void*)_lease_enumerate, - .destroy = _lease_enumerator_destroy, - }, - .pool = this, - .entries = this->leases->create_enumerator(this->leases), - ); - return &enumerator->public; -} - -METHOD(mem_pool_t, destroy, void, - private_mem_pool_t *this) -{ - enumerator_t *enumerator; - entry_t *entry; - - enumerator = this->leases->create_enumerator(this->leases); - while (enumerator->enumerate(enumerator, NULL, &entry)) - { - entry->id->destroy(entry->id); - array_destroy(entry->online); - array_destroy(entry->offline); - free(entry); - } - enumerator->destroy(enumerator); - - this->leases->destroy(this->leases); - this->mutex->destroy(this->mutex); - DESTROY_IF(this->base); - free(this->name); - free(this); -} - -/** - * Generic constructor - */ -static private_mem_pool_t *create_generic(char *name) -{ - private_mem_pool_t *this; - - INIT(this, - .public = { - .get_name = _get_name, - .get_base = _get_base, - .get_size = _get_size, - .get_online = _get_online, - .get_offline = _get_offline, - .acquire_address = _acquire_address, - .release_address = _release_address, - .create_lease_enumerator = _create_lease_enumerator, - .destroy = _destroy, - }, - .name = strdup(name), - .leases = hashtable_create((hashtable_hash_t)id_hash, - (hashtable_equals_t)id_equals, 16), - .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .reassign_online = lib->settings->get_bool(lib->settings, - "%s.mem-pool.reassign_online", FALSE, lib->ns), - ); - - return this; -} - -/** - * Described in header - */ -mem_pool_t *mem_pool_create(char *name, host_t *base, int bits) -{ - private_mem_pool_t *this; - int addr_bits; - - this = create_generic(name); - if (base) - { - addr_bits = base->get_family(base) == AF_INET ? 32 : 128; - bits = max(0, min(bits, base->get_family(base) == AF_INET ? 32 : 128)); - /* net bits -> host bits */ - bits = addr_bits - bits; - if (bits > POOL_LIMIT) - { - bits = POOL_LIMIT; - DBG1(DBG_CFG, "virtual IP pool too large, limiting to %H/%d", - base, addr_bits - bits); - } - this->size = 1 << bits; - - if (this->size > 2) - { /* do not use first and last addresses of a block */ - this->unused++; - this->size -= 2; - } - this->base = base->clone(base); - } - - return &this->public; -} - -/** - * Described in header - */ -mem_pool_t *mem_pool_create_range(char *name, host_t *from, host_t *to) -{ - private_mem_pool_t *this; - chunk_t fromaddr, toaddr; - u_int32_t diff; - - fromaddr = from->get_address(from); - toaddr = to->get_address(to); - - if (from->get_family(from) != to->get_family(to) || - fromaddr.len != toaddr.len || fromaddr.len < sizeof(diff) || - memcmp(fromaddr.ptr, toaddr.ptr, toaddr.len) > 0) - { - DBG1(DBG_CFG, "invalid IP address range: %H-%H", from, to); - return NULL; - } - if (fromaddr.len > sizeof(diff) && - !chunk_equals(chunk_create(fromaddr.ptr, fromaddr.len - sizeof(diff)), - chunk_create(toaddr.ptr, toaddr.len - sizeof(diff)))) - { - DBG1(DBG_CFG, "IP address range too large: %H-%H", from, to); - return NULL; - } - this = create_generic(name); - this->base = from->clone(from); - diff = untoh32(toaddr.ptr + toaddr.len - sizeof(diff)) - - untoh32(fromaddr.ptr + fromaddr.len - sizeof(diff)); - this->size = diff + 1; - - return &this->public; -} diff --git a/src/libhydra/attributes/mem_pool.h b/src/libhydra/attributes/mem_pool.h deleted file mode 100644 index 7347bb547..000000000 --- a/src/libhydra/attributes/mem_pool.h +++ /dev/null @@ -1,146 +0,0 @@ -/* - * Copyright (C) 2010 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup mem_pool mem_pool - * @{ @ingroup attributes - */ - -#ifndef MEM_POOL_H -#define MEM_POOL_H - -typedef struct mem_pool_t mem_pool_t; -typedef enum mem_pool_op_t mem_pool_op_t; - -#include -#include - -/** - * In-memory IP pool acquire operation. - */ -enum mem_pool_op_t { - /** Check for an exsiting lease */ - MEM_POOL_EXISTING, - /** Get a new lease */ - MEM_POOL_NEW, - /** Replace an existing offline lease of another ID */ - MEM_POOL_REASSIGN, -}; - -/** - * An in-memory IP address pool. - */ -struct mem_pool_t { - - /** - * Get the name of this pool. - * - * @return the name of this pool - */ - const char* (*get_name)(mem_pool_t *this); - - /** - * Get the base (first) address of this pool. - * - * @return base address, internal host - */ - host_t* (*get_base)(mem_pool_t *this); - - /** - * Get the size (i.e. number of addresses) of this pool. - * - * @return the size of this pool - */ - u_int (*get_size)(mem_pool_t *this); - - /** - * Get the number of online leases. - * - * @return the number of offline leases - */ - u_int (*get_online)(mem_pool_t *this); - - /** - * Get the number of offline leases. - * - * @return the number of online leases - */ - u_int (*get_offline)(mem_pool_t *this); - - /** - * Acquire an address for the given id from this pool. - * - * This call is usually invoked several times: The first time to find an - * existing lease (MEM_POOL_EXISTING), if none found a second time to - * acquire a new lease (MEM_POOL_NEW), and if the pool is full once again - * to assign an existing offline lease (MEM_POOL_REASSIGN). - * - * @param id the id to acquire an address for - * @param requested acquire this address, if possible - * @param operation acquire operation to perform, see above - * @return the acquired address - */ - host_t* (*acquire_address)(mem_pool_t *this, identification_t *id, - host_t *requested, mem_pool_op_t operation); - - /** - * Release a previously acquired address. - * - * @param address the address to release - * @param id the id the address was assigned to - * @return TRUE, if the lease was found - */ - bool (*release_address)(mem_pool_t *this, host_t *address, - identification_t *id); - - /** - * Create an enumerator over the leases of this pool. - * - * Enumerator enumerates over - * identification_t *id, host_t *address, bool online - * - * @return enumerator - */ - enumerator_t* (*create_lease_enumerator)(mem_pool_t *this); - - /** - * Destroy a mem_pool_t instance. - */ - void (*destroy)(mem_pool_t *this); -}; - -/** - * Create an in-memory IP address pool. - * - * An empty pool just returns the requested address. - * - * @param name name of this pool - * @param base base address of this pool, NULL to create an empty pool - * @param bits number of non-network bits in base, as in CIDR notation - * @return memory pool instance - */ -mem_pool_t *mem_pool_create(char *name, host_t *base, int bits); - -/** - * Create an in-memory IP address from a range. - * - * @param name name of this pool - * @param from start of ranged pool - * @param to end of ranged pool - * @return memory pool instance, NULL if range invalid - */ -mem_pool_t *mem_pool_create_range(char *name, host_t *from, host_t *to); - -#endif /** MEM_POOL_H_ @} */ diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c index 1b5065081..47ffb59c6 100644 --- a/src/libhydra/hydra.c +++ b/src/libhydra/hydra.c @@ -57,7 +57,6 @@ void libhydra_deinit() return; } - this->public.attributes->destroy(this->public.attributes); this->public.kernel_interface->destroy(this->public.kernel_interface); free(this); hydra = NULL; @@ -78,9 +77,6 @@ bool libhydra_init() } INIT(this, - .public = { - .attributes = attribute_manager_create(), - }, .ref = 1, ); hydra = &this->public; diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h index 94209ff59..b23a30584 100644 --- a/src/libhydra/hydra.h +++ b/src/libhydra/hydra.h @@ -16,9 +16,6 @@ /** * @defgroup libhydra libhydra * - * @defgroup attributes attributes - * @ingroup libhydra - * * @defgroup hkernel kernel * @ingroup libhydra * @@ -34,7 +31,6 @@ typedef struct hydra_t hydra_t; -#include #include #include @@ -44,11 +40,6 @@ typedef struct hydra_t hydra_t; */ struct hydra_t { - /** - * manager for payload attributes - */ - attribute_manager_t *attributes; - /** * kernel interface to communicate with kernel */ diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c index 3fa28e054..ce31bd410 100644 --- a/src/libhydra/kernel/kernel_interface.c +++ b/src/libhydra/kernel/kernel_interface.c @@ -43,6 +43,8 @@ #include #include #include +#include +#include typedef struct private_kernel_interface_t private_kernel_interface_t; @@ -114,6 +116,16 @@ struct private_kernel_interface_t { */ linked_list_t *listeners; + /** + * Reqid entries indexed by reqids + */ + hashtable_t *reqids; + + /** + * Reqid entries indexed by traffic selectors + */ + hashtable_t *reqids_by_ts; + /** * mutex for algorithm mappings */ @@ -155,24 +167,252 @@ METHOD(kernel_interface_t, get_features, kernel_feature_t, METHOD(kernel_interface_t, get_spi, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t *spi) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->get_spi(this->ipsec, src, dst, protocol, reqid, spi); + return this->ipsec->get_spi(this->ipsec, src, dst, protocol, spi); } METHOD(kernel_interface_t, get_cpi, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t reqid, u_int16_t *cpi) + u_int16_t *cpi) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->get_cpi(this->ipsec, src, dst, reqid, cpi); + return this->ipsec->get_cpi(this->ipsec, src, dst, cpi); +} + +/** + * Reqid mapping entry + */ +typedef struct { + /** allocated reqid */ + u_int32_t reqid; + /** references to this entry */ + u_int refs; + /** inbound mark used for SA */ + mark_t mark_in; + /** outbound mark used for SA */ + mark_t mark_out; + /** local traffic selectors */ + array_t *local; + /** remote traffic selectors */ + array_t *remote; +} reqid_entry_t; + +/** + * Destroy a reqid mapping entry + */ +static void reqid_entry_destroy(reqid_entry_t *entry) +{ + array_destroy_offset(entry->local, offsetof(traffic_selector_t, destroy)); + array_destroy_offset(entry->remote, offsetof(traffic_selector_t, destroy)); + free(entry); +} + +/** + * Hashtable hash function for reqid entries using reqid as key + */ +static u_int hash_reqid(reqid_entry_t *entry) +{ + return chunk_hash_inc(chunk_from_thing(entry->reqid), + chunk_hash_inc(chunk_from_thing(entry->mark_in), + chunk_hash(chunk_from_thing(entry->mark_out)))); +} + +/** + * Hashtable equals function for reqid entries using reqid as key + */ +static bool equals_reqid(reqid_entry_t *a, reqid_entry_t *b) +{ + return a->reqid == b->reqid && + a->mark_in.value == b->mark_in.value && + a->mark_in.mask == b->mark_in.mask && + a->mark_out.value == b->mark_out.value && + a->mark_out.mask == b->mark_out.mask; +} + +/** + * Hash an array of traffic selectors + */ +static u_int hash_ts_array(array_t *array, u_int hash) +{ + enumerator_t *enumerator; + traffic_selector_t *ts; + + enumerator = array_create_enumerator(array); + while (enumerator->enumerate(enumerator, &ts)) + { + hash = ts->hash(ts, hash); + } + enumerator->destroy(enumerator); + + return hash; +} + +/** + * Hashtable hash function for reqid entries using traffic selectors as key + */ +static u_int hash_reqid_by_ts(reqid_entry_t *entry) +{ + return hash_ts_array(entry->local, hash_ts_array(entry->remote, + chunk_hash_inc(chunk_from_thing(entry->mark_in), + chunk_hash(chunk_from_thing(entry->mark_out))))); +} + +/** + * Compare two array with traffic selectors for equality + */ +static bool ts_array_equals(array_t *a, array_t *b) +{ + traffic_selector_t *tsa, *tsb; + enumerator_t *ae, *be; + bool equal = TRUE; + + if (array_count(a) != array_count(b)) + { + return FALSE; + } + + ae = array_create_enumerator(a); + be = array_create_enumerator(b); + while (equal && ae->enumerate(ae, &tsa) && be->enumerate(be, &tsb)) + { + equal = tsa->equals(tsa, tsb); + } + ae->destroy(ae); + be->destroy(be); + + return equal; +} + +/** + * Hashtable equals function for reqid entries using traffic selectors as key + */ +static bool equals_reqid_by_ts(reqid_entry_t *a, reqid_entry_t *b) +{ + return ts_array_equals(a->local, b->local) && + ts_array_equals(a->remote, b->remote) && + a->mark_in.value == b->mark_in.value && + a->mark_in.mask == b->mark_in.mask && + a->mark_out.value == b->mark_out.value && + a->mark_out.mask == b->mark_out.mask; +} + +/** + * Create an array from copied traffic selector list items + */ +static array_t *array_from_ts_list(linked_list_t *list) +{ + enumerator_t *enumerator; + traffic_selector_t *ts; + array_t *array; + + array = array_create(0, 0); + + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &ts)) + { + array_insert(array, ARRAY_TAIL, ts->clone(ts)); + } + enumerator->destroy(enumerator); + + return array; +} + +METHOD(kernel_interface_t, alloc_reqid, status_t, + private_kernel_interface_t *this, + linked_list_t *local_ts, linked_list_t *remote_ts, + mark_t mark_in, mark_t mark_out, u_int32_t *reqid) +{ + static u_int32_t counter = 0; + reqid_entry_t *entry = NULL, *tmpl; + status_t status = SUCCESS; + + INIT(tmpl, + .local = array_from_ts_list(local_ts), + .remote = array_from_ts_list(remote_ts), + .mark_in = mark_in, + .mark_out = mark_out, + .reqid = *reqid, + ); + + this->mutex->lock(this->mutex); + if (tmpl->reqid) + { + /* search by reqid if given */ + entry = this->reqids->get(this->reqids, tmpl); + } + if (entry) + { + /* we don't require a traffic selector match for explicit reqids, + * as we wan't to reuse a reqid for trap-triggered policies that + * got narrowed during negotiation. */ + reqid_entry_destroy(tmpl); + } + else + { + /* search by traffic selectors */ + entry = this->reqids_by_ts->get(this->reqids_by_ts, tmpl); + if (entry) + { + reqid_entry_destroy(tmpl); + } + else + { + /* none found, create a new entry, allocating a reqid */ + entry = tmpl; + entry->reqid = ++counter; + this->reqids_by_ts->put(this->reqids_by_ts, entry, entry); + this->reqids->put(this->reqids, entry, entry); + } + *reqid = entry->reqid; + } + entry->refs++; + this->mutex->unlock(this->mutex); + + return status; +} + +METHOD(kernel_interface_t, release_reqid, status_t, + private_kernel_interface_t *this, u_int32_t reqid, + mark_t mark_in, mark_t mark_out) +{ + reqid_entry_t *entry, tmpl = { + .reqid = reqid, + .mark_in = mark_in, + .mark_out = mark_out, + }; + + this->mutex->lock(this->mutex); + entry = this->reqids->remove(this->reqids, &tmpl); + if (entry) + { + if (--entry->refs == 0) + { + entry = this->reqids_by_ts->remove(this->reqids_by_ts, entry); + if (entry) + { + reqid_entry_destroy(entry); + } + } + else + { + this->reqids->put(this->reqids, entry, entry); + } + } + this->mutex->unlock(this->mutex); + + if (entry) + { + return SUCCESS; + } + return NOT_FOUND; } METHOD(kernel_interface_t, add_sa, status_t, @@ -181,8 +421,8 @@ METHOD(kernel_interface_t, add_sa, status_t, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts) + bool initiator, bool encap, bool esn, bool inbound, bool update, + linked_list_t *src_ts, linked_list_t *dst_ts) { if (!this->ipsec) { @@ -191,7 +431,7 @@ METHOD(kernel_interface_t, add_sa, status_t, return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid, mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, cpi, replay_window, initiator, encap, esn, inbound, - src_ts, dst_ts); + update, src_ts, dst_ts); } METHOD(kernel_interface_t, update_sa, status_t, @@ -575,17 +815,18 @@ METHOD(kernel_interface_t, acquire, void, } METHOD(kernel_interface_t, expire, void, - private_kernel_interface_t *this, u_int32_t reqid, u_int8_t protocol, - u_int32_t spi, bool hard) + private_kernel_interface_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, bool hard) { kernel_listener_t *listener; enumerator_t *enumerator; + this->mutex->lock(this->mutex); enumerator = this->listeners->create_enumerator(this->listeners); while (enumerator->enumerate(enumerator, &listener)) { if (listener->expire && - !listener->expire(listener, reqid, protocol, spi, hard)) + !listener->expire(listener, protocol, spi, dst, hard)) { this->listeners->remove_at(this->listeners, enumerator); } @@ -595,17 +836,18 @@ METHOD(kernel_interface_t, expire, void, } METHOD(kernel_interface_t, mapping, void, - private_kernel_interface_t *this, u_int32_t reqid, u_int32_t spi, - host_t *remote) + private_kernel_interface_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, host_t *remote) { kernel_listener_t *listener; enumerator_t *enumerator; + this->mutex->lock(this->mutex); enumerator = this->listeners->create_enumerator(this->listeners); while (enumerator->enumerate(enumerator, &listener)) { if (listener->mapping && - !listener->mapping(listener, reqid, spi, remote)) + !listener->mapping(listener, protocol, spi, dst, remote)) { this->listeners->remove_at(this->listeners, enumerator); } @@ -733,6 +975,8 @@ METHOD(kernel_interface_t, destroy, void, DESTROY_IF(this->ipsec); DESTROY_IF(this->net); DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free); + this->reqids->destroy(this->reqids); + this->reqids_by_ts->destroy(this->reqids_by_ts); this->listeners->destroy(this->listeners); this->mutex->destroy(this->mutex); free(this); @@ -751,6 +995,8 @@ kernel_interface_t *kernel_interface_create() .get_features = _get_features, .get_spi = _get_spi, .get_cpi = _get_cpi, + .alloc_reqid = _alloc_reqid, + .release_reqid = _release_reqid, .add_sa = _add_sa, .update_sa = _update_sa, .query_sa = _query_sa, @@ -795,6 +1041,10 @@ kernel_interface_t *kernel_interface_create() .listeners = linked_list_create(), .mutex_algs = mutex_create(MUTEX_TYPE_DEFAULT), .algorithms = linked_list_create(), + .reqids = hashtable_create((hashtable_hash_t)hash_reqid, + (hashtable_equals_t)equals_reqid, 8), + .reqids_by_ts = hashtable_create((hashtable_hash_t)hash_reqid_by_ts, + (hashtable_equals_t)equals_reqid_by_ts, 8), ); ifaces = lib->settings->get_str(lib->settings, diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h index cd550383c..96ce9e26d 100644 --- a/src/libhydra/kernel/kernel_interface.h +++ b/src/libhydra/kernel/kernel_interface.h @@ -104,39 +104,67 @@ struct kernel_interface_t { * @param src source address of SA * @param dst destination address of SA * @param protocol protocol for SA (ESP/AH) - * @param reqid unique ID for this SA * @param spi allocated spi - * @return SUCCESS if operation completed + * @return SUCCESS if operation completed */ status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t reqid, u_int32_t *spi); + u_int8_t protocol, u_int32_t *spi); /** * Get a Compression Parameter Index (CPI) from the kernel. * * @param src source address of SA * @param dst destination address of SA - * @param reqid unique ID for the corresponding SA * @param cpi allocated cpi - * @return SUCCESS if operation completed + * @return SUCCESS if operation completed */ status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t reqid, u_int16_t *cpi); + u_int16_t *cpi); + + /** + * Allocate or confirm a reqid to use for a given SA pair. + * + * Each returned reqid by a successful call to alloc_reqid() must be + * released using release_reqid(). + * + * The reqid parameter is an in/out parameter. If it points to non-zero, + * the reqid is confirmed and registered for use. If it points to zero, + * a reqid is allocated for the given selectors, and returned to reqid. + * + * @param local_ts traffic selectors of local side for SA + * @param remote_ts traffic selectors of remote side for SA + * @param mark_in inbound mark on SA + * @param mark_out outbound mark on SA + * @param reqid allocated reqid + * @return SUCCESS if reqid allocated + */ + status_t (*alloc_reqid)(kernel_interface_t *this, + linked_list_t *local_ts, linked_list_t *remote_ts, + mark_t mark_in, mark_t mark_out, + u_int32_t *reqid); + + /** + * Release a previously allocated reqid. + * + * @param reqid reqid to release + * @param mark_in inbound mark on SA + * @param mark_out outbound mark on SA + * @return SUCCESS if reqid released + */ + status_t (*release_reqid)(kernel_interface_t *this, u_int32_t reqid, + mark_t mark_in, mark_t mark_out); /** * Add an SA to the SAD. * - * add_sa() may update an already allocated - * SPI (via get_spi). In this case, the replace - * flag must be set. - * This function does install a single SA for a - * single protocol in one direction. + * This function does install a single SA for a single protocol in one + * direction. * * @param src source address for this SA * @param dst destination address for this SA * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) - * @param reqid unique ID for this SA + * @param reqid reqid for this SA * @param mark optional mark for this SA * @param tfc Traffic Flow Confidentiality padding for this SA * @param lifetime lifetime_cfg_t for this SA @@ -152,8 +180,9 @@ struct kernel_interface_t { * @param encap enable UDP encapsulation for NAT traversal * @param esn TRUE to use Extended Sequence Numbers * @param inbound TRUE if this is an inbound SA - * @param src_ts traffic selector with BEET source address - * @param dst_ts traffic selector with BEET destination address + * @param update TRUE if an SPI has already been allocated for SA + * @param src_ts list of source traffic selectors + * @param dst_ts list of destination traffic selectors * @return SUCCESS if operation completed */ status_t (*add_sa) (kernel_interface_t *this, @@ -163,9 +192,9 @@ struct kernel_interface_t { u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts); + u_int32_t replay_window, bool initiator, bool encap, + bool esn, bool inbound, bool update, + linked_list_t *src_ts, linked_list_t *dst_ts); /** * Update the hosts on an installed SA. @@ -531,23 +560,24 @@ struct kernel_interface_t { /** * Raise an expire event. * - * @param reqid reqid of the expired SA * @param protocol protocol of the expired SA * @param spi spi of the expired SA + * @param dst destination address of expired SA * @param hard TRUE if it is a hard expire, FALSE otherwise */ - void (*expire)(kernel_interface_t *this, u_int32_t reqid, - u_int8_t protocol, u_int32_t spi, bool hard); + void (*expire)(kernel_interface_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, bool hard); /** * Raise a mapping event. * - * @param reqid reqid of the SA + * @param protocol protocol of affected SA * @param spi spi of the SA + * @param dst original destination address of SA * @param remote new remote host */ - void (*mapping)(kernel_interface_t *this, u_int32_t reqid, u_int32_t spi, - host_t *remote); + void (*mapping)(kernel_interface_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, host_t *remote); /** * Raise a migrate event. diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h index eec7401e9..19caaa400 100644 --- a/src/libhydra/kernel/kernel_ipsec.h +++ b/src/libhydra/kernel/kernel_ipsec.h @@ -58,33 +58,28 @@ struct kernel_ipsec_t { * @param src source address of SA * @param dst destination address of SA * @param protocol protocol for SA (ESP/AH) - * @param reqid unique ID for this SA * @param spi allocated spi - * @return SUCCESS if operation completed + * @return SUCCESS if operation completed */ status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t reqid, u_int32_t *spi); + u_int8_t protocol, u_int32_t *spi); /** * Get a Compression Parameter Index (CPI) from the kernel. * * @param src source address of SA * @param dst destination address of SA - * @param reqid unique ID for the corresponding SA * @param cpi allocated cpi - * @return SUCCESS if operation completed + * @return SUCCESS if operation completed */ status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t reqid, u_int16_t *cpi); + u_int16_t *cpi); /** * Add an SA to the SAD. * - * add_sa() may update an already allocated - * SPI (via get_spi). In this case, the replace - * flag must be set. - * This function does install a single SA for a - * single protocol in one direction. + * This function does install a single SA for a single protocol in one + * direction. * * @param src source address for this SA * @param dst destination address for this SA @@ -106,8 +101,9 @@ struct kernel_ipsec_t { * @param encap enable UDP encapsulation for NAT traversal * @param esn TRUE to use Extended Sequence Numbers * @param inbound TRUE if this is an inbound SA - * @param src_ts traffic selector with BEET source address - * @param dst_ts traffic selector with BEET destination address + * @param update TRUE if an SPI has already been allocated for SA + * @param src_ts list of source traffic selectors + * @param dst_ts list of destination traffic selectors * @return SUCCESS if operation completed */ status_t (*add_sa) (kernel_ipsec_t *this, @@ -117,9 +113,9 @@ struct kernel_ipsec_t { u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts); + u_int32_t replay_window, bool initiator, bool encap, + bool esn, bool inbound, bool update, + linked_list_t *src_ts, linked_list_t *dst_ts); /** * Update the hosts on an installed SA. diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libhydra/kernel/kernel_listener.h index 4382a43fd..8074356a4 100644 --- a/src/libhydra/kernel/kernel_listener.h +++ b/src/libhydra/kernel/kernel_listener.h @@ -49,25 +49,26 @@ struct kernel_listener_t { /** * Hook called if an exire event for an IPsec SA is received. * - * @param reqid reqid of the expired SA * @param protocol protocol of the expired SA * @param spi spi of the expired SA + * @param dst destination address of expired SA * @param hard TRUE if it is a hard expire, FALSE otherwise * @return TRUE to remain registered, FALSE to unregister */ - bool (*expire)(kernel_listener_t *this, u_int32_t reqid, - u_int8_t protocol, u_int32_t spi, bool hard); + bool (*expire)(kernel_listener_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, bool hard); /** * Hook called if the NAT mappings of an IPsec SA changed. * - * @param reqid reqid of the SA + * @param protocol IPsec protocol of affected SA * @param spi spi of the SA + * @param dst old destinatino address of SA * @param remote new remote host * @return TRUE to remain registered, FALSE to unregister */ - bool (*mapping)(kernel_listener_t *this, u_int32_t reqid, u_int32_t spi, - host_t *remote); + bool (*mapping)(kernel_listener_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, host_t *remote); /** * Hook called if a migrate event for a policy is received. diff --git a/src/libhydra/plugins/attr/Makefile.am b/src/libhydra/plugins/attr/Makefile.am deleted file mode 100644 index 5b899b80c..000000000 --- a/src/libhydra/plugins/attr/Makefile.am +++ /dev/null @@ -1,18 +0,0 @@ -AM_CPPFLAGS = \ - -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra - -AM_CFLAGS = \ - $(PLUGIN_CFLAGS) - -if MONOLITHIC -noinst_LTLIBRARIES = libstrongswan-attr.la -else -plugin_LTLIBRARIES = libstrongswan-attr.la -endif - -libstrongswan_attr_la_SOURCES = \ - attr_plugin.h attr_plugin.c \ - attr_provider.h attr_provider.c - -libstrongswan_attr_la_LDFLAGS = -module -avoid-version diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in deleted file mode 100644 index 50ea066c5..000000000 --- a/src/libhydra/plugins/attr/Makefile.in +++ /dev/null @@ -1,771 +0,0 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994-2013 Free Software Foundation, Inc. - -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' -am__make_running_with_option = \ - case $${target_option-} in \ - ?) ;; \ - *) echo "am__make_running_with_option: internal error: invalid" \ - "target option '$${target_option-}' specified" >&2; \ - exit 1;; \ - esac; \ - has_opt=no; \ - sane_makeflags=$$MAKEFLAGS; \ - if $(am__is_gnu_make); then \ - sane_makeflags=$$MFLAGS; \ - else \ - case $$MAKEFLAGS in \ - *\\[\ \ ]*) \ - bs=\\; \ - sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ - | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ - esac; \ - fi; \ - skip_next=no; \ - strip_trailopt () \ - { \ - flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ - }; \ - for flg in $$sane_makeflags; do \ - test $$skip_next = yes && { skip_next=no; continue; }; \ - case $$flg in \ - *=*|--*) continue;; \ - -*I) strip_trailopt 'I'; skip_next=yes;; \ - -*I?*) strip_trailopt 'I';; \ - -*O) strip_trailopt 'O'; skip_next=yes;; \ - -*O?*) strip_trailopt 'O';; \ - -*l) strip_trailopt 'l'; skip_next=yes;; \ - -*l?*) strip_trailopt 'l';; \ - -[dEDm]) skip_next=yes;; \ - -[JT]) skip_next=yes;; \ - esac; \ - case $$flg in \ - *$$target_option*) has_opt=yes; break;; \ - esac; \ - done; \ - test $$has_opt = yes -am__make_dryrun = (target_option=n; $(am__make_running_with_option)) -am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) -pkgdatadir = $(datadir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkglibexecdir = $(libexecdir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -subdir = src/libhydra/plugins/attr -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ - $(top_srcdir)/m4/config/ltoptions.m4 \ - $(top_srcdir)/m4/config/ltsugar.m4 \ - $(top_srcdir)/m4/config/ltversion.m4 \ - $(top_srcdir)/m4/config/lt~obsolete.m4 \ - $(top_srcdir)/m4/macros/split-package-version.m4 \ - $(top_srcdir)/m4/macros/with.m4 \ - $(top_srcdir)/m4/macros/enable-disable.m4 \ - $(top_srcdir)/m4/macros/add-plugin.m4 \ - $(top_srcdir)/configure.ac -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(install_sh) -d -CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = -CONFIG_CLEAN_VPATH_FILES = -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -am__uninstall_files_from_dir = { \ - test -z "$$files" \ - || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ - || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ - $(am__cd) "$$dir" && rm -f $$files; }; \ - } -am__installdirs = "$(DESTDIR)$(plugindir)" -LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_attr_la_LIBADD = -am_libstrongswan_attr_la_OBJECTS = attr_plugin.lo attr_provider.lo -libstrongswan_attr_la_OBJECTS = $(am_libstrongswan_attr_la_OBJECTS) -AM_V_lt = $(am__v_lt_@AM_V@) -am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) -am__v_lt_0 = --silent -am__v_lt_1 = -libstrongswan_attr_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ - $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ - $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_attr_la_LDFLAGS) \ - $(LDFLAGS) -o $@ -@MONOLITHIC_FALSE@am_libstrongswan_attr_la_rpath = -rpath $(plugindir) -@MONOLITHIC_TRUE@am_libstrongswan_attr_la_rpath = -AM_V_P = $(am__v_P_@AM_V@) -am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) -am__v_P_0 = false -am__v_P_1 = : -AM_V_GEN = $(am__v_GEN_@AM_V@) -am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) -am__v_GEN_0 = @echo " GEN " $@; -am__v_GEN_1 = -AM_V_at = $(am__v_at_@AM_V@) -am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) -am__v_at_0 = @ -am__v_at_1 = -DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -depcomp = $(SHELL) $(top_srcdir)/depcomp -am__depfiles_maybe = depfiles -am__mv = mv -f -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -AM_V_CC = $(am__v_CC_@AM_V@) -am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) -am__v_CC_0 = @echo " CC " $@; -am__v_CC_1 = -CCLD = $(CC) -LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -AM_V_CCLD = $(am__v_CCLD_@AM_V@) -am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) -am__v_CCLD_0 = @echo " CCLD " $@; -am__v_CCLD_1 = -SOURCES = $(libstrongswan_attr_la_SOURCES) -DIST_SOURCES = $(libstrongswan_attr_la_SOURCES) -am__can_run_installinfo = \ - case $$AM_UPDATE_INFO_DIR in \ - n|no|NO) false;; \ - *) (install-info --version) >/dev/null 2>&1;; \ - esac -am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -# Read a list of newline-separated strings from the standard input, -# and print each of them once, without duplicates. Input order is -# *not* preserved. -am__uniquify_input = $(AWK) '\ - BEGIN { nonempty = 0; } \ - { items[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in items) print i; }; } \ -' -# Make sure the list of sources is unique. This is necessary because, -# e.g., the same source file might be shared among _SOURCES variables -# for different programs/libraries. -am__define_uniq_tagged_files = \ - list='$(am__tagged_files)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -ALLOCA = @ALLOCA@ -AMTAR = @AMTAR@ -AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -BFDLIB = @BFDLIB@ -BTLIB = @BTLIB@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ -COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -DLLIB = @DLLIB@ -DLLTOOL = @DLLTOOL@ -DSYMUTIL = @DSYMUTIL@ -DUMPBIN = @DUMPBIN@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -FGREP = @FGREP@ -GEM = @GEM@ -GENHTML = @GENHTML@ -GPERF = @GPERF@ -GPRBUILD = @GPRBUILD@ -GREP = @GREP@ -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LCOV = @LCOV@ -LD = @LD@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIPO = @LIPO@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAKEINFO = @MAKEINFO@ -MANIFEST_TOOL = @MANIFEST_TOOL@ -MKDIR_P = @MKDIR_P@ -MYSQLCFLAG = @MYSQLCFLAG@ -MYSQLCONFIG = @MYSQLCONFIG@ -MYSQLLIB = @MYSQLLIB@ -NM = @NM@ -NMEDIT = @NMEDIT@ -OBJDUMP = @OBJDUMP@ -OBJEXT = @OBJEXT@ -OPENSSL_LIB = @OPENSSL_LIB@ -OTOOL = @OTOOL@ -OTOOL64 = @OTOOL64@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ -PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ -PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ -PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -PERL = @PERL@ -PKG_CONFIG = @PKG_CONFIG@ -PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ -PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ -PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ -PTHREADLIB = @PTHREADLIB@ -PYTHON = @PYTHON@ -PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ -PYTHON_PLATFORM = @PYTHON_PLATFORM@ -PYTHON_PREFIX = @PYTHON_PREFIX@ -PYTHON_VERSION = @PYTHON_VERSION@ -RANLIB = @RANLIB@ -RTLIB = @RTLIB@ -RUBY = @RUBY@ -RUBYGEMDIR = @RUBYGEMDIR@ -RUBYINCLUDE = @RUBYINCLUDE@ -RUBYLIB = @RUBYLIB@ -SED = @SED@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -SOCKLIB = @SOCKLIB@ -STRIP = @STRIP@ -UNWINDLIB = @UNWINDLIB@ -VERSION = @VERSION@ -YACC = @YACC@ -YFLAGS = @YFLAGS@ -abs_builddir = @abs_builddir@ -abs_srcdir = @abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -aikgen_plugins = @aikgen_plugins@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -attest_plugins = @attest_plugins@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -builddir = @builddir@ -c_plugins = @c_plugins@ -charon_natt_port = @charon_natt_port@ -charon_plugins = @charon_plugins@ -charon_udp_port = @charon_udp_port@ -clearsilver_LIBS = @clearsilver_LIBS@ -cmd_plugins = @cmd_plugins@ -datadir = @datadir@ -datarootdir = @datarootdir@ -dbusservicedir = @dbusservicedir@ -dev_headers = @dev_headers@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -fips_mode = @fips_mode@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ -h_plugins = @h_plugins@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -imcvdir = @imcvdir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -ipsec_script = @ipsec_script@ -ipsec_script_upper = @ipsec_script_upper@ -ipsecdir = @ipsecdir@ -ipsecgroup = @ipsecgroup@ -ipseclibdir = @ipseclibdir@ -ipsecuser = @ipsecuser@ -json_CFLAGS = @json_CFLAGS@ -json_LIBS = @json_LIBS@ -libdir = @libdir@ -libexecdir = @libexecdir@ -linux_headers = @linux_headers@ -localedir = @localedir@ -localstatedir = @localstatedir@ -maemo_CFLAGS = @maemo_CFLAGS@ -maemo_LIBS = @maemo_LIBS@ -manager_plugins = @manager_plugins@ -mandir = @mandir@ -medsrv_plugins = @medsrv_plugins@ -mkdir_p = @mkdir_p@ -nm_CFLAGS = @nm_CFLAGS@ -nm_LIBS = @nm_LIBS@ -nm_ca_dir = @nm_ca_dir@ -nm_plugins = @nm_plugins@ -oldincludedir = @oldincludedir@ -pcsclite_CFLAGS = @pcsclite_CFLAGS@ -pcsclite_LIBS = @pcsclite_LIBS@ -pdfdir = @pdfdir@ -piddir = @piddir@ -pkgpyexecdir = @pkgpyexecdir@ -pkgpythondir = @pkgpythondir@ -pki_plugins = @pki_plugins@ -plugindir = @plugindir@ -pool_plugins = @pool_plugins@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -pyexecdir = @pyexecdir@ -pythondir = @pythondir@ -random_device = @random_device@ -resolv_conf = @resolv_conf@ -routing_table = @routing_table@ -routing_table_prio = @routing_table_prio@ -s_plugins = @s_plugins@ -sbindir = @sbindir@ -scepclient_plugins = @scepclient_plugins@ -scripts_plugins = @scripts_plugins@ -sharedstatedir = @sharedstatedir@ -soup_CFLAGS = @soup_CFLAGS@ -soup_LIBS = @soup_LIBS@ -srcdir = @srcdir@ -starter_plugins = @starter_plugins@ -strongswan_conf = @strongswan_conf@ -strongswan_options = @strongswan_options@ -swanctldir = @swanctldir@ -sysconfdir = @sysconfdir@ -systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ -systemd_daemon_LIBS = @systemd_daemon_LIBS@ -systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ -systemd_journal_LIBS = @systemd_journal_LIBS@ -systemdsystemunitdir = @systemdsystemunitdir@ -t_plugins = @t_plugins@ -target_alias = @target_alias@ -top_build_prefix = @top_build_prefix@ -top_builddir = @top_builddir@ -top_srcdir = @top_srcdir@ -urandom_device = @urandom_device@ -xml_CFLAGS = @xml_CFLAGS@ -xml_LIBS = @xml_LIBS@ -AM_CPPFLAGS = \ - -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra - -AM_CFLAGS = \ - $(PLUGIN_CFLAGS) - -@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr.la -@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr.la -libstrongswan_attr_la_SOURCES = \ - attr_plugin.h attr_plugin.c \ - attr_provider.h attr_provider.c - -libstrongswan_attr_la_LDFLAGS = -module -avoid-version -all: all-am - -.SUFFIXES: -.SUFFIXES: .c .lo .o .obj -$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ - && { if test -f $@; then exit 0; else break; fi; }; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/attr/Makefile'; \ - $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libhydra/plugins/attr/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(am__aclocal_m4_deps): - -clean-noinstLTLIBRARIES: - -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) - @list='$(noinst_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } - -install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) - @$(NORMAL_INSTALL) - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - list2=; for p in $$list; do \ - if test -f $$p; then \ - list2="$$list2 $$p"; \ - else :; fi; \ - done; \ - test -z "$$list2" || { \ - echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ - } - -uninstall-pluginLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - for p in $$list; do \ - $(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ - done - -clean-pluginLTLIBRARIES: - -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) - @list='$(plugin_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } - -libstrongswan-attr.la: $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_DEPENDENCIES) $(EXTRA_libstrongswan_attr_la_DEPENDENCIES) - $(AM_V_CCLD)$(libstrongswan_attr_la_LINK) $(am_libstrongswan_attr_la_rpath) $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_LIBADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_plugin.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_provider.Plo@am__quote@ - -.c.o: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< - -.c.obj: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` - -.c.lo: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -ID: $(am__tagged_files) - $(am__define_uniq_tagged_files); mkid -fID $$unique -tags: tags-am -TAGS: tags - -tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) - set x; \ - here=`pwd`; \ - $(am__define_uniq_tagged_files); \ - shift; \ - if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ - test -n "$$unique" || unique=$$empty_fix; \ - if test $$# -gt 0; then \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - "$$@" $$unique; \ - else \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$unique; \ - fi; \ - fi -ctags: ctags-am - -CTAGS: ctags -ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) - $(am__define_uniq_tagged_files); \ - test -z "$(CTAGS_ARGS)$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && $(am__cd) $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) "$$here" -cscopelist: cscopelist-am - -cscopelist-am: $(am__tagged_files) - list='$(am__tagged_files)'; \ - case "$(srcdir)" in \ - [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ - *) sdir=$(subdir)/$(srcdir) ;; \ - esac; \ - for i in $$list; do \ - if test -f "$$i"; then \ - echo "$(subdir)/$$i"; \ - else \ - echo "$$sdir/$$i"; \ - fi; \ - done >> $(top_builddir)/cscope.files - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - list='$(DISTFILES)'; \ - dist_files=`for file in $$list; do echo $$file; done | \ - sed -e "s|^$$srcdirstrip/||;t" \ - -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ - case $$dist_files in \ - */*) $(MKDIR_P) `echo "$$dist_files" | \ - sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ - sort -u` ;; \ - esac; \ - for file in $$dist_files; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - if test -d $$d/$$file; then \ - dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test -d "$(distdir)/$$file"; then \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ - else \ - test -f "$(distdir)/$$file" \ - || cp -p $$d/$$file "$(distdir)/$$file" \ - || exit 1; \ - fi; \ - done -check-am: all-am -check: check-am -all-am: Makefile $(LTLIBRARIES) -installdirs: - for dir in "$(DESTDIR)$(plugindir)"; do \ - test -z "$$dir" || $(MKDIR_P) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - if test -z '$(STRIP)'; then \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - install; \ - else \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ - fi -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) - -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ - clean-pluginLTLIBRARIES mostlyclean-am - -distclean: distclean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -html-am: - -info: info-am - -info-am: - -install-data-am: install-pluginLTLIBRARIES - -install-dvi: install-dvi-am - -install-dvi-am: - -install-exec-am: - -install-html: install-html-am - -install-html-am: - -install-info: install-info-am - -install-info-am: - -install-man: - -install-pdf: install-pdf-am - -install-pdf-am: - -install-ps: install-ps-am - -install-ps-am: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-pluginLTLIBRARIES - -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ - clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-pluginLTLIBRARIES install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ - uninstall-am uninstall-pluginLTLIBRARIES - - -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/src/libhydra/plugins/attr/attr_plugin.c b/src/libhydra/plugins/attr/attr_plugin.c deleted file mode 100644 index 72fcd6dff..000000000 --- a/src/libhydra/plugins/attr/attr_plugin.c +++ /dev/null @@ -1,109 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "attr_plugin.h" -#include "attr_provider.h" - -#include - -typedef struct private_attr_plugin_t private_attr_plugin_t; - -/** - * private data of attr plugin - */ -struct private_attr_plugin_t { - - /** - * implements plugin interface - */ - attr_plugin_t public; - - /** - * CFG attributes provider - */ - attr_provider_t *provider; -}; - -METHOD(plugin_t, get_name, char*, - private_attr_plugin_t *this) -{ - return "attr"; -} - -/** - * Register provider - */ -static bool plugin_cb(private_attr_plugin_t *this, - plugin_feature_t *feature, bool reg, void *cb_data) -{ - if (reg) - { - hydra->attributes->add_provider(hydra->attributes, - &this->provider->provider); - } - else - { - hydra->attributes->remove_provider(hydra->attributes, - &this->provider->provider); - } - return TRUE; -} - -METHOD(plugin_t, get_features, int, - private_attr_plugin_t *this, plugin_feature_t *features[]) -{ - static plugin_feature_t f[] = { - PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL), - PLUGIN_PROVIDE(CUSTOM, "attr"), - }; - *features = f; - return countof(f); -} - -METHOD(plugin_t, reload, bool, - private_attr_plugin_t *this) -{ - this->provider->reload(this->provider); - return TRUE; -} - -METHOD(plugin_t, destroy, void, - private_attr_plugin_t *this) -{ - this->provider->destroy(this->provider); - free(this); -} - -/* - * see header file - */ -plugin_t *attr_plugin_create() -{ - private_attr_plugin_t *this; - - INIT(this, - .public = { - .plugin = { - .get_name = _get_name, - .get_features = _get_features, - .reload = _reload, - .destroy = _destroy, - }, - }, - .provider = attr_provider_create(), - ); - - return &this->public.plugin; -} diff --git a/src/libhydra/plugins/attr/attr_plugin.h b/src/libhydra/plugins/attr/attr_plugin.h deleted file mode 100644 index 29fb33839..000000000 --- a/src/libhydra/plugins/attr/attr_plugin.h +++ /dev/null @@ -1,42 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup attr attr - * @ingroup hplugins - * - * @defgroup attr_plugin attr_plugin - * @{ @ingroup attr - */ - -#ifndef ATTR_PLUGIN_H_ -#define ATTR_PLUGIN_H_ - -#include - -typedef struct attr_plugin_t attr_plugin_t; - -/** - * Plugin providing configuration attribute through strongswan.conf. - */ -struct attr_plugin_t { - - /** - * implements plugin interface - */ - plugin_t plugin; -}; - -#endif /** ATTR_PLUGIN_H_ @}*/ diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c deleted file mode 100644 index c1788df94..000000000 --- a/src/libhydra/plugins/attr/attr_provider.c +++ /dev/null @@ -1,329 +0,0 @@ -/* - * Copyright (C) 2010 Tobias Brunner - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "attr_provider.h" - -#include - -#include -#include -#include -#include - -#define SERVER_MAX 2 - -typedef struct private_attr_provider_t private_attr_provider_t; -typedef struct attribute_entry_t attribute_entry_t; - -/** - * private data of attr_provider - */ -struct private_attr_provider_t { - - /** - * public functions - */ - attr_provider_t public; - - /** - * List of attributes, attribute_entry_t - */ - linked_list_t *attributes; - - /** - * Lock for attribute list - */ - rwlock_t *lock; -}; - -struct attribute_entry_t { - /** type of attribute */ - configuration_attribute_type_t type; - /** attribute value */ - chunk_t value; -}; - -/** - * Destroy an entry - */ -static void attribute_destroy(attribute_entry_t *this) -{ - free(this->value.ptr); - free(this); -} - -/** - * convert enumerator value from attribute_entry - */ -static bool attr_enum_filter(void *null, attribute_entry_t **in, - configuration_attribute_type_t *type, void* none, chunk_t *value) -{ - *type = (*in)->type; - *value = (*in)->value; - return TRUE; -} - -METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, - private_attr_provider_t *this, linked_list_t *pools, - identification_t *id, linked_list_t *vips) -{ - if (vips->get_count(vips)) - { - this->lock->read_lock(this->lock); - return enumerator_create_filter( - this->attributes->create_enumerator(this->attributes), - (void*)attr_enum_filter, this->lock, (void*)this->lock->unlock); - } - return enumerator_create_empty(); -} - -METHOD(attr_provider_t, destroy, void, - private_attr_provider_t *this) -{ - this->attributes->destroy_function(this->attributes, - (void*)attribute_destroy); - this->lock->destroy(this->lock); - free(this); -} - -/** - * Add an attribute entry to the list - */ -static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr, - configuration_attribute_type_t type) -{ - attribute_entry_t *entry; - host_t *host; - char *str; - - str = lib->settings->get_str(lib->settings, "%s.%s%d", NULL, lib->ns, - key, nr); - if (str) - { - host = host_create_from_string(str, 0); - if (host) - { - entry = malloc_thing(attribute_entry_t); - - if (host->get_family(host) == AF_INET6) - { - switch (type) - { - case INTERNAL_IP4_DNS: - type = INTERNAL_IP6_DNS; - break; - case INTERNAL_IP4_NBNS: - type = INTERNAL_IP6_NBNS; - break; - default: - break; - } - } - entry->type = type; - entry->value = chunk_clone(host->get_address(host)); - host->destroy(host); - DBG2(DBG_CFG, "loaded legacy entry attribute %N: %#B", - configuration_attribute_type_names, entry->type, &entry->value); - this->attributes->insert_last(this->attributes, entry); - } - } -} - -/** - * Key to attribute type mappings, for v4 and v6 attributes - */ -typedef struct { - char *name; - configuration_attribute_type_t v4; - configuration_attribute_type_t v6; -} attribute_type_key_t; - -static attribute_type_key_t keys[] = { - {"address", INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS}, - {"dns", INTERNAL_IP4_DNS, INTERNAL_IP6_DNS}, - {"nbns", INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS}, - {"dhcp", INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP}, - {"netmask", INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK}, - {"server", INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER}, - {"subnet", INTERNAL_IP4_SUBNET, INTERNAL_IP6_SUBNET}, - {"split-include", UNITY_SPLIT_INCLUDE, UNITY_SPLIT_INCLUDE}, - {"split-exclude", UNITY_LOCAL_LAN, UNITY_LOCAL_LAN}, -}; - -/** - * Load (numerical) entries from the plugins.attr namespace - */ -static void load_entries(private_attr_provider_t *this) -{ - enumerator_t *enumerator, *tokens; - char *key, *value, *token; - int i; - - for (i = 1; i <= SERVER_MAX; i++) - { - add_legacy_entry(this, "dns", i, INTERNAL_IP4_DNS); - add_legacy_entry(this, "nbns", i, INTERNAL_IP4_NBNS); - } - - enumerator = lib->settings->create_key_value_enumerator(lib->settings, - "%s.plugins.attr", lib->ns); - while (enumerator->enumerate(enumerator, &key, &value)) - { - configuration_attribute_type_t type; - attribute_type_key_t *mapped = NULL; - attribute_entry_t *entry; - chunk_t data; - host_t *host; - char *pos; - int i, mask = -1, family; - - if (streq(key, "load")) - { - continue; - } - type = atoi(key); - if (!type) - { - for (i = 0; i < countof(keys); i++) - { - if (streq(key, keys[i].name)) - { - mapped = &keys[i]; - break; - } - } - if (!mapped) - { - DBG1(DBG_CFG, "mapping attribute type %s failed", key); - continue; - } - } - tokens = enumerator_create_token(value, ",", " "); - while (tokens->enumerate(tokens, &token)) - { - pos = strchr(token, '/'); - if (pos) - { - *(pos++) = '\0'; - mask = atoi(pos); - } - host = host_create_from_string(token, 0); - if (!host) - { - if (mapped) - { - DBG1(DBG_CFG, "invalid host in key %s: %s", key, token); - continue; - } - /* store numeric attributes that are no IP addresses as strings */ - data = chunk_clone(chunk_from_str(token)); - } - else - { - family = host->get_family(host); - if (mask == -1) - { - data = chunk_clone(host->get_address(host)); - } - else - { - if (family == AF_INET) - { /* IPv4 attributes contain a subnet mask */ - u_int32_t netmask = 0; - - if (mask) - { /* shifting u_int32_t by 32 or more is undefined */ - mask = 32 - mask; - netmask = htonl((0xFFFFFFFF >> mask) << mask); - } - data = chunk_cat("cc", host->get_address(host), - chunk_from_thing(netmask)); - } - else - { /* IPv6 addresses the prefix only */ - data = chunk_cat("cc", host->get_address(host), - chunk_from_chars(mask)); - } - } - host->destroy(host); - if (mapped) - { - switch (family) - { - case AF_INET: - type = mapped->v4; - break; - case AF_INET6: - type = mapped->v6; - break; - } - } - } - INIT(entry, - .type = type, - .value = data, - ); - DBG2(DBG_CFG, "loaded attribute %N: %#B", - configuration_attribute_type_names, entry->type, &entry->value); - this->attributes->insert_last(this->attributes, entry); - } - tokens->destroy(tokens); - } - enumerator->destroy(enumerator); -} - -METHOD(attr_provider_t, reload, void, - private_attr_provider_t *this) -{ - this->lock->write_lock(this->lock); - - this->attributes->destroy_function(this->attributes, (void*)attribute_destroy); - this->attributes = linked_list_create(); - - load_entries(this); - - DBG1(DBG_CFG, "loaded %d entr%s for attr plugin configuration", - this->attributes->get_count(this->attributes), - this->attributes->get_count(this->attributes) == 1 ? "y" : "ies"); - - this->lock->unlock(this->lock); -} - -/* - * see header file - */ -attr_provider_t *attr_provider_create(database_t *db) -{ - private_attr_provider_t *this; - - INIT(this, - .public = { - .provider = { - .acquire_address = (void*)return_null, - .release_address = (void*)return_false, - .create_attribute_enumerator = _create_attribute_enumerator, - }, - .reload = _reload, - .destroy = _destroy, - }, - .attributes = linked_list_create(), - .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), - ); - - load_entries(this); - - return &this->public; -} diff --git a/src/libhydra/plugins/attr/attr_provider.h b/src/libhydra/plugins/attr/attr_provider.h deleted file mode 100644 index 17db30408..000000000 --- a/src/libhydra/plugins/attr/attr_provider.h +++ /dev/null @@ -1,54 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup attr_provider attr_provider - * @{ @ingroup attr - */ - -#ifndef ATTR_PROVIDER_H_ -#define ATTR_PROVIDER_H_ - -#include - -typedef struct attr_provider_t attr_provider_t; - -/** - * Provide configuration attributes through static strongswan.conf definition. - */ -struct attr_provider_t { - - /** - * Implements attribute provider interface - */ - attribute_provider_t provider; - - /** - * Reload configuration from strongswan.conf. - */ - void (*reload)(attr_provider_t *this); - - /** - * Destroy a attr_provider instance. - */ - void (*destroy)(attr_provider_t *this); -}; - -/** - * Create a attr_provider instance. - */ -attr_provider_t *attr_provider_create(); - -#endif /** ATTR_PROVIDER @}*/ diff --git a/src/libhydra/plugins/attr_sql/Makefile.am b/src/libhydra/plugins/attr_sql/Makefile.am deleted file mode 100644 index 6e7eae5eb..000000000 --- a/src/libhydra/plugins/attr_sql/Makefile.am +++ /dev/null @@ -1,18 +0,0 @@ -AM_CPPFLAGS = \ - -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra - -AM_CFLAGS = \ - $(PLUGIN_CFLAGS) - -if MONOLITHIC -noinst_LTLIBRARIES = libstrongswan-attr-sql.la -else -plugin_LTLIBRARIES = libstrongswan-attr-sql.la -endif - -libstrongswan_attr_sql_la_SOURCES = \ - attr_sql_plugin.h attr_sql_plugin.c \ - sql_attribute.h sql_attribute.c - -libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in deleted file mode 100644 index 076e1f8f2..000000000 --- a/src/libhydra/plugins/attr_sql/Makefile.in +++ /dev/null @@ -1,774 +0,0 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994-2013 Free Software Foundation, Inc. - -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' -am__make_running_with_option = \ - case $${target_option-} in \ - ?) ;; \ - *) echo "am__make_running_with_option: internal error: invalid" \ - "target option '$${target_option-}' specified" >&2; \ - exit 1;; \ - esac; \ - has_opt=no; \ - sane_makeflags=$$MAKEFLAGS; \ - if $(am__is_gnu_make); then \ - sane_makeflags=$$MFLAGS; \ - else \ - case $$MAKEFLAGS in \ - *\\[\ \ ]*) \ - bs=\\; \ - sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ - | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ - esac; \ - fi; \ - skip_next=no; \ - strip_trailopt () \ - { \ - flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ - }; \ - for flg in $$sane_makeflags; do \ - test $$skip_next = yes && { skip_next=no; continue; }; \ - case $$flg in \ - *=*|--*) continue;; \ - -*I) strip_trailopt 'I'; skip_next=yes;; \ - -*I?*) strip_trailopt 'I';; \ - -*O) strip_trailopt 'O'; skip_next=yes;; \ - -*O?*) strip_trailopt 'O';; \ - -*l) strip_trailopt 'l'; skip_next=yes;; \ - -*l?*) strip_trailopt 'l';; \ - -[dEDm]) skip_next=yes;; \ - -[JT]) skip_next=yes;; \ - esac; \ - case $$flg in \ - *$$target_option*) has_opt=yes; break;; \ - esac; \ - done; \ - test $$has_opt = yes -am__make_dryrun = (target_option=n; $(am__make_running_with_option)) -am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) -pkgdatadir = $(datadir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkglibexecdir = $(libexecdir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -subdir = src/libhydra/plugins/attr_sql -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ - $(top_srcdir)/m4/config/ltoptions.m4 \ - $(top_srcdir)/m4/config/ltsugar.m4 \ - $(top_srcdir)/m4/config/ltversion.m4 \ - $(top_srcdir)/m4/config/lt~obsolete.m4 \ - $(top_srcdir)/m4/macros/split-package-version.m4 \ - $(top_srcdir)/m4/macros/with.m4 \ - $(top_srcdir)/m4/macros/enable-disable.m4 \ - $(top_srcdir)/m4/macros/add-plugin.m4 \ - $(top_srcdir)/configure.ac -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(install_sh) -d -CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = -CONFIG_CLEAN_VPATH_FILES = -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -am__uninstall_files_from_dir = { \ - test -z "$$files" \ - || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ - || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ - $(am__cd) "$$dir" && rm -f $$files; }; \ - } -am__installdirs = "$(DESTDIR)$(plugindir)" -LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_attr_sql_la_LIBADD = -am_libstrongswan_attr_sql_la_OBJECTS = attr_sql_plugin.lo \ - sql_attribute.lo -libstrongswan_attr_sql_la_OBJECTS = \ - $(am_libstrongswan_attr_sql_la_OBJECTS) -AM_V_lt = $(am__v_lt_@AM_V@) -am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) -am__v_lt_0 = --silent -am__v_lt_1 = -libstrongswan_attr_sql_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ - $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ - $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_attr_sql_la_LDFLAGS) \ - $(LDFLAGS) -o $@ -@MONOLITHIC_FALSE@am_libstrongswan_attr_sql_la_rpath = -rpath \ -@MONOLITHIC_FALSE@ $(plugindir) -@MONOLITHIC_TRUE@am_libstrongswan_attr_sql_la_rpath = -AM_V_P = $(am__v_P_@AM_V@) -am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) -am__v_P_0 = false -am__v_P_1 = : -AM_V_GEN = $(am__v_GEN_@AM_V@) -am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) -am__v_GEN_0 = @echo " GEN " $@; -am__v_GEN_1 = -AM_V_at = $(am__v_at_@AM_V@) -am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) -am__v_at_0 = @ -am__v_at_1 = -DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -depcomp = $(SHELL) $(top_srcdir)/depcomp -am__depfiles_maybe = depfiles -am__mv = mv -f -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -AM_V_CC = $(am__v_CC_@AM_V@) -am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) -am__v_CC_0 = @echo " CC " $@; -am__v_CC_1 = -CCLD = $(CC) -LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -AM_V_CCLD = $(am__v_CCLD_@AM_V@) -am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) -am__v_CCLD_0 = @echo " CCLD " $@; -am__v_CCLD_1 = -SOURCES = $(libstrongswan_attr_sql_la_SOURCES) -DIST_SOURCES = $(libstrongswan_attr_sql_la_SOURCES) -am__can_run_installinfo = \ - case $$AM_UPDATE_INFO_DIR in \ - n|no|NO) false;; \ - *) (install-info --version) >/dev/null 2>&1;; \ - esac -am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -# Read a list of newline-separated strings from the standard input, -# and print each of them once, without duplicates. Input order is -# *not* preserved. -am__uniquify_input = $(AWK) '\ - BEGIN { nonempty = 0; } \ - { items[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in items) print i; }; } \ -' -# Make sure the list of sources is unique. This is necessary because, -# e.g., the same source file might be shared among _SOURCES variables -# for different programs/libraries. -am__define_uniq_tagged_files = \ - list='$(am__tagged_files)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -ALLOCA = @ALLOCA@ -AMTAR = @AMTAR@ -AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -BFDLIB = @BFDLIB@ -BTLIB = @BTLIB@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ -COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -DLLIB = @DLLIB@ -DLLTOOL = @DLLTOOL@ -DSYMUTIL = @DSYMUTIL@ -DUMPBIN = @DUMPBIN@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -FGREP = @FGREP@ -GEM = @GEM@ -GENHTML = @GENHTML@ -GPERF = @GPERF@ -GPRBUILD = @GPRBUILD@ -GREP = @GREP@ -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LCOV = @LCOV@ -LD = @LD@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIPO = @LIPO@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAKEINFO = @MAKEINFO@ -MANIFEST_TOOL = @MANIFEST_TOOL@ -MKDIR_P = @MKDIR_P@ -MYSQLCFLAG = @MYSQLCFLAG@ -MYSQLCONFIG = @MYSQLCONFIG@ -MYSQLLIB = @MYSQLLIB@ -NM = @NM@ -NMEDIT = @NMEDIT@ -OBJDUMP = @OBJDUMP@ -OBJEXT = @OBJEXT@ -OPENSSL_LIB = @OPENSSL_LIB@ -OTOOL = @OTOOL@ -OTOOL64 = @OTOOL64@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ -PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ -PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ -PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -PERL = @PERL@ -PKG_CONFIG = @PKG_CONFIG@ -PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ -PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ -PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ -PTHREADLIB = @PTHREADLIB@ -PYTHON = @PYTHON@ -PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ -PYTHON_PLATFORM = @PYTHON_PLATFORM@ -PYTHON_PREFIX = @PYTHON_PREFIX@ -PYTHON_VERSION = @PYTHON_VERSION@ -RANLIB = @RANLIB@ -RTLIB = @RTLIB@ -RUBY = @RUBY@ -RUBYGEMDIR = @RUBYGEMDIR@ -RUBYINCLUDE = @RUBYINCLUDE@ -RUBYLIB = @RUBYLIB@ -SED = @SED@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -SOCKLIB = @SOCKLIB@ -STRIP = @STRIP@ -UNWINDLIB = @UNWINDLIB@ -VERSION = @VERSION@ -YACC = @YACC@ -YFLAGS = @YFLAGS@ -abs_builddir = @abs_builddir@ -abs_srcdir = @abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -aikgen_plugins = @aikgen_plugins@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -attest_plugins = @attest_plugins@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -builddir = @builddir@ -c_plugins = @c_plugins@ -charon_natt_port = @charon_natt_port@ -charon_plugins = @charon_plugins@ -charon_udp_port = @charon_udp_port@ -clearsilver_LIBS = @clearsilver_LIBS@ -cmd_plugins = @cmd_plugins@ -datadir = @datadir@ -datarootdir = @datarootdir@ -dbusservicedir = @dbusservicedir@ -dev_headers = @dev_headers@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -fips_mode = @fips_mode@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ -h_plugins = @h_plugins@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -imcvdir = @imcvdir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -ipsec_script = @ipsec_script@ -ipsec_script_upper = @ipsec_script_upper@ -ipsecdir = @ipsecdir@ -ipsecgroup = @ipsecgroup@ -ipseclibdir = @ipseclibdir@ -ipsecuser = @ipsecuser@ -json_CFLAGS = @json_CFLAGS@ -json_LIBS = @json_LIBS@ -libdir = @libdir@ -libexecdir = @libexecdir@ -linux_headers = @linux_headers@ -localedir = @localedir@ -localstatedir = @localstatedir@ -maemo_CFLAGS = @maemo_CFLAGS@ -maemo_LIBS = @maemo_LIBS@ -manager_plugins = @manager_plugins@ -mandir = @mandir@ -medsrv_plugins = @medsrv_plugins@ -mkdir_p = @mkdir_p@ -nm_CFLAGS = @nm_CFLAGS@ -nm_LIBS = @nm_LIBS@ -nm_ca_dir = @nm_ca_dir@ -nm_plugins = @nm_plugins@ -oldincludedir = @oldincludedir@ -pcsclite_CFLAGS = @pcsclite_CFLAGS@ -pcsclite_LIBS = @pcsclite_LIBS@ -pdfdir = @pdfdir@ -piddir = @piddir@ -pkgpyexecdir = @pkgpyexecdir@ -pkgpythondir = @pkgpythondir@ -pki_plugins = @pki_plugins@ -plugindir = @plugindir@ -pool_plugins = @pool_plugins@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -pyexecdir = @pyexecdir@ -pythondir = @pythondir@ -random_device = @random_device@ -resolv_conf = @resolv_conf@ -routing_table = @routing_table@ -routing_table_prio = @routing_table_prio@ -s_plugins = @s_plugins@ -sbindir = @sbindir@ -scepclient_plugins = @scepclient_plugins@ -scripts_plugins = @scripts_plugins@ -sharedstatedir = @sharedstatedir@ -soup_CFLAGS = @soup_CFLAGS@ -soup_LIBS = @soup_LIBS@ -srcdir = @srcdir@ -starter_plugins = @starter_plugins@ -strongswan_conf = @strongswan_conf@ -strongswan_options = @strongswan_options@ -swanctldir = @swanctldir@ -sysconfdir = @sysconfdir@ -systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ -systemd_daemon_LIBS = @systemd_daemon_LIBS@ -systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ -systemd_journal_LIBS = @systemd_journal_LIBS@ -systemdsystemunitdir = @systemdsystemunitdir@ -t_plugins = @t_plugins@ -target_alias = @target_alias@ -top_build_prefix = @top_build_prefix@ -top_builddir = @top_builddir@ -top_srcdir = @top_srcdir@ -urandom_device = @urandom_device@ -xml_CFLAGS = @xml_CFLAGS@ -xml_LIBS = @xml_LIBS@ -AM_CPPFLAGS = \ - -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra - -AM_CFLAGS = \ - $(PLUGIN_CFLAGS) - -@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr-sql.la -@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr-sql.la -libstrongswan_attr_sql_la_SOURCES = \ - attr_sql_plugin.h attr_sql_plugin.c \ - sql_attribute.h sql_attribute.c - -libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version -all: all-am - -.SUFFIXES: -.SUFFIXES: .c .lo .o .obj -$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ - && { if test -f $@; then exit 0; else break; fi; }; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/attr_sql/Makefile'; \ - $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libhydra/plugins/attr_sql/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(am__aclocal_m4_deps): - -clean-noinstLTLIBRARIES: - -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) - @list='$(noinst_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } - -install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) - @$(NORMAL_INSTALL) - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - list2=; for p in $$list; do \ - if test -f $$p; then \ - list2="$$list2 $$p"; \ - else :; fi; \ - done; \ - test -z "$$list2" || { \ - echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ - } - -uninstall-pluginLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - for p in $$list; do \ - $(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ - done - -clean-pluginLTLIBRARIES: - -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) - @list='$(plugin_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } - -libstrongswan-attr-sql.la: $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_DEPENDENCIES) $(EXTRA_libstrongswan_attr_sql_la_DEPENDENCIES) - $(AM_V_CCLD)$(libstrongswan_attr_sql_la_LINK) $(am_libstrongswan_attr_sql_la_rpath) $(libstrongswan_attr_sql_la_OBJECTS) $(libstrongswan_attr_sql_la_LIBADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_sql_plugin.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_attribute.Plo@am__quote@ - -.c.o: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< - -.c.obj: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` - -.c.lo: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -ID: $(am__tagged_files) - $(am__define_uniq_tagged_files); mkid -fID $$unique -tags: tags-am -TAGS: tags - -tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) - set x; \ - here=`pwd`; \ - $(am__define_uniq_tagged_files); \ - shift; \ - if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ - test -n "$$unique" || unique=$$empty_fix; \ - if test $$# -gt 0; then \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - "$$@" $$unique; \ - else \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$unique; \ - fi; \ - fi -ctags: ctags-am - -CTAGS: ctags -ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) - $(am__define_uniq_tagged_files); \ - test -z "$(CTAGS_ARGS)$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && $(am__cd) $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) "$$here" -cscopelist: cscopelist-am - -cscopelist-am: $(am__tagged_files) - list='$(am__tagged_files)'; \ - case "$(srcdir)" in \ - [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ - *) sdir=$(subdir)/$(srcdir) ;; \ - esac; \ - for i in $$list; do \ - if test -f "$$i"; then \ - echo "$(subdir)/$$i"; \ - else \ - echo "$$sdir/$$i"; \ - fi; \ - done >> $(top_builddir)/cscope.files - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - list='$(DISTFILES)'; \ - dist_files=`for file in $$list; do echo $$file; done | \ - sed -e "s|^$$srcdirstrip/||;t" \ - -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ - case $$dist_files in \ - */*) $(MKDIR_P) `echo "$$dist_files" | \ - sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ - sort -u` ;; \ - esac; \ - for file in $$dist_files; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - if test -d $$d/$$file; then \ - dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test -d "$(distdir)/$$file"; then \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ - else \ - test -f "$(distdir)/$$file" \ - || cp -p $$d/$$file "$(distdir)/$$file" \ - || exit 1; \ - fi; \ - done -check-am: all-am -check: check-am -all-am: Makefile $(LTLIBRARIES) -installdirs: - for dir in "$(DESTDIR)$(plugindir)"; do \ - test -z "$$dir" || $(MKDIR_P) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - if test -z '$(STRIP)'; then \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - install; \ - else \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ - fi -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) - -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ - clean-pluginLTLIBRARIES mostlyclean-am - -distclean: distclean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -html-am: - -info: info-am - -info-am: - -install-data-am: install-pluginLTLIBRARIES - -install-dvi: install-dvi-am - -install-dvi-am: - -install-exec-am: - -install-html: install-html-am - -install-html-am: - -install-info: install-info-am - -install-info-am: - -install-man: - -install-pdf: install-pdf-am - -install-pdf-am: - -install-ps: install-ps-am - -install-ps-am: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-pluginLTLIBRARIES - -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ - clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-pluginLTLIBRARIES install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ - uninstall-am uninstall-pluginLTLIBRARIES - - -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c deleted file mode 100644 index dde90051a..000000000 --- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c +++ /dev/null @@ -1,129 +0,0 @@ -/* - * Copyright (C) 2013 Tobias Brunner - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include -#include - -#include "attr_sql_plugin.h" -#include "sql_attribute.h" - -typedef struct private_attr_sql_plugin_t private_attr_sql_plugin_t; - -/** - * private data of attr_sql plugin - */ -struct private_attr_sql_plugin_t { - - /** - * implements plugin interface - */ - attr_sql_plugin_t public; - - /** - * database connection instance - */ - database_t *db; - - /** - * configuration attributes - */ - sql_attribute_t *attribute; -}; - -METHOD(plugin_t, get_name, char*, - private_attr_sql_plugin_t *this) -{ - return "attr-sql"; -} - -/** - * Connect to database - */ -static bool open_database(private_attr_sql_plugin_t *this, - plugin_feature_t *feature, bool reg, void *cb_data) -{ - if (reg) - { - char *uri; - - uri = lib->settings->get_str(lib->settings, - "%s.plugins.attr-sql.database", NULL, lib->ns); - if (!uri) - { - DBG1(DBG_CFG, "attr-sql plugin: database URI not set"); - return FALSE; - } - - this->db = lib->db->create(lib->db, uri); - if (!this->db) - { - DBG1(DBG_CFG, "attr-sql plugin failed to connect to database"); - return FALSE; - } - this->attribute = sql_attribute_create(this->db); - hydra->attributes->add_provider(hydra->attributes, - &this->attribute->provider); - } - else - { - hydra->attributes->remove_provider(hydra->attributes, - &this->attribute->provider); - this->attribute->destroy(this->attribute); - this->db->destroy(this->db); - } - return TRUE; -} - -METHOD(plugin_t, get_features, int, - private_attr_sql_plugin_t *this, plugin_feature_t *features[]) -{ - static plugin_feature_t f[] = { - PLUGIN_CALLBACK((plugin_feature_callback_t)open_database, NULL), - PLUGIN_PROVIDE(CUSTOM, "attr-sql"), - PLUGIN_DEPENDS(DATABASE, DB_ANY), - }; - *features = f; - return countof(f); -} - -METHOD(plugin_t, destroy, void, - private_attr_sql_plugin_t *this) -{ - free(this); -} - -/* - * see header file - */ -plugin_t *attr_sql_plugin_create() -{ - private_attr_sql_plugin_t *this; - - INIT(this, - .public = { - .plugin = { - .get_name = _get_name, - .get_features = _get_features, - .destroy = _destroy, - }, - }, - ); - lib->settings->add_fallback(lib->settings, "%s.plugins.attr-sql", - "libhydra.plugins.attr-sql", lib->ns); - - return &this->public.plugin; -} diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.h b/src/libhydra/plugins/attr_sql/attr_sql_plugin.h deleted file mode 100644 index ba85a6b28..000000000 --- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.h +++ /dev/null @@ -1,42 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup attr_sql attr_sql - * @ingroup hplugins - * - * @defgroup sql_plugin sql_plugin - * @{ @ingroup attr_sql - */ - -#ifndef ATTR_SQL_PLUGIN_H_ -#define ATTR_SQL_PLUGIN_H_ - -#include - -typedef struct attr_sql_plugin_t attr_sql_plugin_t; - -/** - * SQL database attribute configuration plugin - */ -struct attr_sql_plugin_t { - - /** - * implements plugin interface - */ - plugin_t plugin; -}; - -#endif /** ATTR_SQL_PLUGIN_H_ @}*/ diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.c b/src/libhydra/plugins/attr_sql/sql_attribute.c deleted file mode 100644 index d527c3fba..000000000 --- a/src/libhydra/plugins/attr_sql/sql_attribute.c +++ /dev/null @@ -1,475 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include - -#include -#include - -#include "sql_attribute.h" - -typedef struct private_sql_attribute_t private_sql_attribute_t; - -/** - * private data of sql_attribute - */ -struct private_sql_attribute_t { - - /** - * public functions - */ - sql_attribute_t public; - - /** - * database connection - */ - database_t *db; - - /** - * whether to record lease history in lease table - */ - bool history; -}; - -/** - * lookup/insert an identity - */ -static u_int get_identity(private_sql_attribute_t *this, identification_t *id) -{ - enumerator_t *e; - u_int row; - - this->db->transaction(this->db, TRUE); - /* look for peer identity in the identities table */ - e = this->db->query(this->db, - "SELECT id FROM identities WHERE type = ? AND data = ?", - DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id), - DB_UINT); - if (e && e->enumerate(e, &row)) - { - e->destroy(e); - this->db->commit(this->db); - return row; - } - DESTROY_IF(e); - /* not found, insert new one */ - if (this->db->execute(this->db, &row, - "INSERT INTO identities (type, data) VALUES (?, ?)", - DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id)) == 1) - { - this->db->commit(this->db); - return row; - } - this->db->rollback(this->db); - return 0; -} - -/** - * Lookup an attribute pool by name - */ -static u_int get_attr_pool(private_sql_attribute_t *this, char *name) -{ - enumerator_t *e; - u_int row = 0; - - e = this->db->query(this->db, - "SELECT id FROM attribute_pools WHERE name = ?", - DB_TEXT, name, DB_UINT); - if (e) - { - e->enumerate(e, &row); - } - DESTROY_IF(e); - - return row; -} - -/** - * Lookup pool by name and address family - */ -static u_int get_pool(private_sql_attribute_t *this, char *name, int family, - u_int *timeout) -{ - enumerator_t *e; - chunk_t start; - u_int pool; - - e = this->db->query(this->db, - "SELECT id, start, timeout FROM pools WHERE name = ?", - DB_TEXT, name, DB_UINT, DB_BLOB, DB_UINT); - if (e && e->enumerate(e, &pool, &start, timeout)) - { - if ((family == AF_INET && start.len == 4) || - (family == AF_INET6 && start.len == 16)) - { - e->destroy(e); - return pool; - } - } - DESTROY_IF(e); - return 0; -} - -/** - * Look up an existing lease - */ -static host_t* check_lease(private_sql_attribute_t *this, char *name, - u_int pool, u_int identity) -{ - while (TRUE) - { - u_int id; - chunk_t address; - enumerator_t *e; - time_t now = time(NULL); - - e = this->db->query(this->db, - "SELECT id, address FROM addresses " - "WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1", - DB_UINT, pool, DB_UINT, identity, DB_UINT, DB_BLOB); - if (!e || !e->enumerate(e, &id, &address)) - { - DESTROY_IF(e); - break; - } - address = chunk_clonea(address); - e->destroy(e); - - if (this->db->execute(this->db, NULL, - "UPDATE addresses SET acquired = ?, released = 0 " - "WHERE id = ? AND identity = ? AND released != 0", - DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0) - { - host_t *host; - - host = host_create_from_chunk(AF_UNSPEC, address, 0); - if (host) - { - DBG1(DBG_CFG, "acquired existing lease for address %H in" - " pool '%s'", host, name); - return host; - } - } - } - return NULL; -} - -/** - * We check for unallocated addresses or expired leases. First we select an - * address as a candidate, but double check later on if it is still available - * during the update operation. This allows us to work without locking. - */ -static host_t* get_lease(private_sql_attribute_t *this, char *name, - u_int pool, u_int timeout, u_int identity) -{ - while (TRUE) - { - u_int id; - chunk_t address; - enumerator_t *e; - time_t now = time(NULL); - int hits; - - if (timeout) - { - /* check for an expired lease */ - e = this->db->query(this->db, - "SELECT id, address FROM addresses " - "WHERE pool = ? AND released != 0 AND released < ? LIMIT 1", - DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB); - } - else - { - /* with static leases, check for an unallocated address */ - e = this->db->query(this->db, - "SELECT id, address FROM addresses " - "WHERE pool = ? AND identity = 0 LIMIT 1", - DB_UINT, pool, DB_UINT, DB_BLOB); - - } - - if (!e || !e->enumerate(e, &id, &address)) - { - DESTROY_IF(e); - break; - } - address = chunk_clonea(address); - e->destroy(e); - - if (timeout) - { - hits = this->db->execute(this->db, NULL, - "UPDATE addresses SET " - "acquired = ?, released = 0, identity = ? " - "WHERE id = ? AND released != 0 AND released < ?", - DB_UINT, now, DB_UINT, identity, - DB_UINT, id, DB_UINT, now - timeout); - } - else - { - hits = this->db->execute(this->db, NULL, - "UPDATE addresses SET " - "acquired = ?, released = 0, identity = ? " - "WHERE id = ? AND identity = 0", - DB_UINT, now, DB_UINT, identity, DB_UINT, id); - } - if (hits > 0) - { - host_t *host; - - host = host_create_from_chunk(AF_UNSPEC, address, 0); - if (host) - { - DBG1(DBG_CFG, "acquired new lease for address %H in pool '%s'", - host, name); - return host; - } - } - } - DBG1(DBG_CFG, "no available address found in pool '%s'", name); - return NULL; -} - -METHOD(attribute_provider_t, acquire_address, host_t*, - private_sql_attribute_t *this, linked_list_t *pools, identification_t *id, - host_t *requested) -{ - enumerator_t *enumerator; - host_t *address = NULL; - u_int identity, pool, timeout; - char *name; - int family; - - identity = get_identity(this, id); - if (identity) - { - family = requested->get_family(requested); - /* check for an existing lease in all pools */ - enumerator = pools->create_enumerator(pools); - while (enumerator->enumerate(enumerator, &name)) - { - pool = get_pool(this, name, family, &timeout); - if (pool) - { - address = check_lease(this, name, pool, identity); - if (address) - { - break; - } - } - } - enumerator->destroy(enumerator); - - if (!address) - { - /* get an unallocated address or expired lease */ - enumerator = pools->create_enumerator(pools); - while (enumerator->enumerate(enumerator, &name)) - { - pool = get_pool(this, name, family, &timeout); - if (pool) - { - address = get_lease(this, name, pool, timeout, identity); - if (address) - { - break; - } - } - } - enumerator->destroy(enumerator); - } - } - return address; -} - -METHOD(attribute_provider_t, release_address, bool, - private_sql_attribute_t *this, linked_list_t *pools, host_t *address, - identification_t *id) -{ - enumerator_t *enumerator; - u_int pool, timeout; - time_t now = time(NULL); - bool found = FALSE; - char *name; - int family; - - family = address->get_family(address); - enumerator = pools->create_enumerator(pools); - while (enumerator->enumerate(enumerator, &name)) - { - pool = get_pool(this, name, family, &timeout); - if (!pool) - { - continue; - } - if (this->db->execute(this->db, NULL, - "UPDATE addresses SET released = ? WHERE " - "pool = ? AND address = ?", DB_UINT, time(NULL), - DB_UINT, pool, DB_BLOB, address->get_address(address)) > 0) - { - if (this->history) - { - this->db->execute(this->db, NULL, - "INSERT INTO leases (address, identity, acquired, released)" - " SELECT id, identity, acquired, ? FROM addresses " - " WHERE pool = ? AND address = ?", - DB_UINT, now, DB_UINT, pool, - DB_BLOB, address->get_address(address)); - } - found = TRUE; - break; - } - } - enumerator->destroy(enumerator); - - return found; -} - -METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, - private_sql_attribute_t *this, linked_list_t *pools, identification_t *id, - linked_list_t *vips) -{ - enumerator_t *attr_enumerator = NULL; - - if (vips->get_count(vips)) - { - enumerator_t *pool_enumerator; - u_int count; - char *name; - - /* in a first step check for attributes that match name and id */ - if (id) - { - u_int identity = get_identity(this, id); - - pool_enumerator = pools->create_enumerator(pools); - while (pool_enumerator->enumerate(pool_enumerator, &name)) - { - u_int attr_pool = get_attr_pool(this, name); - if (!attr_pool) - { - continue; - } - - attr_enumerator = this->db->query(this->db, - "SELECT count(*) FROM attributes " - "WHERE pool = ? AND identity = ?", - DB_UINT, attr_pool, DB_UINT, identity, DB_UINT); - - if (attr_enumerator && - attr_enumerator->enumerate(attr_enumerator, &count) && - count != 0) - { - attr_enumerator->destroy(attr_enumerator); - attr_enumerator = this->db->query(this->db, - "SELECT type, value FROM attributes " - "WHERE pool = ? AND identity = ?", DB_UINT, - attr_pool, DB_UINT, identity, DB_INT, DB_BLOB); - break; - } - DESTROY_IF(attr_enumerator); - attr_enumerator = NULL; - } - pool_enumerator->destroy(pool_enumerator); - } - - /* in a second step check for attributes that match name */ - if (!attr_enumerator) - { - pool_enumerator = pools->create_enumerator(pools); - while (pool_enumerator->enumerate(pool_enumerator, &name)) - { - u_int attr_pool = get_attr_pool(this, name); - if (!attr_pool) - { - continue; - } - - attr_enumerator = this->db->query(this->db, - "SELECT count(*) FROM attributes " - "WHERE pool = ? AND identity = 0", - DB_UINT, attr_pool, DB_UINT); - - if (attr_enumerator && - attr_enumerator->enumerate(attr_enumerator, &count) && - count != 0) - { - attr_enumerator->destroy(attr_enumerator); - attr_enumerator = this->db->query(this->db, - "SELECT type, value FROM attributes " - "WHERE pool = ? AND identity = 0", - DB_UINT, attr_pool, DB_INT, DB_BLOB); - break; - } - DESTROY_IF(attr_enumerator); - attr_enumerator = NULL; - } - pool_enumerator->destroy(pool_enumerator); - } - - /* lastly try to find global attributes */ - if (!attr_enumerator) - { - attr_enumerator = this->db->query(this->db, - "SELECT type, value FROM attributes " - "WHERE pool = 0 AND identity = 0", - DB_INT, DB_BLOB); - } - } - - return (attr_enumerator ? attr_enumerator : enumerator_create_empty()); -} - -METHOD(sql_attribute_t, destroy, void, - private_sql_attribute_t *this) -{ - free(this); -} - -/* - * see header file - */ -sql_attribute_t *sql_attribute_create(database_t *db) -{ - private_sql_attribute_t *this; - time_t now = time(NULL); - - INIT(this, - .public = { - .provider = { - .acquire_address = _acquire_address, - .release_address = _release_address, - .create_attribute_enumerator = _create_attribute_enumerator, - }, - .destroy = _destroy, - }, - .db = db, - .history = lib->settings->get_bool(lib->settings, - "%s.plugins.attr-sql.lease_history", TRUE, lib->ns), - ); - - /* close any "online" leases in the case we crashed */ - if (this->history) - { - this->db->execute(this->db, NULL, - "INSERT INTO leases (address, identity, acquired, released)" - " SELECT id, identity, acquired, ? FROM addresses " - " WHERE released = 0", DB_UINT, now); - } - this->db->execute(this->db, NULL, - "UPDATE addresses SET released = ? WHERE released = 0", - DB_UINT, now); - return &this->public; -} diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.h b/src/libhydra/plugins/attr_sql/sql_attribute.h deleted file mode 100644 index ca87eb27e..000000000 --- a/src/libhydra/plugins/attr_sql/sql_attribute.h +++ /dev/null @@ -1,50 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup sql_attribute sql_attribute - * @{ @ingroup attr_sql - */ - -#ifndef SQL_ATTRIBUTE_H_ -#define SQL_ATTRIBUTE_H_ - -#include -#include - -typedef struct sql_attribute_t sql_attribute_t; - -/** - * SQL database based IKEv2 cfg attribute provider. - */ -struct sql_attribute_t { - - /** - * Implements attribute provider interface - */ - attribute_provider_t provider; - - /** - * Destroy a sql_attribute instance. - */ - void (*destroy)(sql_attribute_t *this); -}; - -/** - * Create a sql_attribute instance. - */ -sql_attribute_t *sql_attribute_create(database_t *db); - -#endif /** SQL_ATTRIBUTE_H_ @}*/ diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.am b/src/libhydra/plugins/kernel_netlink/Makefile.am index c91f9a9e4..cc8855406 100644 --- a/src/libhydra/plugins/kernel_netlink/Makefile.am +++ b/src/libhydra/plugins/kernel_netlink/Makefile.am @@ -21,3 +21,24 @@ libstrongswan_kernel_netlink_la_SOURCES = \ kernel_netlink_shared.h kernel_netlink_shared.c libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version + + +TESTS = tests + +check_PROGRAMS = $(TESTS) + +tests_SOURCES = \ + tests.h tests.c \ + suites/test_socket.c \ + kernel_netlink_shared.c + +tests_CFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + -DNETLINK_MSG_LOSS_HOOK=netlink_msg_loss \ + @COVERAGE_CFLAGS@ + +tests_LDFLAGS = @COVERAGE_LDFLAGS@ +tests_LDADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in index a9b523eb8..962fe1ba1 100644 --- a/src/libhydra/plugins/kernel_netlink/Makefile.in +++ b/src/libhydra/plugins/kernel_netlink/Makefile.in @@ -78,6 +78,8 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ +TESTS = tests$(EXEEXT) +check_PROGRAMS = $(am__EXEEXT_1) subdir = src/libhydra/plugins/kernel_netlink DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp @@ -144,6 +146,18 @@ libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ @MONOLITHIC_FALSE@am_libstrongswan_kernel_netlink_la_rpath = -rpath \ @MONOLITHIC_FALSE@ $(plugindir) @MONOLITHIC_TRUE@am_libstrongswan_kernel_netlink_la_rpath = +am__EXEEXT_1 = tests$(EXEEXT) +am__dirstamp = $(am__leading_dot)dirstamp +am_tests_OBJECTS = tests-tests.$(OBJEXT) \ + suites/tests-test_socket.$(OBJEXT) \ + tests-kernel_netlink_shared.$(OBJEXT) +tests_OBJECTS = $(am_tests_OBJECTS) +tests_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la +tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(tests_CFLAGS) $(CFLAGS) \ + $(tests_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -178,8 +192,9 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) -DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) +SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) $(tests_SOURCES) +DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) \ + $(tests_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -204,6 +219,28 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red=''; \ + grn=''; \ + lgn=''; \ + blu=''; \ + mgn=''; \ + brg=''; \ + std=''; \ + fi; \ +} DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ @@ -230,6 +267,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -290,10 +328,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -367,6 +407,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -444,6 +486,22 @@ libstrongswan_kernel_netlink_la_SOURCES = \ kernel_netlink_shared.h kernel_netlink_shared.c libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version +tests_SOURCES = \ + tests.h tests.c \ + suites/test_socket.c \ + kernel_netlink_shared.c + +tests_CFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + -DNETLINK_MSG_LOSS_HOOK=netlink_msg_loss \ + @COVERAGE_CFLAGS@ + +tests_LDFLAGS = @COVERAGE_LDFLAGS@ +tests_LDADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la + all: all-am .SUFFIXES: @@ -528,8 +586,30 @@ clean-pluginLTLIBRARIES: libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_netlink_la_DEPENDENCIES) $(AM_V_CCLD)$(libstrongswan_kernel_netlink_la_LINK) $(am_libstrongswan_kernel_netlink_la_rpath) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS) +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +suites/$(am__dirstamp): + @$(MKDIR_P) suites + @: > suites/$(am__dirstamp) +suites/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) suites/$(DEPDIR) + @: > suites/$(DEPDIR)/$(am__dirstamp) +suites/tests-test_socket.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) + +tests$(EXEEXT): $(tests_OBJECTS) $(tests_DEPENDENCIES) $(EXTRA_tests_DEPENDENCIES) + @rm -f tests$(EXEEXT) + $(AM_V_CCLD)$(tests_LINK) $(tests_OBJECTS) $(tests_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) + -rm -f suites/*.$(OBJEXT) distclean-compile: -rm -f *.tab.c @@ -538,6 +618,9 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_net.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_plugin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-kernel_netlink_shared.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_socket.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ @@ -563,6 +646,48 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< +tests-tests.o: tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.o -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c + +tests-tests.obj: tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.obj -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi` + +suites/tests-test_socket.o: suites/test_socket.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_socket.o -MD -MP -MF suites/$(DEPDIR)/tests-test_socket.Tpo -c -o suites/tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_socket.Tpo suites/$(DEPDIR)/tests-test_socket.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/tests-test_socket.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c + +suites/tests-test_socket.obj: suites/test_socket.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_socket.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_socket.Tpo -c -o suites/tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_socket.Tpo suites/$(DEPDIR)/tests-test_socket.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/tests-test_socket.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi` + +tests-kernel_netlink_shared.o: kernel_netlink_shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-kernel_netlink_shared.o -MD -MP -MF $(DEPDIR)/tests-kernel_netlink_shared.Tpo -c -o tests-kernel_netlink_shared.o `test -f 'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-kernel_netlink_shared.Tpo $(DEPDIR)/tests-kernel_netlink_shared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kernel_netlink_shared.c' object='tests-kernel_netlink_shared.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-kernel_netlink_shared.o `test -f 'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c + +tests-kernel_netlink_shared.obj: kernel_netlink_shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-kernel_netlink_shared.obj -MD -MP -MF $(DEPDIR)/tests-kernel_netlink_shared.Tpo -c -o tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-kernel_netlink_shared.Tpo $(DEPDIR)/tests-kernel_netlink_shared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kernel_netlink_shared.c' object='tests-kernel_netlink_shared.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi` + mostlyclean-libtool: -rm -f *.lo @@ -621,6 +746,99 @@ cscopelist-am: $(am__tagged_files) distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + $(am__tty_colors); \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + col=$$red; res=XPASS; \ + ;; \ + *) \ + col=$$grn; res=PASS; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xfail=`expr $$xfail + 1`; \ + col=$$lgn; res=XFAIL; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + col=$$red; res=FAIL; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + col=$$blu; res=SKIP; \ + fi; \ + echo "$${col}$$res$${std}: $$tst"; \ + done; \ + if test "$$all" -eq 1; then \ + tests="test"; \ + All=""; \ + else \ + tests="tests"; \ + All="All "; \ + fi; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="$$All$$all $$tests passed"; \ + else \ + if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ + banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all $$tests failed"; \ + else \ + if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ + banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + if test "$$skip" -eq 1; then \ + skipped="($$skip test was not run)"; \ + else \ + skipped="($$skip tests were not run)"; \ + fi; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + if test "$$failed" -eq 0; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + fi; \ + echo "$${col}$$dashes$${std}"; \ + echo "$${col}$$banner$${std}"; \ + test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \ + test -z "$$report" || echo "$${col}$$report$${std}"; \ + echo "$${col}$$dashes$${std}"; \ + test "$$failed" -eq 0; \ + else :; fi + distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ @@ -652,6 +870,8 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile $(LTLIBRARIES) installdirs: @@ -684,17 +904,19 @@ clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + -rm -f suites/$(DEPDIR)/$(am__dirstamp) + -rm -f suites/$(am__dirstamp) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ - clean-pluginLTLIBRARIES mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -rf ./$(DEPDIR) suites/$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -740,7 +962,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -rf ./$(DEPDIR) suites/$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -759,22 +981,23 @@ ps-am: uninstall-am: uninstall-pluginLTLIBRARIES -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ - clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-pluginLTLIBRARIES install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ - uninstall-am uninstall-pluginLTLIBRARIES +.MAKE: check-am install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ + clean-checkPROGRAMS clean-generic clean-libtool \ + clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index dfd71f3bd..03e44e510 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -38,6 +38,7 @@ #include #include #include +#include #include #include @@ -319,6 +320,16 @@ struct private_kernel_netlink_ipsec_t { * Whether to track the history of a policy */ bool policy_history; + + /** + * Whether to always use UPDATE to install policies + */ + bool policy_update; + + /** + * Installed port based IKE bypass policies, as bypass_t + */ + array_t *bypass; }; typedef struct route_entry_t route_entry_t; @@ -859,25 +870,26 @@ static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr) { struct xfrm_user_expire *expire; - u_int32_t spi, reqid; + u_int32_t spi; u_int8_t protocol; + host_t *dst; expire = NLMSG_DATA(hdr); protocol = expire->state.id.proto; spi = expire->state.id.spi; - reqid = expire->state.reqid; DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE"); - if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH) + if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH) { - DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and " - "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid); - return; + dst = xfrm2host(expire->state.family, &expire->state.id.daddr, 0); + if (dst) + { + hydra->kernel_interface->expire(hydra->kernel_interface, protocol, + spi, dst, expire->hard != 0); + dst->destroy(dst); + } } - - hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol, - spi, expire->hard != 0); } /** @@ -961,23 +973,29 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr) { struct xfrm_user_mapping *mapping; - u_int32_t spi, reqid; + u_int32_t spi; mapping = NLMSG_DATA(hdr); spi = mapping->id.spi; - reqid = mapping->reqid; DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING"); if (mapping->id.proto == IPPROTO_ESP) { - host_t *host; - host = xfrm2host(mapping->id.family, &mapping->new_saddr, - mapping->new_sport); - if (host) + host_t *dst, *new; + + dst = xfrm2host(mapping->id.family, &mapping->id.daddr, 0); + if (dst) { - hydra->kernel_interface->mapping(hydra->kernel_interface, reqid, - spi, host); + new = xfrm2host(mapping->id.family, &mapping->new_saddr, + mapping->new_sport); + if (new) + { + hydra->kernel_interface->mapping(hydra->kernel_interface, + IPPROTO_ESP, spi, dst, new); + new->destroy(new); + } + dst->destroy(dst); } } } @@ -1055,7 +1073,7 @@ METHOD(kernel_ipsec_t, get_features, kernel_feature_t, */ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max, - u_int32_t reqid, u_int32_t *spi) + u_int32_t *spi) { netlink_buf_t request; struct nlmsghdr *hdr, *out; @@ -1075,7 +1093,6 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, host2xfrm(dst, &userspi->info.id.daddr); userspi->info.id.proto = proto; userspi->info.mode = XFRM_MODE_TUNNEL; - userspi->info.reqid = reqid; userspi->info.family = src->get_family(src); userspi->min = min; userspi->max = max; @@ -1122,39 +1139,35 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t *spi) { - DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid); - if (get_spi_internal(this, src, dst, protocol, - 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS) + 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS) { - DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid); + DBG1(DBG_KNL, "unable to get SPI"); return FAILED; } - DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid); + DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi)); return SUCCESS; } METHOD(kernel_ipsec_t, get_cpi, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t reqid, u_int16_t *cpi) + u_int16_t *cpi) { u_int32_t received_spi = 0; - DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid); - if (get_spi_internal(this, src, dst, IPPROTO_COMP, - 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS) + 0x100, 0xEFFF, &received_spi) != SUCCESS) { - DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid); + DBG1(DBG_KNL, "unable to get CPI"); return FAILED; } *cpi = htons((u_int16_t)ntohl(received_spi)); - DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid); + DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi)); return SUCCESS; } @@ -1184,8 +1197,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, - traffic_selector_t* src_ts, traffic_selector_t* dst_ts) + bool initiator, bool encap, bool esn, bool inbound, bool update, + linked_list_t* src_ts, linked_list_t* dst_ts) { netlink_buf_t request; char *alg_name; @@ -1193,6 +1206,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, struct xfrm_usersa_info *sa; u_int16_t icv_size = 64; ipsec_mode_t original_mode = mode; + traffic_selector_t *first_src_ts, *first_dst_ts; status_t status = FAILED; /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0 @@ -1203,7 +1217,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, mode, ipcomp, 0, 0, initiator, FALSE, FALSE, - inbound, src_ts, dst_ts); + inbound, update, src_ts, dst_ts); ipcomp = IPCOMP_NONE; /* use transport mode ESP SA, IPComp uses tunnel mode */ mode = MODE_TRANSPORT; @@ -1216,7 +1230,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, hdr = &request.hdr; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA; + hdr->nlmsg_type = update ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA; hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); sa = NLMSG_DATA(hdr); @@ -1238,9 +1252,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t, * selector can be installed other traffic would get dropped */ break; } - if (src_ts && dst_ts) + if (src_ts->get_first(src_ts, (void**)&first_src_ts) == SUCCESS && + dst_ts->get_first(dst_ts, (void**)&first_dst_ts) == SUCCESS) { - sa->sel = ts2selector(src_ts, dst_ts); + sa->sel = ts2selector(first_src_ts, first_dst_ts); if (!this->proto_port_transport) { /* don't install proto/port on SA. This would break @@ -1535,7 +1550,8 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this, host_t *dst, mark_t mark, struct xfrm_replay_state_esn **replay_esn, u_int32_t *replay_esn_len, - struct xfrm_replay_state **replay) + struct xfrm_replay_state **replay, + struct xfrm_lifetime_cur **lifetime) { netlink_buf_t request; struct nlmsghdr *hdr, *out = NULL; @@ -1603,20 +1619,27 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this, rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id); while (RTA_OK(rta, rtasize)) { + if (rta->rta_type == XFRMA_LTIME_VAL && + RTA_PAYLOAD(rta) == sizeof(**lifetime)) + { + free(*lifetime); + *lifetime = malloc(RTA_PAYLOAD(rta)); + memcpy(*lifetime, RTA_DATA(rta), RTA_PAYLOAD(rta)); + } if (rta->rta_type == XFRMA_REPLAY_VAL && RTA_PAYLOAD(rta) == sizeof(**replay)) { + free(*replay); *replay = malloc(RTA_PAYLOAD(rta)); memcpy(*replay, RTA_DATA(rta), RTA_PAYLOAD(rta)); - break; } if (rta->rta_type == XFRMA_REPLAY_ESN_VAL && RTA_PAYLOAD(rta) >= sizeof(**replay_esn)) { + free(*replay_esn); *replay_esn = malloc(RTA_PAYLOAD(rta)); *replay_esn_len = RTA_PAYLOAD(rta); memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta)); - break; } rta = RTA_NEXT(rta, rtasize); } @@ -1798,6 +1821,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, struct xfrm_encap_tmpl* tmpl = NULL; struct xfrm_replay_state *replay = NULL; struct xfrm_replay_state_esn *replay_esn = NULL; + struct xfrm_lifetime_cur *lifetime = NULL; u_int32_t replay_esn_len; status_t status = FAILED; @@ -1863,7 +1887,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t, goto failed; } - get_replay_state(this, spi, protocol, dst, mark, &replay_esn, &replay_esn_len, &replay); + get_replay_state(this, spi, protocol, dst, mark, &replay_esn, + &replay_esn_len, &replay, &lifetime); /* delete the old SA (without affecting the IPComp SA) */ if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS) @@ -1952,8 +1977,25 @@ METHOD(kernel_ipsec_t, update_sa, status_t, } else { - DBG1(DBG_KNL, "unable to copy replay state from old SAD entry " - "with SPI %.8x", ntohl(spi)); + DBG1(DBG_KNL, "unable to copy replay state from old SAD entry with " + "SPI %.8x", ntohl(spi)); + } + if (lifetime) + { + struct xfrm_lifetime_cur *state; + + state = netlink_reserve(hdr, sizeof(request), XFRMA_LTIME_VAL, + sizeof(*state)); + if (!state) + { + goto failed; + } + memcpy(state, lifetime, sizeof(*state)); + } + else + { + DBG1(DBG_KNL, "unable to copy usage stats from old SAD entry with " + "SPI %.8x", ntohl(spi)); } if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) @@ -1966,6 +2008,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, failed: free(replay); free(replay_esn); + free(lifetime); memwipe(out, len); memwipe(&request, sizeof(request)); free(out); @@ -2313,6 +2356,11 @@ METHOD(kernel_ipsec_t, add_policy, status_t, return SUCCESS; } + if (this->policy_update) + { + found = TRUE; + } + DBG2(DBG_KNL, "%s policy %R === %R %N (mark %u/0x%08x)", found ? "updating" : "adding", src_ts, dst_ts, policy_dir_names, direction, mark.value, mark.mask); @@ -2576,9 +2624,11 @@ METHOD(kernel_ipsec_t, flush_policies, status_t, return SUCCESS; } - -METHOD(kernel_ipsec_t, bypass_socket, bool, - private_kernel_netlink_ipsec_t *this, int fd, int family) +/** + * Bypass socket using a per-socket policy + */ +static bool add_socket_bypass(private_kernel_netlink_ipsec_t *this, + int fd, int family) { struct xfrm_userpolicy_info policy; u_int sol, ipsec_policy; @@ -2618,6 +2668,154 @@ METHOD(kernel_ipsec_t, bypass_socket, bool, return TRUE; } +/** + * Port based IKE bypass policy + */ +typedef struct { + /** address family */ + int family; + /** layer 4 protocol */ + int proto; + /** port number, network order */ + u_int16_t port; +} bypass_t; + +/** + * Add or remove a bypass policy from/to kernel + */ +static bool manage_bypass(private_kernel_netlink_ipsec_t *this, + int type, policy_dir_t dir, bypass_t *bypass) +{ + netlink_buf_t request; + struct xfrm_selector *sel; + struct nlmsghdr *hdr; + + memset(&request, 0, sizeof(request)); + hdr = &request.hdr; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; + hdr->nlmsg_type = type; + + if (type == XFRM_MSG_NEWPOLICY) + { + struct xfrm_userpolicy_info *policy; + + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info)); + + policy = NLMSG_DATA(hdr); + policy->dir = dir; + policy->priority = 32; + policy->action = XFRM_POLICY_ALLOW; + policy->share = XFRM_SHARE_ANY; + + policy->lft.soft_byte_limit = XFRM_INF; + policy->lft.soft_packet_limit = XFRM_INF; + policy->lft.hard_byte_limit = XFRM_INF; + policy->lft.hard_packet_limit = XFRM_INF; + + sel = &policy->sel; + } + else /* XFRM_MSG_DELPOLICY */ + { + struct xfrm_userpolicy_id *policy; + + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id)); + + policy = NLMSG_DATA(hdr); + policy->dir = dir; + + sel = &policy->sel; + } + + sel->family = bypass->family; + sel->proto = bypass->proto; + if (dir == POLICY_IN) + { + sel->dport = bypass->port; + sel->dport_mask = 0xffff; + } + else + { + sel->sport = bypass->port; + sel->sport_mask = 0xffff; + } + return this->socket_xfrm->send_ack(this->socket_xfrm, hdr) == SUCCESS; +} + +/** + * Bypass socket using a port-based bypass policy + */ +static bool add_port_bypass(private_kernel_netlink_ipsec_t *this, + int fd, int family) +{ + union { + struct sockaddr sa; + struct sockaddr_in in; + struct sockaddr_in6 in6; + } saddr; + socklen_t len; + bypass_t bypass = { + .family = family, + }; + + len = sizeof(saddr); + if (getsockname(fd, &saddr.sa, &len) != 0) + { + return FALSE; + } +#ifdef SO_PROTOCOL /* since 2.6.32 */ + len = sizeof(bypass.proto); + if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &bypass.proto, &len) != 0) +#endif + { /* assume UDP if SO_PROTOCOL not supported */ + bypass.proto = IPPROTO_UDP; + } + switch (family) + { + case AF_INET: + bypass.port = saddr.in.sin_port; + break; + case AF_INET6: + bypass.port = saddr.in6.sin6_port; + break; + default: + return FALSE; + } + + if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_IN, &bypass)) + { + return FALSE; + } + if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_OUT, &bypass)) + { + manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, &bypass); + return FALSE; + } + array_insert(this->bypass, ARRAY_TAIL, &bypass); + + return TRUE; +} + +/** + * Remove installed port based bypass policy + */ +static void remove_port_bypass(bypass_t *bypass, int idx, + private_kernel_netlink_ipsec_t *this) +{ + manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_OUT, bypass); + manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, bypass); +} + +METHOD(kernel_ipsec_t, bypass_socket, bool, + private_kernel_netlink_ipsec_t *this, int fd, int family) +{ + if (lib->settings->get_bool(lib->settings, + "%s.plugins.kernel-netlink.port_bypass", FALSE, lib->ns)) + { + return add_port_bypass(this, fd, family); + } + return add_socket_bypass(this, fd, family); +} + METHOD(kernel_ipsec_t, enable_udp_decap, bool, private_kernel_netlink_ipsec_t *this, int fd, int family, u_int16_t port) { @@ -2637,6 +2835,8 @@ METHOD(kernel_ipsec_t, destroy, void, enumerator_t *enumerator; policy_entry_t *policy; + array_destroy_function(this->bypass, + (array_callback_t)remove_port_bypass, this); if (this->socket_xfrm_events > 0) { lib->watcher->remove(lib->watcher, this->socket_xfrm_events); @@ -2688,8 +2888,11 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() (hashtable_equals_t)policy_equals, 32), .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash, (hashtable_equals_t)ipsec_sa_equals, 32), + .bypass = array_create(sizeof(bypass_t), 0), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .policy_history = TRUE, + .policy_update = lib->settings->get_bool(lib->settings, + "%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns), .install_routes = lib->settings->get_bool(lib->settings, "%s.install_routes", TRUE, lib->ns), .proto_port_transport = lib->settings->get_bool(lib->settings, @@ -2711,7 +2914,9 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() fclose(f); } - this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names); + this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names, + lib->settings->get_bool(lib->settings, + "%s.plugins.kernel-netlink.parallel_xfrm", FALSE, lib->ns)); if (!this->socket_xfrm) { destroy(this); diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c index 9d9f15974..a431e49b7 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c @@ -1538,6 +1538,7 @@ typedef struct { u_int8_t dst_len; u_int32_t table; u_int32_t oif; + u_int32_t priority; } rt_entry_t; /** @@ -1573,6 +1574,7 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route) route->dst_len = msg->rtm_dst_len; route->table = msg->rtm_table; route->oif = 0; + route->priority = 0; } else { @@ -1601,6 +1603,12 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route) route->oif = *(u_int32_t*)RTA_DATA(rta); } break; + case RTA_PRIORITY: + if (RTA_PAYLOAD(rta) == sizeof(route->priority)) + { + route->priority = *(u_int32_t*)RTA_DATA(rta); + } + break; #ifdef HAVE_RTA_TABLE case RTA_TABLE: if (RTA_PAYLOAD(rta) == sizeof(route->table)) @@ -1724,11 +1732,16 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, } route->src_host = src; } - /* insert route, sorted by decreasing network prefix */ + /* insert route, sorted by priority and network prefix */ enumerator = routes->create_enumerator(routes); while (enumerator->enumerate(enumerator, &other)) { - if (route->dst_len > other->dst_len) + if (route->priority < other->priority) + { + break; + } + if (route->priority == other->priority && + route->dst_len > other->dst_len) { break; } @@ -1975,6 +1988,8 @@ METHOD(kernel_net_t, add_ip, status_t, if (iface) { addr_entry_t *addr; + char *ifname; + int ifi; INIT(addr, .ip = virtual_ip->clone(virtual_ip), @@ -1983,26 +1998,30 @@ METHOD(kernel_net_t, add_ip, status_t, ); iface->addrs->insert_last(iface->addrs, addr); addr_map_entry_add(this->vips, addr, iface); + ifi = iface->ifindex; + this->lock->unlock(this->lock); if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL, - iface->ifindex, virtual_ip, prefix) == SUCCESS) + ifi, virtual_ip, prefix) == SUCCESS) { + this->lock->write_lock(this->lock); while (!is_vip_installed_or_gone(this, virtual_ip, &entry)) { /* wait until address appears */ this->condvar->wait(this->condvar, this->lock); } if (entry) { /* we fail if the interface got deleted in the meantime */ - DBG2(DBG_KNL, "virtual IP %H installed on %s", virtual_ip, - entry->iface->ifname); + ifname = strdup(entry->iface->ifname); this->lock->unlock(this->lock); + DBG2(DBG_KNL, "virtual IP %H installed on %s", + virtual_ip, ifname); /* during IKEv1 reauthentication, children get moved from * old the new SA before the virtual IP is available. This * kills the route for our virtual IP, reinstall. */ - queue_route_reinstall(this, strdup(entry->iface->ifname)); + queue_route_reinstall(this, ifname); return SUCCESS; } + this->lock->unlock(this->lock); } - this->lock->unlock(this->lock); DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip); return FAILED; } @@ -2048,20 +2067,23 @@ METHOD(kernel_net_t, del_ip, status_t, if (entry->addr->refcount == 1) { status_t status; + int ifi; /* we set this flag so that threads calling add_ip will block and wait * until the entry is gone, also so we can wait below */ entry->addr->installed = FALSE; - status = manage_ipaddr(this, RTM_DELADDR, 0, entry->iface->ifindex, - virtual_ip, prefix); + ifi = entry->iface->ifindex; + this->lock->unlock(this->lock); + status = manage_ipaddr(this, RTM_DELADDR, 0, ifi, virtual_ip, prefix); if (status == SUCCESS && wait) { /* wait until the address is really gone */ + this->lock->write_lock(this->lock); while (is_known_vip(this, virtual_ip)) { this->condvar->wait(this->condvar, this->lock); } + this->lock->unlock(this->lock); } - this->lock->unlock(this->lock); return status; } else @@ -2490,7 +2512,9 @@ kernel_netlink_net_t *kernel_netlink_net_create() .destroy = _destroy, }, }, - .socket = netlink_socket_create(NETLINK_ROUTE, rt_msg_names), + .socket = netlink_socket_create(NETLINK_ROUTE, rt_msg_names, + lib->settings->get_bool(lib->settings, + "%s.plugins.kernel-netlink.parallel_route", FALSE, lib->ns)), .rt_exclude = linked_list_create(), .routes = hashtable_create((hashtable_hash_t)route_entry_hash, (hashtable_equals_t)route_entry_equals, 16), diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c index b4cece720..a9adfe091 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c @@ -1,4 +1,6 @@ /* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG * Copyright (C) 2008 Tobias Brunner * Hochschule fuer Technik Rapperswil * @@ -16,6 +18,7 @@ #include #include #include +#include #include #include @@ -23,6 +26,9 @@ #include #include +#include +#include +#include typedef struct private_netlink_socket_t private_netlink_socket_t; @@ -30,140 +36,447 @@ typedef struct private_netlink_socket_t private_netlink_socket_t; * Private variables and functions of netlink_socket_t class. */ struct private_netlink_socket_t { + /** * public part of the netlink_socket_t object. */ netlink_socket_t public; /** - * mutex to lock access to netlink socket + * mutex to lock access entries */ mutex_t *mutex; /** - * current sequence number for netlink request + * Netlink request entries currently active, uintptr_t seq => entry_t + */ + hashtable_t *entries; + + /** + * Current sequence number for Netlink requests */ - int seq; + refcount_t seq; /** * netlink socket */ int socket; + /** + * Netlink protocol + */ + int protocol; + /** * Enum names for Netlink messages */ enum_name_t *names; + + /** + * Timeout for Netlink replies, in ms + */ + u_int timeout; + + /** + * Number of times to repeat timed out queries + */ + u_int retries; + + /** + * Use parallel netlink queries + */ + bool parallel; + + /** + * Ignore errors potentially resulting from a retransmission + */ + bool ignore_retransmit_errors; }; /** - * Imported from kernel_netlink_ipsec.c + * #definable hook to simulate request message loss */ -extern enum_name_t *xfrm_msg_names; - -METHOD(netlink_socket_t, netlink_send, status_t, - private_netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out, - size_t *out_len) -{ - union { - struct nlmsghdr hdr; - u_char bytes[4096]; - } response; - struct sockaddr_nl addr; - chunk_t result = chunk_empty; - int len; +#ifdef NETLINK_MSG_LOSS_HOOK +bool NETLINK_MSG_LOSS_HOOK(struct nlmsghdr *msg); +#define msg_loss_hook(msg) NETLINK_MSG_LOSS_HOOK(msg) +#else +#define msg_loss_hook(msg) FALSE +#endif - this->mutex->lock(this->mutex); +/** + * Request entry the answer for a waiting thread is collected in + */ +typedef struct { + /** Condition variable thread is waiting */ + condvar_t *condvar; + /** Array of hdrs in a multi-message response, as struct nlmsghdr* */ + array_t *hdrs; + /** All response messages received? */ + bool complete; +} entry_t; - in->nlmsg_seq = ++this->seq; - in->nlmsg_pid = getpid(); +/** + * Clean up a thread waiting entry + */ +static void destroy_entry(entry_t *entry) +{ + entry->condvar->destroy(entry->condvar); + array_destroy_function(entry->hdrs, (void*)free, NULL); + free(entry); +} - memset(&addr, 0, sizeof(addr)); - addr.nl_family = AF_NETLINK; - addr.nl_pid = 0; - addr.nl_groups = 0; +/** + * Write a Netlink message to socket + */ +static bool write_msg(private_netlink_socket_t *this, struct nlmsghdr *msg) +{ + struct sockaddr_nl addr = { + .nl_family = AF_NETLINK, + }; + int len; - if (this->names) + if (msg_loss_hook(msg)) { - DBG3(DBG_KNL, "sending %N: %b", - this->names, in->nlmsg_type, in, in->nlmsg_len); + return TRUE; } + while (TRUE) { - len = sendto(this->socket, in, in->nlmsg_len, 0, + len = sendto(this->socket, msg, msg->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); - - if (len != in->nlmsg_len) + if (len != msg->nlmsg_len) { if (errno == EINTR) { - /* interrupted, try again */ continue; } - this->mutex->unlock(this->mutex); - DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno)); - return FAILED; + DBG1(DBG_KNL, "netlink write error: %s", strerror(errno)); + return FALSE; } - break; + return TRUE; } +} - while (TRUE) +/** + * Read a single Netlink message from socket, return 0 on error, -1 on timeout + */ +static ssize_t read_msg(private_netlink_socket_t *this, + char buf[4096], size_t buflen, bool block) +{ + ssize_t len; + + if (block) { - len = recv(this->socket, &response, sizeof(response), 0); - if (len < 0) + fd_set set; + timeval_t tv = {}; + + FD_ZERO(&set); + FD_SET(this->socket, &set); + timeval_add_ms(&tv, this->timeout); + + if (select(this->socket + 1, &set, NULL, NULL, + this->timeout ? &tv : NULL) <= 0) { - if (errno == EINTR) + return -1; + } + } + len = recv(this->socket, buf, buflen, block ? 0 : MSG_DONTWAIT); + if (len == buflen) + { + DBG1(DBG_KNL, "netlink response exceeds buffer size"); + return 0; + } + if (len < 0) + { + if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINTR) + { + DBG1(DBG_KNL, "netlink read error: %s", strerror(errno)); + } + return 0; + } + return len; +} + +/** + * Queue received response message + */ +static bool queue(private_netlink_socket_t *this, struct nlmsghdr *buf) +{ + struct nlmsghdr *hdr; + entry_t *entry; + uintptr_t seq; + + seq = (uintptr_t)buf->nlmsg_seq; + + this->mutex->lock(this->mutex); + entry = this->entries->get(this->entries, (void*)seq); + if (entry) + { + hdr = malloc(buf->nlmsg_len); + memcpy(hdr, buf, buf->nlmsg_len); + array_insert(entry->hdrs, ARRAY_TAIL, hdr); + if (hdr->nlmsg_type == NLMSG_DONE || !(hdr->nlmsg_flags & NLM_F_MULTI)) + { + entry->complete = TRUE; + entry->condvar->signal(entry->condvar); + } + } + else + { + DBG1(DBG_KNL, "received unknown netlink seq %u, ignored", seq); + } + this->mutex->unlock(this->mutex); + + return entry != NULL; +} + +/** + * Read and queue response message, optionally blocking, returns TRUE on timeout + */ +static bool read_and_queue(private_netlink_socket_t *this, bool block) +{ + struct nlmsghdr *hdr; + union { + struct nlmsghdr hdr; + char bytes[4096]; + } buf; + ssize_t len; + + len = read_msg(this, buf.bytes, sizeof(buf.bytes), block); + if (len == -1) + { + return TRUE; + } + if (len) + { + hdr = &buf.hdr; + while (NLMSG_OK(hdr, len)) + { + if (!queue(this, hdr)) { - DBG1(DBG_KNL, "got interrupted"); - /* interrupted, try again */ - continue; + break; } - DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno)); - this->mutex->unlock(this->mutex); - free(result.ptr); - return FAILED; + hdr = NLMSG_NEXT(hdr, len); } - if (!NLMSG_OK(&response.hdr, len)) + } + return FALSE; +} + +CALLBACK(watch, bool, + private_netlink_socket_t *this, int fd, watcher_event_t event) +{ + if (event == WATCHER_READ) + { + read_and_queue(this, FALSE); + } + return TRUE; +} + +/** + * Send a netlink request, try once + */ +static status_t send_once(private_netlink_socket_t *this, struct nlmsghdr *in, + uintptr_t seq, struct nlmsghdr **out, size_t *out_len) +{ + struct nlmsghdr *hdr; + chunk_t result = {}; + entry_t *entry; + + in->nlmsg_seq = seq; + in->nlmsg_pid = getpid(); + + if (this->names) + { + DBG3(DBG_KNL, "sending %N %u: %b", this->names, in->nlmsg_type, + (u_int)seq, in, in->nlmsg_len); + } + + this->mutex->lock(this->mutex); + if (!write_msg(this, in)) + { + this->mutex->unlock(this->mutex); + return FAILED; + } + + INIT(entry, + .condvar = condvar_create(CONDVAR_TYPE_DEFAULT), + .hdrs = array_create(0, 0), + ); + this->entries->put(this->entries, (void*)seq, entry); + + while (!entry->complete) + { + if (this->parallel && + lib->watcher->get_state(lib->watcher) == WATCHER_RUNNING) { - DBG1(DBG_KNL, "received corrupted netlink message"); - this->mutex->unlock(this->mutex); - free(result.ptr); - return FAILED; + if (this->timeout) + { + if (entry->condvar->timed_wait(entry->condvar, this->mutex, + this->timeout)) + { + break; + } + } + else + { + entry->condvar->wait(entry->condvar, this->mutex); + } } - if (response.hdr.nlmsg_seq != this->seq) - { - DBG1(DBG_KNL, "received invalid netlink sequence number"); - if (response.hdr.nlmsg_seq < this->seq) + else + { /* During (de-)initialization, no watcher thread is active. + * collect responses ourselves. */ + if (read_and_queue(this, TRUE)) { - continue; + break; } - this->mutex->unlock(this->mutex); - free(result.ptr); - return FAILED; } + } + this->entries->remove(this->entries, (void*)seq); - result = chunk_cat("mc", result, chunk_create(response.bytes, len)); + this->mutex->unlock(this->mutex); - /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence - * numbers to detect multi header messages */ - len = recv(this->socket, &response.hdr, sizeof(response.hdr), - MSG_PEEK | MSG_DONTWAIT); - if (len == sizeof(response.hdr) && response.hdr.nlmsg_seq == this->seq) + if (!entry->complete) + { /* timeout */ + destroy_entry(entry); + return OUT_OF_RES; + } + + while (array_remove(entry->hdrs, ARRAY_HEAD, &hdr)) + { + if (this->names) { - /* seems to be multipart */ - continue; + DBG3(DBG_KNL, "received %N %u: %b", this->names, hdr->nlmsg_type, + hdr->nlmsg_seq, hdr, hdr->nlmsg_len); } - break; + result = chunk_cat("mm", result, + chunk_create((char*)hdr, hdr->nlmsg_len)); } + destroy_entry(entry); *out_len = result.len; *out = (struct nlmsghdr*)result.ptr; - this->mutex->unlock(this->mutex); - return SUCCESS; } +/** + * Ignore errors for message types that might have completed previously + */ +static void ignore_retransmit_error(private_netlink_socket_t *this, + struct nlmsgerr *err, int type) +{ + switch (err->error) + { + case -EEXIST: + switch (this->protocol) + { + case NETLINK_XFRM: + switch (type) + { + case XFRM_MSG_NEWPOLICY: + case XFRM_MSG_NEWSA: + err->error = 0; + break; + } + break; + case NETLINK_ROUTE: + switch (type) + { + case RTM_NEWADDR: + case RTM_NEWLINK: + case RTM_NEWNEIGH: + case RTM_NEWROUTE: + case RTM_NEWRULE: + err->error = 0; + break; + } + break; + } + break; + case -ENOENT: + switch (this->protocol) + { + case NETLINK_XFRM: + switch (type) + { + case XFRM_MSG_DELPOLICY: + case XFRM_MSG_DELSA: + err->error = 0; + break; + } + break; + case NETLINK_ROUTE: + switch (type) + { + case RTM_DELADDR: + case RTM_DELLINK: + case RTM_DELNEIGH: + case RTM_DELROUTE: + case RTM_DELRULE: + err->error = 0; + break; + } + break; + } + break; + } +} + +METHOD(netlink_socket_t, netlink_send, status_t, + private_netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out, + size_t *out_len) +{ + uintptr_t seq; + u_int try; + + seq = ref_get(&this->seq); + + for (try = 0; try <= this->retries; ++try) + { + struct nlmsghdr *hdr; + status_t status; + size_t len; + + if (try > 0) + { + DBG1(DBG_KNL, "retransmitting Netlink request (%u/%u)", + try, this->retries); + } + status = send_once(this, in, seq, &hdr, &len); + switch (status) + { + case SUCCESS: + break; + case OUT_OF_RES: + continue; + default: + return status; + } + if (hdr->nlmsg_type == NLMSG_ERROR) + { + struct nlmsgerr* err; + + err = NLMSG_DATA(hdr); + if (err->error == -EBUSY) + { + free(hdr); + try--; + continue; + } + if (this->ignore_retransmit_errors && try > 0) + { + ignore_retransmit_error(this, err, in->nlmsg_type); + } + } + *out = hdr; + *out_len = len; + return SUCCESS; + } + DBG1(DBG_KNL, "Netlink request timed out after %u retransmits", + this->retries); + return OUT_OF_RES; +} + METHOD(netlink_socket_t, netlink_send_ack, status_t, private_netlink_socket_t *this, struct nlmsghdr *in) { @@ -221,8 +534,13 @@ METHOD(netlink_socket_t, destroy, void, { if (this->socket != -1) { + if (this->parallel) + { + lib->watcher->remove(lib->watcher, this->socket); + } close(this->socket); } + this->entries->destroy(this->entries); this->mutex->destroy(this->mutex); free(this); } @@ -230,7 +548,8 @@ METHOD(netlink_socket_t, destroy, void, /** * Described in header. */ -netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names) +netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names, + bool parallel) { private_netlink_socket_t *this; struct sockaddr_nl addr = { @@ -244,9 +563,19 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names) .destroy = _destroy, }, .seq = 200, - .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), .socket = socket(AF_NETLINK, SOCK_RAW, protocol), + .entries = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 4), + .protocol = protocol, .names = names, + .timeout = lib->settings->get_int(lib->settings, + "%s.plugins.kernel-netlink.timeout", 0, lib->ns), + .retries = lib->settings->get_int(lib->settings, + "%s.plugins.kernel-netlink.retries", 0, lib->ns), + .ignore_retransmit_errors = lib->settings->get_bool(lib->settings, + "%s.plugins.kernel-netlink.ignore_retransmit_errors", + FALSE, lib->ns), + .parallel = parallel, ); if (this->socket == -1) @@ -261,6 +590,10 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names) destroy(this); return NULL; } + if (this->parallel) + { + lib->watcher->add(lib->watcher, this->socket, WATCHER_READ, watch, this); + } return &this->public; } diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h index 069f746d1..66682907d 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h @@ -66,8 +66,10 @@ struct netlink_socket_t { * * @param protocol protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE) * @param names optional enum names for Netlink messages + * @param parallel support parallel queries on this Netlink socket */ -netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names); +netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names, + bool parallel); /** * Creates an rtattr and adds it to the given netlink message. diff --git a/src/libhydra/plugins/kernel_netlink/suites/test_socket.c b/src/libhydra/plugins/kernel_netlink/suites/test_socket.c new file mode 100644 index 000000000..3e8facd0a --- /dev/null +++ b/src/libhydra/plugins/kernel_netlink/suites/test_socket.c @@ -0,0 +1,302 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include + +#include "../kernel_netlink_shared.h" + +/** + * Netlink message drop configuration + */ +static int drop_interval = 0; + +/** + * Netlink message drop hook + */ +bool netlink_msg_loss(struct nlmsghdr *hdr) +{ + static refcount_t i; + + if (drop_interval) + { + return ref_get(&i) % drop_interval == drop_interval - 1; + } + return FALSE; +} + +START_TEST(test_echo) +{ + netlink_socket_t *s; + struct nlmsghdr *out; + struct rtmsg *msg; + char dst[] = { + 127,0,0,1 + }; + size_t len; + netlink_buf_t request = { + .hdr = { + .nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)), + .nlmsg_flags = NLM_F_REQUEST, + .nlmsg_type = RTM_GETROUTE, + }, + }; + + msg = NLMSG_DATA(&request.hdr); + msg->rtm_family = AF_INET; + netlink_add_attribute(&request.hdr, RTA_DST, + chunk_from_thing(dst), sizeof(request)); + + s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0); + + ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS); + ck_assert_int_eq(out->nlmsg_type, RTM_NEWROUTE); + free(out); + s->destroy(s); +} +END_TEST + +START_TEST(test_echo_dump) +{ + netlink_socket_t *s; + struct nlmsghdr *out, *current; + struct rtgenmsg *msg; + size_t len; + netlink_buf_t request = { + .hdr = { + .nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)), + .nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT, + .nlmsg_type = RTM_GETLINK, + }, + }; + + s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0); + msg = NLMSG_DATA(&request.hdr); + msg->rtgen_family = AF_UNSPEC; + + ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS); + current = out; + while (TRUE) + { + ck_assert(NLMSG_OK(current, len)); + if (current->nlmsg_type == NLMSG_DONE) + { + break; + } + ck_assert_int_eq(current->nlmsg_type, RTM_NEWLINK); + current = NLMSG_NEXT(current, len); + } + free(out); + s->destroy(s); +} +END_TEST + +CALLBACK(stress, void*, + netlink_socket_t *s) +{ + struct nlmsghdr *out; + struct rtmsg *msg; + char dst[] = { + 127,0,0,1 + }; + size_t len; + int i; + netlink_buf_t request = { + .hdr = { + .nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)), + .nlmsg_flags = NLM_F_REQUEST, + .nlmsg_type = RTM_GETROUTE, + }, + }; + + for (i = 0; i < 10; i++) + { + msg = NLMSG_DATA(&request.hdr); + msg->rtm_family = AF_INET; + netlink_add_attribute(&request.hdr, RTA_DST, + chunk_from_thing(dst), sizeof(request)); + + ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS); + ck_assert_int_eq(out->nlmsg_type, RTM_NEWROUTE); + free(out); + } + return NULL; +} + +CALLBACK(stress_dump, void*, + netlink_socket_t *s) +{ + struct nlmsghdr *out, *current; + struct rtgenmsg *msg; + size_t len; + int i; + netlink_buf_t request = { + .hdr = { + .nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)), + .nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT, + .nlmsg_type = RTM_GETLINK, + }, + }; + + msg = NLMSG_DATA(&request.hdr); + msg->rtgen_family = AF_UNSPEC; + + for (i = 0; i < 10; i++) + { + ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS); + current = out; + while (TRUE) + { + ck_assert(NLMSG_OK(current, len)); + if (current->nlmsg_type == NLMSG_DONE) + { + break; + } + ck_assert_int_eq(current->nlmsg_type, RTM_NEWLINK); + current = NLMSG_NEXT(current, len); + } + free(out); + } + return NULL; +} + +START_TEST(test_stress) +{ + thread_t *threads[10]; + netlink_socket_t *s; + int i; + + s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0); + for (i = 0; i < countof(threads); i++) + { + threads[i] = thread_create(stress, s); + } + for (i = 0; i < countof(threads); i++) + { + threads[i]->join(threads[i]); + } + s->destroy(s); +} +END_TEST + +START_TEST(test_stress_dump) +{ + thread_t *threads[10]; + netlink_socket_t *s; + int i; + + s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0); + for (i = 0; i < countof(threads); i++) + { + threads[i] = thread_create(stress_dump, s); + } + for (i = 0; i < countof(threads); i++) + { + threads[i]->join(threads[i]); + } + s->destroy(s); +} +END_TEST + +START_TEST(test_retransmit_success) +{ + netlink_socket_t *s; + struct nlmsghdr *out; + struct rtgenmsg *msg; + size_t len; + netlink_buf_t request = { + .hdr = { + .nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)), + .nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT, + .nlmsg_type = RTM_GETLINK, + }, + }; + + drop_interval = 2; + + lib->settings->set_int(lib->settings, + "%s.plugins.kernel-netlink.timeout", 100, lib->ns); + lib->settings->set_int(lib->settings, + "%s.plugins.kernel-netlink.retries", 1, lib->ns); + + s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0); + msg = NLMSG_DATA(&request.hdr); + msg->rtgen_family = AF_UNSPEC; + + ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS); + free(out); + s->destroy(s); + + drop_interval = 0; +} +END_TEST + +START_TEST(test_retransmit_fail) +{ + netlink_socket_t *s; + struct nlmsghdr *out; + struct rtgenmsg *msg; + size_t len; + netlink_buf_t request = { + .hdr = { + .nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)), + .nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT, + .nlmsg_type = RTM_GETLINK, + }, + }; + + drop_interval = 1; + + lib->settings->set_int(lib->settings, + "%s.plugins.kernel-netlink.timeout", 50, lib->ns); + lib->settings->set_int(lib->settings, + "%s.plugins.kernel-netlink.retries", 3, lib->ns); + + s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0); + msg = NLMSG_DATA(&request.hdr); + msg->rtgen_family = AF_UNSPEC; + + ck_assert(s->send(s, &request.hdr, &out, &len) == OUT_OF_RES); + s->destroy(s); + + drop_interval = 0; +} +END_TEST + +Suite *socket_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("netlink socket"); + + tc = tcase_create("echo"); + tcase_add_loop_test(tc, test_echo, 0, 2); + tcase_add_loop_test(tc, test_echo_dump, 0, 2); + suite_add_tcase(s, tc); + + tc = tcase_create("stress"); + tcase_add_loop_test(tc, test_stress, 0, 2); + tcase_add_loop_test(tc, test_stress_dump, 0, 2); + suite_add_tcase(s, tc); + + tc = tcase_create("retransmit"); + tcase_add_loop_test(tc, test_retransmit_success, 0, 2); + tcase_add_loop_test(tc, test_retransmit_fail, 0, 2); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libhydra/plugins/kernel_netlink/tests.c b/src/libhydra/plugins/kernel_netlink/tests.c new file mode 100644 index 000000000..136b34d29 --- /dev/null +++ b/src/libhydra/plugins/kernel_netlink/tests.c @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include + +/* declare test suite constructors */ +#define TEST_SUITE(x) test_suite_t* x(); +#include "tests.h" +#undef TEST_SUITE + +static test_configuration_t tests[] = { +#define TEST_SUITE(x) \ + { .suite = x, }, +#include "tests.h" + { .suite = NULL, } +}; + +static bool test_runner_init(bool init) +{ + if (init) + { + dbg_default_set_level(0); + lib->processor->set_threads(lib->processor, 8); + dbg_default_set_level(1); + } + else + { + lib->processor->set_threads(lib->processor, 0); + lib->processor->cancel(lib->processor); + } + return TRUE; +} + +int main(int argc, char *argv[]) +{ + return test_runner_run("kernel-netlink", tests, test_runner_init); +} diff --git a/src/libhydra/plugins/kernel_netlink/tests.h b/src/libhydra/plugins/kernel_netlink/tests.h new file mode 100644 index 000000000..2b6715a78 --- /dev/null +++ b/src/libhydra/plugins/kernel_netlink/tests.h @@ -0,0 +1,16 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +TEST_SUITE(socket_suite_create) diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in index 821ad7710..177d2f23f 100644 --- a/src/libhydra/plugins/kernel_pfkey/Makefile.in +++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 00ab5ab5a..3b32ba553 100644 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1296,7 +1296,8 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, { pfkey_msg_t response; u_int8_t protocol; - u_int32_t spi, reqid; + u_int32_t spi; + host_t *dst; bool hard; DBG2(DBG_KNL, "received an SADB_EXPIRE"); @@ -1309,18 +1310,18 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, protocol = satype2proto(msg->sadb_msg_satype); spi = response.sa->sadb_sa_spi; - reqid = response.x_sa2->sadb_x_sa2_reqid; hard = response.lft_hard != NULL; - if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH) + if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH) { - DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and " - "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid); - return; + dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1)); + if (dst) + { + hydra->kernel_interface->expire(hydra->kernel_interface, protocol, + spi, dst, hard); + dst->destroy(dst); + } } - - hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol, - spi, hard); } #ifdef SADB_X_MIGRATE @@ -1387,9 +1388,9 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg) { pfkey_msg_t response; - u_int32_t spi, reqid; + u_int32_t spi; sockaddr_t *sa; - host_t *host; + host_t *dst, *new; DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING"); @@ -1407,7 +1408,6 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, } spi = response.sa->sadb_sa_spi; - reqid = response.x_sa2->sadb_x_sa2_reqid; if (satype2proto(msg->sadb_msg_satype) != IPPROTO_ESP) { @@ -1415,6 +1415,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, } sa = (sockaddr_t*)(response.dst + 1); + dst = host_create_from_sockaddr(sa); switch (sa->sa_family) { case AF_INET: @@ -1432,12 +1433,16 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, default: break; } - - host = host_create_from_sockaddr(sa); - if (host) + if (dst) { - hydra->kernel_interface->mapping(hydra->kernel_interface, reqid, - spi, host); + new = host_create_from_sockaddr(sa); + if (new) + { + hydra->kernel_interface->mapping(hydra->kernel_interface, + IPPROTO_ESP, spi, dst, new); + new->destroy(new); + } + dst->destroy(dst); } } #endif /*SADB_X_NAT_T_NEW_MAPPING*/ @@ -1518,11 +1523,10 @@ static bool receive_events(private_kernel_pfkey_ipsec_t *this, int fd, static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max, - u_int32_t reqid, u_int32_t *spi) + u_int32_t *spi) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; - struct sadb_x_sa2 *sa2; struct sadb_spirange *range; pfkey_msg_t response; u_int32_t received_spi = 0; @@ -1536,12 +1540,6 @@ static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this, msg->sadb_msg_satype = proto2satype(proto); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg); - sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2; - sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange)); - sa2->sadb_x_sa2_reqid = reqid; - PFKEY_EXT_ADD(msg, sa2); - add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE); add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE); @@ -1577,39 +1575,37 @@ static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this, METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) + u_int8_t protocol, u_int32_t *spi) { - DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid); - if (get_spi_internal(this, src, dst, protocol, - 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS) + 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS) { - DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid); + DBG1(DBG_KNL, "unable to get SPI"); return FAILED; } - DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid); + DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi)); return SUCCESS; } METHOD(kernel_ipsec_t, get_cpi, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t reqid, u_int16_t *cpi) + u_int16_t *cpi) { u_int32_t received_spi = 0; - DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid); + DBG2(DBG_KNL, "getting CPI"); if (get_spi_internal(this, src, dst, IPPROTO_COMP, - 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS) + 0x100, 0xEFFF, &received_spi) != SUCCESS) { - DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid); + DBG1(DBG_KNL, "unable to get CPI"); return FAILED; } *cpi = htons((u_int16_t)ntohl(received_spi)); - DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid); + DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi)); return SUCCESS; } @@ -1619,8 +1615,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts) + bool initiator, bool encap, bool esn, bool inbound, bool update, + linked_list_t *src_ts, linked_list_t *dst_ts) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1638,12 +1634,29 @@ METHOD(kernel_ipsec_t, add_sa, status_t, add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, mode, ipcomp, 0, 0, FALSE, FALSE, FALSE, inbound, - NULL, NULL); + update, NULL, NULL); ipcomp = IPCOMP_NONE; /* use transport mode ESP SA, IPComp uses tunnel mode */ mode = MODE_TRANSPORT; } + if (update) + { + /* As we didn't know the reqid during SPI allocation, we used reqid + * zero. Unfortunately we can't SADB_UPDATE to the new reqid, hence we + * have to delete the SPI allocation state manually. The reqid + * selector does not count for that, therefore we have to delete + * that state before installing the new SA to avoid deleting the + * the new state after installing it. */ + mark_t zeromark = {0, 0}; + + if (this->public.interface.del_sa(&this->public.interface, + src, dst, spi, protocol, 0, zeromark) != SUCCESS) + { + DBG1(DBG_KNL, "deleting SPI allocation SA failed"); + } + } + memset(&request, 0, sizeof(request)); DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", @@ -1651,7 +1664,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, msg = (struct sadb_msg*)request; msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD; + msg->sadb_msg_type = SADB_ADD; msg->sadb_msg_satype = proto2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); @@ -1680,7 +1693,13 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } else { + /* Linux interprets sadb_sa_replay as number of packets/bits in the + * replay window, whereas on BSD it's the size of the window in bytes */ +#ifdef __linux__ sa->sadb_sa_replay = min(replay_window, 32); +#else + sa->sadb_sa_replay = (replay_window + 7) / 8; +#endif sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, int_alg); sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg); } @@ -2969,6 +2988,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() { private_kernel_pfkey_ipsec_t *this; bool register_for_events = TRUE; + int rcv_buffer; INIT(this, .public = { @@ -3025,6 +3045,18 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() return NULL; } + rcv_buffer = lib->settings->get_int(lib->settings, + "%s.plugins.kernel-pfkey.events_buffer_size", 0, lib->ns); + if (rcv_buffer > 0) + { + if (setsockopt(this->socket_events, SOL_SOCKET, SO_RCVBUF, + &rcv_buffer, sizeof(rcv_buffer)) == -1) + { + DBG1(DBG_KNL, "unable to set receive buffer size on PF_KEY " + "event socket: %s", strerror(errno)); + } + } + /* register the event socket */ if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS || register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS) diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in index 662f2fd7d..9f676d21d 100644 --- a/src/libhydra/plugins/kernel_pfroute/Makefile.in +++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c index 26fae0d6b..0f7802270 100644 --- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c +++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c @@ -830,6 +830,15 @@ static void process_link(private_kernel_pfroute_net_t *this, DBG1(DBG_KNL, "interface %s deactivated", iface->ifname); } } +#ifdef __APPLE__ + /* There seems to be a race condition on 10.10, where we get + * the RTM_IFINFO, but getifaddrs() does not return the virtual + * IP installed on a tun device, but we also don't get a + * RTM_NEWADDR. We therefore could miss the new address, letting + * virtual IP installation fail. Delaying getifaddrs() helps, + * but is obviously not a clean fix. */ + usleep(50000); +#endif iface->flags = msg->ifm_flags; repopulate_iface(this, iface); found = TRUE; diff --git a/src/libhydra/plugins/resolve/Makefile.am b/src/libhydra/plugins/resolve/Makefile.am deleted file mode 100644 index 33c3e70fc..000000000 --- a/src/libhydra/plugins/resolve/Makefile.am +++ /dev/null @@ -1,19 +0,0 @@ -AM_CPPFLAGS = \ - -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra \ - -DRESOLV_CONF=\"${resolv_conf}\" - -AM_CFLAGS = \ - $(PLUGIN_CFLAGS) - -if MONOLITHIC -noinst_LTLIBRARIES = libstrongswan-resolve.la -else -plugin_LTLIBRARIES = libstrongswan-resolve.la -endif - -libstrongswan_resolve_la_SOURCES = \ - resolve_plugin.h resolve_plugin.c \ - resolve_handler.h resolve_handler.c - -libstrongswan_resolve_la_LDFLAGS = -module -avoid-version diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in deleted file mode 100644 index 5b4c7bc6a..000000000 --- a/src/libhydra/plugins/resolve/Makefile.in +++ /dev/null @@ -1,775 +0,0 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994-2013 Free Software Foundation, Inc. - -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' -am__make_running_with_option = \ - case $${target_option-} in \ - ?) ;; \ - *) echo "am__make_running_with_option: internal error: invalid" \ - "target option '$${target_option-}' specified" >&2; \ - exit 1;; \ - esac; \ - has_opt=no; \ - sane_makeflags=$$MAKEFLAGS; \ - if $(am__is_gnu_make); then \ - sane_makeflags=$$MFLAGS; \ - else \ - case $$MAKEFLAGS in \ - *\\[\ \ ]*) \ - bs=\\; \ - sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ - | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ - esac; \ - fi; \ - skip_next=no; \ - strip_trailopt () \ - { \ - flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ - }; \ - for flg in $$sane_makeflags; do \ - test $$skip_next = yes && { skip_next=no; continue; }; \ - case $$flg in \ - *=*|--*) continue;; \ - -*I) strip_trailopt 'I'; skip_next=yes;; \ - -*I?*) strip_trailopt 'I';; \ - -*O) strip_trailopt 'O'; skip_next=yes;; \ - -*O?*) strip_trailopt 'O';; \ - -*l) strip_trailopt 'l'; skip_next=yes;; \ - -*l?*) strip_trailopt 'l';; \ - -[dEDm]) skip_next=yes;; \ - -[JT]) skip_next=yes;; \ - esac; \ - case $$flg in \ - *$$target_option*) has_opt=yes; break;; \ - esac; \ - done; \ - test $$has_opt = yes -am__make_dryrun = (target_option=n; $(am__make_running_with_option)) -am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) -pkgdatadir = $(datadir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkglibexecdir = $(libexecdir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -subdir = src/libhydra/plugins/resolve -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ - $(top_srcdir)/m4/config/ltoptions.m4 \ - $(top_srcdir)/m4/config/ltsugar.m4 \ - $(top_srcdir)/m4/config/ltversion.m4 \ - $(top_srcdir)/m4/config/lt~obsolete.m4 \ - $(top_srcdir)/m4/macros/split-package-version.m4 \ - $(top_srcdir)/m4/macros/with.m4 \ - $(top_srcdir)/m4/macros/enable-disable.m4 \ - $(top_srcdir)/m4/macros/add-plugin.m4 \ - $(top_srcdir)/configure.ac -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(install_sh) -d -CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = -CONFIG_CLEAN_VPATH_FILES = -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -am__uninstall_files_from_dir = { \ - test -z "$$files" \ - || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ - || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ - $(am__cd) "$$dir" && rm -f $$files; }; \ - } -am__installdirs = "$(DESTDIR)$(plugindir)" -LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_resolve_la_LIBADD = -am_libstrongswan_resolve_la_OBJECTS = resolve_plugin.lo \ - resolve_handler.lo -libstrongswan_resolve_la_OBJECTS = \ - $(am_libstrongswan_resolve_la_OBJECTS) -AM_V_lt = $(am__v_lt_@AM_V@) -am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) -am__v_lt_0 = --silent -am__v_lt_1 = -libstrongswan_resolve_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ - $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ - $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_resolve_la_LDFLAGS) \ - $(LDFLAGS) -o $@ -@MONOLITHIC_FALSE@am_libstrongswan_resolve_la_rpath = -rpath \ -@MONOLITHIC_FALSE@ $(plugindir) -@MONOLITHIC_TRUE@am_libstrongswan_resolve_la_rpath = -AM_V_P = $(am__v_P_@AM_V@) -am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) -am__v_P_0 = false -am__v_P_1 = : -AM_V_GEN = $(am__v_GEN_@AM_V@) -am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) -am__v_GEN_0 = @echo " GEN " $@; -am__v_GEN_1 = -AM_V_at = $(am__v_at_@AM_V@) -am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) -am__v_at_0 = @ -am__v_at_1 = -DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -depcomp = $(SHELL) $(top_srcdir)/depcomp -am__depfiles_maybe = depfiles -am__mv = mv -f -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -AM_V_CC = $(am__v_CC_@AM_V@) -am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) -am__v_CC_0 = @echo " CC " $@; -am__v_CC_1 = -CCLD = $(CC) -LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -AM_V_CCLD = $(am__v_CCLD_@AM_V@) -am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) -am__v_CCLD_0 = @echo " CCLD " $@; -am__v_CCLD_1 = -SOURCES = $(libstrongswan_resolve_la_SOURCES) -DIST_SOURCES = $(libstrongswan_resolve_la_SOURCES) -am__can_run_installinfo = \ - case $$AM_UPDATE_INFO_DIR in \ - n|no|NO) false;; \ - *) (install-info --version) >/dev/null 2>&1;; \ - esac -am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -# Read a list of newline-separated strings from the standard input, -# and print each of them once, without duplicates. Input order is -# *not* preserved. -am__uniquify_input = $(AWK) '\ - BEGIN { nonempty = 0; } \ - { items[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in items) print i; }; } \ -' -# Make sure the list of sources is unique. This is necessary because, -# e.g., the same source file might be shared among _SOURCES variables -# for different programs/libraries. -am__define_uniq_tagged_files = \ - list='$(am__tagged_files)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -ALLOCA = @ALLOCA@ -AMTAR = @AMTAR@ -AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -BFDLIB = @BFDLIB@ -BTLIB = @BTLIB@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ -COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -DLLIB = @DLLIB@ -DLLTOOL = @DLLTOOL@ -DSYMUTIL = @DSYMUTIL@ -DUMPBIN = @DUMPBIN@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -FGREP = @FGREP@ -GEM = @GEM@ -GENHTML = @GENHTML@ -GPERF = @GPERF@ -GPRBUILD = @GPRBUILD@ -GREP = @GREP@ -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LCOV = @LCOV@ -LD = @LD@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIPO = @LIPO@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAKEINFO = @MAKEINFO@ -MANIFEST_TOOL = @MANIFEST_TOOL@ -MKDIR_P = @MKDIR_P@ -MYSQLCFLAG = @MYSQLCFLAG@ -MYSQLCONFIG = @MYSQLCONFIG@ -MYSQLLIB = @MYSQLLIB@ -NM = @NM@ -NMEDIT = @NMEDIT@ -OBJDUMP = @OBJDUMP@ -OBJEXT = @OBJEXT@ -OPENSSL_LIB = @OPENSSL_LIB@ -OTOOL = @OTOOL@ -OTOOL64 = @OTOOL64@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ -PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ -PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ -PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -PERL = @PERL@ -PKG_CONFIG = @PKG_CONFIG@ -PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ -PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ -PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ -PTHREADLIB = @PTHREADLIB@ -PYTHON = @PYTHON@ -PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ -PYTHON_PLATFORM = @PYTHON_PLATFORM@ -PYTHON_PREFIX = @PYTHON_PREFIX@ -PYTHON_VERSION = @PYTHON_VERSION@ -RANLIB = @RANLIB@ -RTLIB = @RTLIB@ -RUBY = @RUBY@ -RUBYGEMDIR = @RUBYGEMDIR@ -RUBYINCLUDE = @RUBYINCLUDE@ -RUBYLIB = @RUBYLIB@ -SED = @SED@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -SOCKLIB = @SOCKLIB@ -STRIP = @STRIP@ -UNWINDLIB = @UNWINDLIB@ -VERSION = @VERSION@ -YACC = @YACC@ -YFLAGS = @YFLAGS@ -abs_builddir = @abs_builddir@ -abs_srcdir = @abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -aikgen_plugins = @aikgen_plugins@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -attest_plugins = @attest_plugins@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -builddir = @builddir@ -c_plugins = @c_plugins@ -charon_natt_port = @charon_natt_port@ -charon_plugins = @charon_plugins@ -charon_udp_port = @charon_udp_port@ -clearsilver_LIBS = @clearsilver_LIBS@ -cmd_plugins = @cmd_plugins@ -datadir = @datadir@ -datarootdir = @datarootdir@ -dbusservicedir = @dbusservicedir@ -dev_headers = @dev_headers@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -fips_mode = @fips_mode@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ -h_plugins = @h_plugins@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -imcvdir = @imcvdir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -ipsec_script = @ipsec_script@ -ipsec_script_upper = @ipsec_script_upper@ -ipsecdir = @ipsecdir@ -ipsecgroup = @ipsecgroup@ -ipseclibdir = @ipseclibdir@ -ipsecuser = @ipsecuser@ -json_CFLAGS = @json_CFLAGS@ -json_LIBS = @json_LIBS@ -libdir = @libdir@ -libexecdir = @libexecdir@ -linux_headers = @linux_headers@ -localedir = @localedir@ -localstatedir = @localstatedir@ -maemo_CFLAGS = @maemo_CFLAGS@ -maemo_LIBS = @maemo_LIBS@ -manager_plugins = @manager_plugins@ -mandir = @mandir@ -medsrv_plugins = @medsrv_plugins@ -mkdir_p = @mkdir_p@ -nm_CFLAGS = @nm_CFLAGS@ -nm_LIBS = @nm_LIBS@ -nm_ca_dir = @nm_ca_dir@ -nm_plugins = @nm_plugins@ -oldincludedir = @oldincludedir@ -pcsclite_CFLAGS = @pcsclite_CFLAGS@ -pcsclite_LIBS = @pcsclite_LIBS@ -pdfdir = @pdfdir@ -piddir = @piddir@ -pkgpyexecdir = @pkgpyexecdir@ -pkgpythondir = @pkgpythondir@ -pki_plugins = @pki_plugins@ -plugindir = @plugindir@ -pool_plugins = @pool_plugins@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -pyexecdir = @pyexecdir@ -pythondir = @pythondir@ -random_device = @random_device@ -resolv_conf = @resolv_conf@ -routing_table = @routing_table@ -routing_table_prio = @routing_table_prio@ -s_plugins = @s_plugins@ -sbindir = @sbindir@ -scepclient_plugins = @scepclient_plugins@ -scripts_plugins = @scripts_plugins@ -sharedstatedir = @sharedstatedir@ -soup_CFLAGS = @soup_CFLAGS@ -soup_LIBS = @soup_LIBS@ -srcdir = @srcdir@ -starter_plugins = @starter_plugins@ -strongswan_conf = @strongswan_conf@ -strongswan_options = @strongswan_options@ -swanctldir = @swanctldir@ -sysconfdir = @sysconfdir@ -systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ -systemd_daemon_LIBS = @systemd_daemon_LIBS@ -systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ -systemd_journal_LIBS = @systemd_journal_LIBS@ -systemdsystemunitdir = @systemdsystemunitdir@ -t_plugins = @t_plugins@ -target_alias = @target_alias@ -top_build_prefix = @top_build_prefix@ -top_builddir = @top_builddir@ -top_srcdir = @top_srcdir@ -urandom_device = @urandom_device@ -xml_CFLAGS = @xml_CFLAGS@ -xml_LIBS = @xml_LIBS@ -AM_CPPFLAGS = \ - -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra \ - -DRESOLV_CONF=\"${resolv_conf}\" - -AM_CFLAGS = \ - $(PLUGIN_CFLAGS) - -@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-resolve.la -@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-resolve.la -libstrongswan_resolve_la_SOURCES = \ - resolve_plugin.h resolve_plugin.c \ - resolve_handler.h resolve_handler.c - -libstrongswan_resolve_la_LDFLAGS = -module -avoid-version -all: all-am - -.SUFFIXES: -.SUFFIXES: .c .lo .o .obj -$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ - && { if test -f $@; then exit 0; else break; fi; }; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/resolve/Makefile'; \ - $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libhydra/plugins/resolve/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(am__aclocal_m4_deps): - -clean-noinstLTLIBRARIES: - -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) - @list='$(noinst_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } - -install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) - @$(NORMAL_INSTALL) - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - list2=; for p in $$list; do \ - if test -f $$p; then \ - list2="$$list2 $$p"; \ - else :; fi; \ - done; \ - test -z "$$list2" || { \ - echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ - } - -uninstall-pluginLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - for p in $$list; do \ - $(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ - done - -clean-pluginLTLIBRARIES: - -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) - @list='$(plugin_LTLIBRARIES)'; \ - locs=`for p in $$list; do echo $$p; done | \ - sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ - sort -u`; \ - test -z "$$locs" || { \ - echo rm -f $${locs}; \ - rm -f $${locs}; \ - } - -libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) $(EXTRA_libstrongswan_resolve_la_DEPENDENCIES) - $(AM_V_CCLD)$(libstrongswan_resolve_la_LINK) $(am_libstrongswan_resolve_la_rpath) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_handler.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_plugin.Plo@am__quote@ - -.c.o: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< - -.c.obj: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` - -.c.lo: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -ID: $(am__tagged_files) - $(am__define_uniq_tagged_files); mkid -fID $$unique -tags: tags-am -TAGS: tags - -tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) - set x; \ - here=`pwd`; \ - $(am__define_uniq_tagged_files); \ - shift; \ - if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ - test -n "$$unique" || unique=$$empty_fix; \ - if test $$# -gt 0; then \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - "$$@" $$unique; \ - else \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$unique; \ - fi; \ - fi -ctags: ctags-am - -CTAGS: ctags -ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) - $(am__define_uniq_tagged_files); \ - test -z "$(CTAGS_ARGS)$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && $(am__cd) $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) "$$here" -cscopelist: cscopelist-am - -cscopelist-am: $(am__tagged_files) - list='$(am__tagged_files)'; \ - case "$(srcdir)" in \ - [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ - *) sdir=$(subdir)/$(srcdir) ;; \ - esac; \ - for i in $$list; do \ - if test -f "$$i"; then \ - echo "$(subdir)/$$i"; \ - else \ - echo "$$sdir/$$i"; \ - fi; \ - done >> $(top_builddir)/cscope.files - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - list='$(DISTFILES)'; \ - dist_files=`for file in $$list; do echo $$file; done | \ - sed -e "s|^$$srcdirstrip/||;t" \ - -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ - case $$dist_files in \ - */*) $(MKDIR_P) `echo "$$dist_files" | \ - sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ - sort -u` ;; \ - esac; \ - for file in $$dist_files; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - if test -d $$d/$$file; then \ - dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test -d "$(distdir)/$$file"; then \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ - else \ - test -f "$(distdir)/$$file" \ - || cp -p $$d/$$file "$(distdir)/$$file" \ - || exit 1; \ - fi; \ - done -check-am: all-am -check: check-am -all-am: Makefile $(LTLIBRARIES) -installdirs: - for dir in "$(DESTDIR)$(plugindir)"; do \ - test -z "$$dir" || $(MKDIR_P) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - if test -z '$(STRIP)'; then \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - install; \ - else \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ - fi -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) - -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." -clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ - clean-pluginLTLIBRARIES mostlyclean-am - -distclean: distclean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -html-am: - -info: info-am - -info-am: - -install-data-am: install-pluginLTLIBRARIES - -install-dvi: install-dvi-am - -install-dvi-am: - -install-exec-am: - -install-html: install-html-am - -install-html-am: - -install-info: install-info-am - -install-info-am: - -install-man: - -install-pdf: install-pdf-am - -install-pdf-am: - -install-ps: install-ps-am - -install-ps-am: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-pluginLTLIBRARIES - -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ - clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ - cscopelist-am ctags ctags-am distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-pluginLTLIBRARIES install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ - uninstall-am uninstall-pluginLTLIBRARIES - - -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/src/libhydra/plugins/resolve/resolve_handler.c b/src/libhydra/plugins/resolve/resolve_handler.c deleted file mode 100644 index 069466ab5..000000000 --- a/src/libhydra/plugins/resolve/resolve_handler.c +++ /dev/null @@ -1,377 +0,0 @@ -/* - * Copyright (C) 2012 Tobias Brunner - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "resolve_handler.h" - -#include -#include -#include - -#include -#include -#include - -/* path to resolvconf executable */ -#define RESOLVCONF_EXEC "/sbin/resolvconf" - -/* default prefix used for resolvconf interfaces (should have high prio) */ -#define RESOLVCONF_PREFIX "lo.inet.ipsec." - -typedef struct private_resolve_handler_t private_resolve_handler_t; - -/** - * Private data of an resolve_handler_t object. - */ -struct private_resolve_handler_t { - - /** - * Public resolve_handler_t interface. - */ - resolve_handler_t public; - - /** - * resolv.conf file to use - */ - char *file; - - /** - * use resolvconf instead of writing directly to resolv.conf - */ - bool use_resolvconf; - - /** - * prefix to be used for interface names sent to resolvconf - */ - char *iface_prefix; - - /** - * Mutex to access file exclusively - */ - mutex_t *mutex; -}; - -/** - * Writes the given nameserver to resolv.conf - */ -static bool write_nameserver(private_resolve_handler_t *this, - identification_t *server, host_t *addr) -{ - FILE *in, *out; - char buf[1024]; - size_t len; - bool handled = FALSE; - - in = fopen(this->file, "r"); - /* allows us to stream from in to out */ - unlink(this->file); - out = fopen(this->file, "w"); - if (out) - { - fprintf(out, "nameserver %H # by strongSwan, from %Y\n", addr, - server); - DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file); - handled = TRUE; - - /* copy rest of the file */ - if (in) - { - while ((len = fread(buf, 1, sizeof(buf), in))) - { - ignore_result(fwrite(buf, 1, len, out)); - } - } - fclose(out); - } - if (in) - { - fclose(in); - } - return handled; -} - -/** - * Removes the given nameserver from resolv.conf - */ -static void remove_nameserver(private_resolve_handler_t *this, - identification_t *server, host_t *addr) -{ - FILE *in, *out; - char line[1024], matcher[512]; - - in = fopen(this->file, "r"); - if (in) - { - /* allows us to stream from in to out */ - unlink(this->file); - out = fopen(this->file, "w"); - if (out) - { - snprintf(matcher, sizeof(matcher), - "nameserver %H # by strongSwan, from %Y\n", - addr, server); - - /* copy all, but matching line */ - while (fgets(line, sizeof(line), in)) - { - if (strpfx(line, matcher)) - { - DBG1(DBG_IKE, "removing DNS server %H from %s", - addr, this->file); - } - else - { - fputs(line, out); - } - } - fclose(out); - } - fclose(in); - } -} - -/** - * Add or remove the given nameserver by invoking resolvconf. - */ -static bool invoke_resolvconf(private_resolve_handler_t *this, - identification_t *server, host_t *addr, - bool install) -{ - char cmd[128]; - bool success = TRUE; - - /* we use the nameserver's IP address as part of the interface name to - * make them unique */ - if (snprintf(cmd, sizeof(cmd), "%s %s %s%H", RESOLVCONF_EXEC, - install ? "-a" : "-d", this->iface_prefix, addr) >= sizeof(cmd)) - { - return FALSE; - } - - if (install) - { - FILE *out; - - out = popen(cmd, "w"); - if (!out) - { - return FALSE; - } - DBG1(DBG_IKE, "installing DNS server %H via resolvconf", addr); - fprintf(out, "nameserver %H\n", addr); - success = !ferror(out); - if (pclose(out)) - { - return FALSE; - } - } - else - { - ignore_result(system(cmd)); - } - return success; -} - -METHOD(attribute_handler_t, handle, bool, - private_resolve_handler_t *this, identification_t *server, - configuration_attribute_type_t type, chunk_t data) -{ - host_t *addr; - bool handled; - - switch (type) - { - case INTERNAL_IP4_DNS: - addr = host_create_from_chunk(AF_INET, data, 0); - break; - case INTERNAL_IP6_DNS: - addr = host_create_from_chunk(AF_INET6, data, 0); - break; - default: - return FALSE; - } - - if (!addr || addr->is_anyaddr(addr)) - { - DESTROY_IF(addr); - return FALSE; - } - - this->mutex->lock(this->mutex); - if (this->use_resolvconf) - { - handled = invoke_resolvconf(this, server, addr, TRUE); - } - else - { - handled = write_nameserver(this, server, addr); - } - this->mutex->unlock(this->mutex); - addr->destroy(addr); - - if (!handled) - { - DBG1(DBG_IKE, "adding DNS server failed"); - } - return handled; -} - -METHOD(attribute_handler_t, release, void, - private_resolve_handler_t *this, identification_t *server, - configuration_attribute_type_t type, chunk_t data) -{ - host_t *addr; - int family; - - switch (type) - { - case INTERNAL_IP4_DNS: - family = AF_INET; - break; - case INTERNAL_IP6_DNS: - family = AF_INET6; - break; - default: - return; - } - addr = host_create_from_chunk(family, data, 0); - - this->mutex->lock(this->mutex); - if (this->use_resolvconf) - { - invoke_resolvconf(this, server, addr, FALSE); - } - else - { - remove_nameserver(this, server, addr); - } - this->mutex->unlock(this->mutex); - - addr->destroy(addr); -} - -/** - * Attribute enumerator implementation - */ -typedef struct { - /** implements enumerator_t interface */ - enumerator_t public; - /** request IPv4 DNS? */ - bool v4; - /** request IPv6 DNS? */ - bool v6; -} attribute_enumerator_t; - -static bool attribute_enumerate(attribute_enumerator_t *this, - configuration_attribute_type_t *type, - chunk_t *data) -{ - if (this->v4) - { - *type = INTERNAL_IP4_DNS; - *data = chunk_empty; - this->v4 = FALSE; - return TRUE; - } - if (this->v6) - { - *type = INTERNAL_IP6_DNS; - *data = chunk_empty; - this->v6 = FALSE; - return TRUE; - } - return FALSE; -} - -/** - * Check if a list has a host of given family - */ -static bool has_host_family(linked_list_t *list, int family) -{ - enumerator_t *enumerator; - host_t *host; - bool found = FALSE; - - enumerator = list->create_enumerator(list); - while (enumerator->enumerate(enumerator, &host)) - { - if (host->get_family(host) == family) - { - found = TRUE; - break; - } - } - enumerator->destroy(enumerator); - - return found; -} - -METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*, - private_resolve_handler_t *this, identification_t *server, - linked_list_t *vips) -{ - attribute_enumerator_t *enumerator; - - INIT(enumerator, - .public = { - .enumerate = (void*)attribute_enumerate, - .destroy = (void*)free, - }, - .v4 = has_host_family(vips, AF_INET), - .v6 = has_host_family(vips, AF_INET6), - ); - return &enumerator->public; -} - -METHOD(resolve_handler_t, destroy, void, - private_resolve_handler_t *this) -{ - this->mutex->destroy(this->mutex); - free(this); -} - -/** - * See header - */ -resolve_handler_t *resolve_handler_create() -{ - private_resolve_handler_t *this; - struct stat st; - - INIT(this, - .public = { - .handler = { - .handle = _handle, - .release = _release, - .create_attribute_enumerator = _create_attribute_enumerator, - }, - .destroy = _destroy, - }, - .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .file = lib->settings->get_str(lib->settings, "%s.plugins.resolve.file", - RESOLV_CONF, lib->ns), - ); - - if (stat(RESOLVCONF_EXEC, &st) == 0) - { - this->use_resolvconf = TRUE; - this->iface_prefix = lib->settings->get_str(lib->settings, - "%s.plugins.resolve.resolvconf.iface_prefix", - RESOLVCONF_PREFIX, lib->ns); - } - - return &this->public; -} - diff --git a/src/libhydra/plugins/resolve/resolve_handler.h b/src/libhydra/plugins/resolve/resolve_handler.h deleted file mode 100644 index 77bf9781c..000000000 --- a/src/libhydra/plugins/resolve/resolve_handler.h +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup resolve_handler resolve_handler - * @{ @ingroup resolve - */ - -#ifndef RESOLVE_HANDLER_H_ -#define RESOLVE_HANDLER_H_ - -#include - -typedef struct resolve_handler_t resolve_handler_t; - -/** - * Handle DNS configuration attributes by mangling a resolv.conf file. - */ -struct resolve_handler_t { - - /** - * Implements the attribute_handler_t interface - */ - attribute_handler_t handler; - - /** - * Destroy a resolve_handler_t. - */ - void (*destroy)(resolve_handler_t *this); -}; - -/** - * Create a resolve_handler instance. - */ -resolve_handler_t *resolve_handler_create(); - -#endif /** RESOLVE_HANDLER_H_ @}*/ diff --git a/src/libhydra/plugins/resolve/resolve_plugin.c b/src/libhydra/plugins/resolve/resolve_plugin.c deleted file mode 100644 index 2fef09a49..000000000 --- a/src/libhydra/plugins/resolve/resolve_plugin.c +++ /dev/null @@ -1,102 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "resolve_plugin.h" -#include "resolve_handler.h" - -#include - -typedef struct private_resolve_plugin_t private_resolve_plugin_t; - -/** - * private data of resolve plugin - */ -struct private_resolve_plugin_t { - - /** - * implements plugin interface - */ - resolve_plugin_t public; - - /** - * The registered DNS attribute handler - */ - resolve_handler_t *handler; -}; - -METHOD(plugin_t, get_name, char*, - private_resolve_plugin_t *this) -{ - return "resolve"; -} - -/** - * Register handler - */ -static bool plugin_cb(private_resolve_plugin_t *this, - plugin_feature_t *feature, bool reg, void *cb_data) -{ - if (reg) - { - hydra->attributes->add_handler(hydra->attributes, - &this->handler->handler); - } - else - { - hydra->attributes->remove_handler(hydra->attributes, - &this->handler->handler); - } - return TRUE; -} - -METHOD(plugin_t, get_features, int, - private_resolve_plugin_t *this, plugin_feature_t *features[]) -{ - static plugin_feature_t f[] = { - PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL), - PLUGIN_PROVIDE(CUSTOM, "resolve"), - }; - *features = f; - return countof(f); -} - -METHOD(plugin_t, destroy, void, - private_resolve_plugin_t *this) -{ - this->handler->destroy(this->handler); - free(this); -} - -/* - * see header file - */ -plugin_t *resolve_plugin_create() -{ - private_resolve_plugin_t *this; - - INIT(this, - .public = { - .plugin = { - .get_name = _get_name, - .get_features = _get_features, - .destroy = _destroy, - }, - }, - .handler = resolve_handler_create(), - ); - - return &this->public.plugin; -} - diff --git a/src/libhydra/plugins/resolve/resolve_plugin.h b/src/libhydra/plugins/resolve/resolve_plugin.h deleted file mode 100644 index 0148b10d7..000000000 --- a/src/libhydra/plugins/resolve/resolve_plugin.h +++ /dev/null @@ -1,42 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup resolve resolve - * @ingroup cplugins - * - * @defgroup resolve_plugin resolve_plugin - * @{ @ingroup resolve - */ - -#ifndef RESOLVE_PLUGIN_H_ -#define RESOLVE_PLUGIN_H_ - -#include - -typedef struct resolve_plugin_t resolve_plugin_t; - -/** - * Plugin that writes received DNS servers in a resolv.conf file. - */ -struct resolve_plugin_t { - - /** - * implements plugin interface - */ - plugin_t plugin; -}; - -#endif /** RESOLVE_PLUGIN_H_ @}*/ diff --git a/src/libhydra/tests/Makefile.am b/src/libhydra/tests/Makefile.am new file mode 100644 index 000000000..5acd5c28c --- /dev/null +++ b/src/libhydra/tests/Makefile.am @@ -0,0 +1,18 @@ +TESTS = hydra_tests + +check_PROGRAMS = $(TESTS) + +hydra_tests_SOURCES = \ + hydra_tests.h hydra_tests.c + +hydra_tests_CFLAGS = \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + @COVERAGE_CFLAGS@ + +hydra_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +hydra_tests_LDADD = \ + $(top_builddir)/src/libhydra/libhydra.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la diff --git a/src/libhydra/tests/Makefile.in b/src/libhydra/tests/Makefile.in new file mode 100644 index 000000000..1fa889d67 --- /dev/null +++ b/src/libhydra/tests/Makefile.in @@ -0,0 +1,839 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +TESTS = hydra_tests$(EXEEXT) +check_PROGRAMS = $(am__EXEEXT_1) +subdir = src/libhydra/tests +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__EXEEXT_1 = hydra_tests$(EXEEXT) +am_hydra_tests_OBJECTS = hydra_tests-hydra_tests.$(OBJEXT) +hydra_tests_OBJECTS = $(am_hydra_tests_OBJECTS) +hydra_tests_DEPENDENCIES = $(top_builddir)/src/libhydra/libhydra.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +hydra_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(hydra_tests_CFLAGS) \ + $(CFLAGS) $(hydra_tests_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(hydra_tests_SOURCES) +DIST_SOURCES = $(hydra_tests_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red=''; \ + grn=''; \ + lgn=''; \ + blu=''; \ + mgn=''; \ + brg=''; \ + std=''; \ + fi; \ +} +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +hydra_tests_SOURCES = \ + hydra_tests.h hydra_tests.c + +hydra_tests_CFLAGS = \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + @COVERAGE_CFLAGS@ + +hydra_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +hydra_tests_LDADD = \ + $(top_builddir)/src/libhydra/libhydra.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/tests/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libhydra/tests/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +hydra_tests$(EXEEXT): $(hydra_tests_OBJECTS) $(hydra_tests_DEPENDENCIES) $(EXTRA_hydra_tests_DEPENDENCIES) + @rm -f hydra_tests$(EXEEXT) + $(AM_V_CCLD)$(hydra_tests_LINK) $(hydra_tests_OBJECTS) $(hydra_tests_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra_tests-hydra_tests.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +hydra_tests-hydra_tests.o: hydra_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -MT hydra_tests-hydra_tests.o -MD -MP -MF $(DEPDIR)/hydra_tests-hydra_tests.Tpo -c -o hydra_tests-hydra_tests.o `test -f 'hydra_tests.c' || echo '$(srcdir)/'`hydra_tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/hydra_tests-hydra_tests.Tpo $(DEPDIR)/hydra_tests-hydra_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='hydra_tests.c' object='hydra_tests-hydra_tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -c -o hydra_tests-hydra_tests.o `test -f 'hydra_tests.c' || echo '$(srcdir)/'`hydra_tests.c + +hydra_tests-hydra_tests.obj: hydra_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -MT hydra_tests-hydra_tests.obj -MD -MP -MF $(DEPDIR)/hydra_tests-hydra_tests.Tpo -c -o hydra_tests-hydra_tests.obj `if test -f 'hydra_tests.c'; then $(CYGPATH_W) 'hydra_tests.c'; else $(CYGPATH_W) '$(srcdir)/hydra_tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/hydra_tests-hydra_tests.Tpo $(DEPDIR)/hydra_tests-hydra_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='hydra_tests.c' object='hydra_tests-hydra_tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -c -o hydra_tests-hydra_tests.obj `if test -f 'hydra_tests.c'; then $(CYGPATH_W) 'hydra_tests.c'; else $(CYGPATH_W) '$(srcdir)/hydra_tests.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + $(am__tty_colors); \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + col=$$red; res=XPASS; \ + ;; \ + *) \ + col=$$grn; res=PASS; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xfail=`expr $$xfail + 1`; \ + col=$$lgn; res=XFAIL; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + col=$$red; res=FAIL; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + col=$$blu; res=SKIP; \ + fi; \ + echo "$${col}$$res$${std}: $$tst"; \ + done; \ + if test "$$all" -eq 1; then \ + tests="test"; \ + All=""; \ + else \ + tests="tests"; \ + All="All "; \ + fi; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="$$All$$all $$tests passed"; \ + else \ + if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ + banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all $$tests failed"; \ + else \ + if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ + banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + if test "$$skip" -eq 1; then \ + skipped="($$skip test was not run)"; \ + else \ + skipped="($$skip tests were not run)"; \ + fi; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + if test "$$failed" -eq 0; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + fi; \ + echo "$${col}$$dashes$${std}"; \ + echo "$${col}$$banner$${std}"; \ + test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \ + test -z "$$report" || echo "$${col}$$report$${std}"; \ + echo "$${col}$$dashes$${std}"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: check-am install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ + clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libhydra/tests/hydra_tests.c b/src/libhydra/tests/hydra_tests.c new file mode 100644 index 000000000..90abd8369 --- /dev/null +++ b/src/libhydra/tests/hydra_tests.c @@ -0,0 +1,53 @@ +/* + * Copyright (C) 2014 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +/* declare test suite constructors */ +#define TEST_SUITE(x) test_suite_t* x(); +#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x) +#include "hydra_tests.h" +#undef TEST_SUITE +#undef TEST_SUITE_DEPEND + +static test_configuration_t tests[] = { +#define TEST_SUITE(x) \ + { .suite = x, }, +#define TEST_SUITE_DEPEND(x, type, args) \ + { .suite = x, .feature = PLUGIN_DEPENDS(type, args) }, +#include "hydra_tests.h" + { .suite = NULL, } +}; + +static bool test_runner_init(bool init) +{ + if (init) + { + libhydra_init(); + } + else + { + lib->processor->set_threads(lib->processor, 0); + lib->processor->cancel(lib->processor); + libhydra_deinit(); + } + return TRUE; +} + +int main(int argc, char *argv[]) +{ + return test_runner_run("libhydra", tests, test_runner_init); +} diff --git a/src/libhydra/tests/hydra_tests.h b/src/libhydra/tests/hydra_tests.h new file mode 100644 index 000000000..6b213d026 --- /dev/null +++ b/src/libhydra/tests/hydra_tests.h @@ -0,0 +1,14 @@ +/* + * Copyright (C) 2014 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am index d9a5cd50d..a61382723 100644 --- a/src/libimcv/Makefile.am +++ b/src/libimcv/Makefile.am @@ -127,7 +127,8 @@ imv_policy_manager_SOURCES = \ imv/imv_policy_manager.c \ imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c imv_policy_manager_LDADD = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtncif/libtncif.la #imv/imv_policy_manager.o : $(top_builddir)/config.status SUBDIRS = . diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in index 239e62a17..03778a22c 100644 --- a/src/libimcv/Makefile.in +++ b/src/libimcv/Makefile.in @@ -237,7 +237,8 @@ am_imv_policy_manager_OBJECTS = imv/imv_policy_manager.$(OBJEXT) \ imv/imv_policy_manager_usage.$(OBJEXT) imv_policy_manager_OBJECTS = $(am_imv_policy_manager_OBJECTS) imv_policy_manager_DEPENDENCIES = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtncif/libtncif.la SCRIPTS = $(ipsec_SCRIPTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) @@ -395,6 +396,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -455,10 +457,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -532,6 +536,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -708,7 +714,8 @@ imv_policy_manager_SOURCES = \ imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c imv_policy_manager_LDADD = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtncif/libtncif.la #imv/imv_policy_manager.o : $(top_builddir)/config.status SUBDIRS = . $(am__append_3) $(am__append_4) $(am__append_5) \ diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql index 425748f59..ff6191117 100644 --- a/src/libimcv/imv/data.sql +++ b/src/libimcv/imv/data.sql @@ -323,6 +323,71 @@ INSERT INTO products ( /* 54 */ 'Debian 7.6 armv6l' ); +INSERT INTO products ( /* 55 */ + name +) VALUES ( + 'Debian 7.7 i686' +); + +INSERT INTO products ( /* 56 */ + name +) VALUES ( + 'Debian 7.7 x86_64' +); +INSERT INTO products ( /* 57 */ + name +) VALUES ( + 'Debian 7.7 armv6l' +); + +INSERT INTO products ( /* 58 */ + name +) VALUES ( + 'Debian 7.8 i686' +); + +INSERT INTO products ( /* 59 */ + name +) VALUES ( + 'Debian 7.8 x86_64' +); + +INSERT INTO products ( /* 60 */ + name +) VALUES ( + 'Debian 7.8 armv6l' +); + +INSERT INTO products ( /* 61 */ + name +) VALUES ( + 'Ubuntu 14.10 i686' +); + +INSERT INTO products ( /* 62 */ + name +) VALUES ( + 'Ubuntu 14.10 x86_64' +); + +INSERT INTO products ( /* 63 */ + name +) VALUES ( + 'Android 5.0' +); + +INSERT INTO products ( /* 64 */ + name +) VALUES ( + 'Android 5.0.1' +); + +INSERT INTO products ( /* 65 */ + name +) VALUES ( + 'Debian 7.8 armv7l' +); + /* Directories */ INSERT INTO directories ( /* 1 */ @@ -741,6 +806,18 @@ INSERT INTO groups ( /* 14 */ 'Debian armv6l', 2 ); +INSERT INTO groups ( /* 15 */ + name, parent +) VALUES ( + 'Debian armv7l', 2 +); + +INSERT INTO groups ( /* 16 */ + name +) VALUES ( + 'TPM TBOOT' +); + /* Default Product Groups */ INSERT INTO groups_product_defaults ( @@ -797,6 +874,18 @@ INSERT INTO groups_product_defaults ( 4, 52 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 55 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 58 +); + INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( @@ -851,6 +940,18 @@ INSERT INTO groups_product_defaults ( 5, 53 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 56 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 59 +); + INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( @@ -899,6 +1000,12 @@ INSERT INTO groups_product_defaults ( 6, 35 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 61 +); + INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( @@ -953,6 +1060,12 @@ INSERT INTO groups_product_defaults ( 7, 36 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 62 +); + INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( @@ -1013,6 +1126,18 @@ INSERT INTO groups_product_defaults ( 3, 50 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 3, 63 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 3, 64 +); + INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( @@ -1061,6 +1186,24 @@ INSERT INTO groups_product_defaults ( 14, 54 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 14, 57 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 14, 60 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 15, 65 +); + /* Policies */ INSERT INTO policies ( /* 1 */ @@ -1189,6 +1332,12 @@ INSERT INTO policies ( /* 21 */ 16, 'TPM BIOS/IMA Measurements', 'BI', 2, 2 ); +INSERT INTO policies ( /* 22 */ + type, name, argument, rec_fail, rec_noresult +) VALUES ( + 16, 'TPM TBOOT Measurements', 'T', 2, 2 +); + /* Enforcements */ INSERT INTO enforcements ( /* 1 */ @@ -1293,6 +1442,12 @@ INSERT INTO enforcements ( /* 17 */ 21, 13, 60 ); +INSERT INTO enforcements ( /* 18 */ + policy, group_id, max_age +) VALUES ( + 22, 16, 60 +); + /* swid_entities */ INSERT INTO "swid_entities" ( /* 1 */ diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c index 6b24f4b28..d0508624d 100644 --- a/src/libimcv/imv/imv_agent.c +++ b/src/libimcv/imv/imv_agent.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -412,14 +412,10 @@ METHOD(imv_agent_t, create_state, TNC_Result, { TNC_ConnectionID conn_id; char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL; - bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE, first = TRUE; + bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE; linked_list_t *ar_identities; - enumerator_t *enumerator; - tncif_identity_t *tnc_id; imv_session_t *session; uint32_t max_msg_len; - uint32_t ar_id_type = TNC_ID_UNKNOWN; - chunk_t ar_id_value = chunk_empty; conn_id = state->get_connection_id(state); if (find_connection(this, conn_id)) @@ -431,15 +427,24 @@ METHOD(imv_agent_t, create_state, TNC_Result, } /* Get and display attributes from TNCS via IF-IMV */ - has_long = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_LONG_TYPES); - has_excl = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_EXCLUSIVE); - has_soh = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_SOH); - tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL); - tnccs_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_VERSION); - t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL); - t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION); - max_msg_len = get_uint_attribute(this, conn_id, TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE); - ar_identities = get_identity_attribute(this, conn_id, TNC_ATTRIBUTEID_AR_IDENTITIES); + has_long = get_bool_attribute(this, conn_id, + TNC_ATTRIBUTEID_HAS_LONG_TYPES); + has_excl = get_bool_attribute(this, conn_id, + TNC_ATTRIBUTEID_HAS_EXCLUSIVE); + has_soh = get_bool_attribute(this, conn_id, + TNC_ATTRIBUTEID_HAS_SOH); + tnccs_p = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL); + tnccs_v = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFTNCCS_VERSION); + t_p = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFT_PROTOCOL); + t_v = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFT_VERSION); + max_msg_len = get_uint_attribute(this, conn_id, + TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE); + ar_identities = get_identity_attribute(this, conn_id, + TNC_ATTRIBUTEID_AR_IDENTITIES); state->set_flags(state, has_long, has_excl); state->set_max_msg_len(state, max_msg_len); @@ -451,48 +456,9 @@ METHOD(imv_agent_t, create_state, TNC_Result, DBG2(DBG_IMV, " over %s %s with maximum PA-TNC message size of %u bytes", t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len); - enumerator = ar_identities->create_enumerator(ar_identities); - while (enumerator->enumerate(enumerator, &tnc_id)) - { - pen_type_t id_type, subject_type, auth_type; - uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type; - chunk_t id_value; - - id_type = tnc_id->get_identity_type(tnc_id); - id_value = tnc_id->get_identity_value(tnc_id); - subject_type = tnc_id->get_subject_type(tnc_id); - auth_type = tnc_id->get_auth_type(tnc_id); - - tcg_id_type = (id_type.vendor_id == PEN_TCG) ? - id_type.type : TNC_ID_UNKNOWN; - tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ? - subject_type.type : TNC_SUBJECT_UNKNOWN; - tcg_auth_type = (auth_type.vendor_id == PEN_TCG) ? - auth_type.type : TNC_AUTH_UNKNOWN; - - - DBG2(DBG_IMV, " %N AR identity '%.*s' authenticated by %N", - TNC_Subject_names, tcg_subject_type, - id_value.len, id_value.ptr, - TNC_Authentication_names, tcg_auth_type); - - /* keep the first access requestor ID */ - if (first) - { - ar_id_type = tcg_id_type; - ar_id_value = id_value; - first = FALSE; - } - } - enumerator->destroy(enumerator); - - session = imcv_sessions->add_session(imcv_sessions, conn_id, - ar_id_type, ar_id_value); + session = imcv_sessions->add_session(imcv_sessions, conn_id, ar_identities); state->set_session(state, session); - /* clean up temporary variables */ - ar_identities->destroy_offset(ar_identities, - offsetof(tncif_identity_t, destroy)); free(tnccs_p); free(tnccs_v); free(t_p); diff --git a/src/libimcv/imv/imv_database.c b/src/libimcv/imv/imv_database.c index 0c4bb7514..0a18cd71b 100644 --- a/src/libimcv/imv/imv_database.c +++ b/src/libimcv/imv/imv_database.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -22,6 +22,8 @@ #include "imv_database.h" +#include + #include #include @@ -60,41 +62,14 @@ METHOD(imv_database_t, get_database, database_t*, */ static bool create_session(private_imv_database_t *this, imv_session_t *session) { - enumerator_t *e; + enumerator_t *enumerator, *e; imv_os_info_t *os_info; - chunk_t device_id, ar_id_value; + chunk_t device_id; + tncif_identity_t *tnc_id; TNC_ConnectionID conn_id; - uint32_t ar_id_type; char *product, *device; - int session_id = 0, ar_id = 0, pid = 0, did = 0, trusted = 0, created; - - ar_id_value = session->get_ar_id(session, &ar_id_type); - if (ar_id_value.len) - { - /* get primary key of AR identity if it exists */ - e = this->db->query(this->db, - "SELECT id FROM identities WHERE type = ? AND value = ?", - DB_INT, ar_id_type, DB_BLOB, ar_id_value, DB_INT); - if (e) - { - e->enumerate(e, &ar_id); - e->destroy(e); - } - - /* if AR identity has not been found - register it */ - if (!ar_id) - { - this->db->execute(this->db, &ar_id, - "INSERT INTO identities (type, value) VALUES (?, ?)", - DB_INT, ar_id_type, DB_BLOB, ar_id_value); - } - - if (!ar_id) - { - DBG1(DBG_IMV, "imv_db: registering access requestor failed"); - return FALSE; - } - } + int session_id = 0, pid = 0, did = 0, trusted = 0, created; + bool first = TRUE, success = TRUE; /* get product info string */ os_info = session->get_os_info(session); @@ -170,10 +145,9 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session) created = session->get_creation_time(session); conn_id = session->get_connection_id(session); this->db->execute(this->db, &session_id, - "INSERT INTO sessions (time, connection, identity, product, device) " - "VALUES (?, ?, ?, ?, ?)", - DB_INT, created, DB_INT, conn_id, DB_INT, ar_id, - DB_INT, pid, DB_INT, did); + "INSERT INTO sessions (time, connection, product, device) " + "VALUES (?, ?, ?, ?)", + DB_INT, created, DB_INT, conn_id, DB_INT, pid, DB_INT, did); if (session_id) { @@ -187,7 +161,68 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session) } session->set_session_id(session, session_id, pid, did); - return TRUE; + enumerator = session->create_ar_identities_enumerator(session); + while (enumerator->enumerate(enumerator, &tnc_id)) + { + pen_type_t ar_id_type; + chunk_t ar_id_value; + int ar_id = 0, si_id = 0; + + ar_id_type = tnc_id->get_identity_type(tnc_id); + ar_id_value = tnc_id->get_identity_value(tnc_id); + + if (ar_id_type.vendor_id != PEN_TCG || ar_id_value.len == 0) + { + continue; + } + + /* get primary key of AR identity if it exists */ + e = this->db->query(this->db, + "SELECT id FROM identities WHERE type = ? AND value = ?", + DB_INT, ar_id_type.type, DB_BLOB, ar_id_value, DB_INT); + if (e) + { + e->enumerate(e, &ar_id); + e->destroy(e); + } + + /* if AR identity has not been found - register it */ + if (!ar_id) + { + this->db->execute(this->db, &ar_id, + "INSERT INTO identities (type, value) VALUES (?, ?)", + DB_INT, ar_id_type.type, DB_BLOB, ar_id_value); + } + if (!ar_id) + { + DBG1(DBG_IMV, "imv_db: registering access requestor failed"); + success = FALSE; + break; + } + + this->db->execute(this->db, &si_id, + "INSERT INTO sessions_identities (session_id, identity_id) " + "VALUES (?, ?)", + DB_INT, session_id, DB_INT, ar_id); + + if (!si_id) + { + DBG1(DBG_IMV, "imv_db: assigning identity to session failed"); + success = FALSE; + break; + } + + if (first) + { + this->db->execute(this->db, NULL, + "UPDATE sessions SET identity = ? WHERE id = ?", + DB_INT, ar_id, DB_INT, session_id); + first = FALSE; + } + } + enumerator->destroy(enumerator); + + return success; } static bool add_workitems(private_imv_database_t *this, imv_session_t *session) diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c index 50f7f2e39..9f7e4e8f4 100644 --- a/src/libimcv/imv/imv_policy_manager.c +++ b/src/libimcv/imv/imv_policy_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -19,6 +19,8 @@ #include #include +#include + #include #include #include @@ -251,9 +253,12 @@ static bool policy_start(database_t *db, int session_id) static bool policy_stop(database_t *db, int session_id) { enumerator_t *e; - int rec, policy; - char *result; + int rec, policy, final_rec, id_type; + chunk_t id_value; + char *result, *ip_address = NULL; + bool success = TRUE; + /* store all workitem results for this session in the results table */ e = db->query(db, "SELECT w.rec_final, w.result, e.policy FROM workitems AS w " "JOIN enforcements AS e ON w.enforcement = e.id " @@ -270,9 +275,68 @@ static bool policy_stop(database_t *db, int session_id) } e->destroy(e); } - return db->execute(db, NULL, - "DELETE FROM workitems WHERE session = ?", - DB_UINT, session_id) >= 0; + else + { + success = FALSE; + } + + /* delete all workitems for this session from the database */ + if (db->execute(db, NULL, + "DELETE FROM workitems WHERE session = ?", + DB_UINT, session_id) < 0) + { + success = FALSE; + } + + final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION; + + /* retrieve the final recommendation for this session */ + e = db->query(db, + "SELECT rec FROM sessions WHERE id = ?", + DB_INT, session_id, DB_INT); + if (e) + { + if (!e->enumerate(e, &final_rec)) + { + success = FALSE; + } + e->destroy(e); + } + else + { + success = FALSE; + } + + /* retrieve client IP address for this session */ + e = db->query(db, + "SELECT i.type, i.value FROM identities AS i " + "JOIN sessions_identities AS si ON si.identity_id = i.id " + "WHERE si.session_id = ? AND (i.type = ? OR i.type = ?)", + DB_INT, session_id, DB_INT, TNC_ID_IPV4_ADDR, DB_INT, + TNC_ID_IPV6_ADDR, DB_INT, DB_BLOB); + if (e) + { + if (e->enumerate(e, &id_type, &id_value)) + { + ip_address = strndup(id_value.ptr, id_value.len); + } + else + { + success = FALSE; + } + e->destroy(e); + } + else + { + success = FALSE; + } + + fprintf(stderr, "recommendation for access requestor %s is %N\n", + ip_address ? ip_address : "0.0.0.0", + TNC_IMV_Action_Recommendation_names, final_rec); + free(ip_address); + + return success; } int main(int argc, char *argv[]) diff --git a/src/libimcv/imv/imv_session.c b/src/libimcv/imv/imv_session.c index 1f0d8cf14..bc6b5a8d1 100644 --- a/src/libimcv/imv/imv_session.c +++ b/src/libimcv/imv/imv_session.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,6 +15,8 @@ #include "imv_session.h" +#include + #include typedef struct private_imv_session_t private_imv_session_t; @@ -55,14 +57,9 @@ struct private_imv_session_t { time_t created; /** - * Access Requestor ID type - */ - uint32_t ar_id_type; - - /** - * Access Requestor ID value + * List of Access Requestor identities */ - chunk_t ar_id_value; + linked_list_t *ar_identities; /** * OS information @@ -130,14 +127,10 @@ METHOD(imv_session_t, get_creation_time, time_t, return this->created; } -METHOD(imv_session_t, get_ar_id, chunk_t, - private_imv_session_t *this, uint32_t *ar_id_type) +METHOD(imv_session_t, create_ar_identities_enumerator, enumerator_t*, + private_imv_session_t *this) { - if (ar_id_type) - { - *ar_id_type = this->ar_id_type; - } - return this->ar_id_value; + return this->ar_identities->create_enumerator(this->ar_identities); } METHOD(imv_session_t, get_os_info, imv_os_info_t*, @@ -256,7 +249,8 @@ METHOD(imv_session_t, destroy, void, this->workitems->destroy_offset(this->workitems, offsetof(imv_workitem_t, destroy)); this->os_info->destroy(this->os_info); - free(this->ar_id_value.ptr); + this->ar_identities->destroy_offset(this->ar_identities, + offsetof(tncif_identity_t, destroy)); free(this->device_id.ptr); free(this); } @@ -266,7 +260,7 @@ METHOD(imv_session_t, destroy, void, * See header */ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, - uint32_t ar_id_type, chunk_t ar_id_value) + linked_list_t *ar_identities) { private_imv_session_t *this; @@ -276,7 +270,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, .get_session_id = _get_session_id, .get_connection_id = _get_connection_id, .get_creation_time = _get_creation_time, - .get_ar_id = _get_ar_id, + .create_ar_identities_enumerator = _create_ar_identities_enumerator, .get_os_info = _get_os_info, .set_device_id = _set_device_id, .get_device_id = _get_device_id, @@ -293,8 +287,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, }, .conn_id = conn_id, .created = created, - .ar_id_type = ar_id_type, - .ar_id_value = chunk_clone(ar_id_value), + .ar_identities = ar_identities, .os_info = imv_os_info_create(), .workitems = linked_list_create(), .ref = 1, diff --git a/src/libimcv/imv/imv_session.h b/src/libimcv/imv/imv_session.h index 42b9118a6..107716f30 100644 --- a/src/libimcv/imv/imv_session.h +++ b/src/libimcv/imv/imv_session.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -70,12 +70,11 @@ struct imv_session_t { time_t (*get_creation_time)(imv_session_t *this); /** - * Get Access Requestor ID + * Get list of Access Requestor identities * - * @param id_type Access Requestor TCG Standard ID Type - * @return Access Requestor TCG Standard ID Value + * @return List of Access Requestor identities */ - chunk_t (*get_ar_id)(imv_session_t *this, uint32_t *id_type); + enumerator_t* (*create_ar_identities_enumerator)(imv_session_t *this); /** * Get OS Information @@ -172,10 +171,9 @@ struct imv_session_t { * * @param id Associated Connection ID * @param created Session creation time - * @param ar_id_type Access Requestor ID type - * @param ar_id_value Access Requestor ID value + * @param ar_identities List of Access Requestor identities */ imv_session_t* imv_session_create(TNC_ConnectionID id, time_t created, - uint32_t ar_id_type, chunk_t ar_id_value); + linked_list_t *ar_identities); #endif /** IMV_SESSION_H_ @}*/ diff --git a/src/libimcv/imv/imv_session_manager.c b/src/libimcv/imv/imv_session_manager.c index 0fb8de45e..c97602998 100644 --- a/src/libimcv/imv/imv_session_manager.c +++ b/src/libimcv/imv/imv_session_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,6 +15,9 @@ #include "imv_session_manager.h" +#include +#include + #include typedef struct private_imv_session_manager_t private_imv_session_manager_t; @@ -43,9 +46,10 @@ struct private_imv_session_manager_t { METHOD(imv_session_manager_t, add_session, imv_session_t*, private_imv_session_manager_t *this, TNC_ConnectionID conn_id, - uint32_t ar_id_type, chunk_t ar_id_value) + linked_list_t *ar_identities) { enumerator_t *enumerator; + tncif_identity_t *tnc_id; imv_session_t *current, *session = NULL; time_t created; @@ -66,13 +70,43 @@ METHOD(imv_session_manager_t, add_session, imv_session_t*, /* session already exists */ if (session) { + ar_identities->destroy_offset(ar_identities, + offsetof(tncif_identity_t, destroy)); this->mutex->unlock(this->mutex); return session->get_ref(session); } + /* Output list of Access Requestor identities */ + enumerator = ar_identities->create_enumerator(ar_identities); + while (enumerator->enumerate(enumerator, &tnc_id)) + { + pen_type_t id_type, subject_type, auth_type; + uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type; + chunk_t id_value; + + id_type = tnc_id->get_identity_type(tnc_id); + id_value = tnc_id->get_identity_value(tnc_id); + subject_type = tnc_id->get_subject_type(tnc_id); + auth_type = tnc_id->get_auth_type(tnc_id); + + tcg_id_type = (subject_type.vendor_id == PEN_TCG) ? + id_type.type : TNC_SUBJECT_UNKNOWN; + tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ? + subject_type.type : TNC_SUBJECT_UNKNOWN; + tcg_auth_type = (auth_type.vendor_id == PEN_TCG) ? + auth_type.type : TNC_AUTH_UNKNOWN; + + DBG2(DBG_IMV, " %N AR identity '%.*s' of type %N authenticated by %N", + TNC_Subject_names, tcg_subject_type, + id_value.len, id_value.ptr, + TNC_Identity_names, tcg_id_type, + TNC_Authentication_names, tcg_auth_type); + } + enumerator->destroy(enumerator); + /* create a new session entry */ created = time(NULL); - session = imv_session_create(conn_id, created, ar_id_type, ar_id_value); + session = imv_session_create(conn_id, created, ar_identities); this->sessions->insert_last(this->sessions, session); this->mutex->unlock(this->mutex); diff --git a/src/libimcv/imv/imv_session_manager.h b/src/libimcv/imv/imv_session_manager.h index 8a733accb..cfae23bc9 100644 --- a/src/libimcv/imv/imv_session_manager.h +++ b/src/libimcv/imv/imv_session_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -39,13 +39,12 @@ struct imv_session_manager_t { * Create or get a session associated with a TNCCS connection * * @param conn_id TNCCS Connection ID - * @param ar_id_type Access Requestor identity type - * @param ar_id_value Access Requestor identity value + * @param ar_identities List of Access Requestor identities * @return Session associated with TNCCS Connection */ imv_session_t* (*add_session)(imv_session_manager_t *this, TNC_ConnectionID conn_id, - uint32_t ar_id_type, chunk_t ar_id_value); + linked_list_t *ar_identities); /** * Remove a session diff --git a/src/libimcv/imv/tables-mysql.sql b/src/libimcv/imv/tables-mysql.sql index 47ee41c86..cf50742c3 100644 --- a/src/libimcv/imv/tables-mysql.sql +++ b/src/libimcv/imv/tables-mysql.sql @@ -99,6 +99,14 @@ CREATE TABLE `sessions` ( `rec` INTEGER DEFAULT 3 ); +DROP TABLE IF EXISTS `sessions_identities`; +CREATE TABLE `sessions_identities` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `session_id` INTEGER NOT NULL REFERENCES `sessions`(`id`), + `identity_id` INTEGER NOT NULL REFERENCES `identities`(`id`), + UNIQUE (`session_id`, `identity_id`) +); + DROP TABLE IF EXISTS `workitems`; CREATE TABLE `workitems` ( `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql index f7324896e..5c2a6563b 100644 --- a/src/libimcv/imv/tables.sql +++ b/src/libimcv/imv/tables.sql @@ -104,6 +104,14 @@ CREATE TABLE sessions ( rec INTEGER DEFAULT 3 ); +DROP TABLE IF EXISTS sessions_identities; +CREATE TABLE sessions_identities ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + session_id INTEGER NOT NULL REFERENCES sessions(id), + identity_id INTEGER NOT NULL REFERENCES identities(id), + UNIQUE (session_id, identity_id) +); + DROP TABLE IF EXISTS workitems; CREATE TABLE workitems ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, diff --git a/src/libimcv/plugins/imc_attestation/Makefile.in b/src/libimcv/plugins/imc_attestation/Makefile.in index 3c5017f32..8ad56181e 100644 --- a/src/libimcv/plugins/imc_attestation/Makefile.in +++ b/src/libimcv/plugins/imc_attestation/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c index 2fc2998e1..f24aec881 100644 --- a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c +++ b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c @@ -137,7 +137,11 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg, { return FALSE; } - pts->get_my_public_value(pts, &responder_value, &responder_nonce); + if (!pts->get_my_public_value(pts, &responder_value, + &responder_nonce)) + { + return FALSE; + } /* Send DH Nonce Parameters Response attribute */ attr = tcg_pts_attr_dh_nonce_params_resp_create(selected_dh_group, @@ -174,8 +178,10 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg, return FALSE; } - pts->set_peer_public_value(pts, initiator_value, initiator_nonce); - if (!pts->calculate_secret(pts)) + + if (!pts->set_peer_public_value(pts, initiator_value, + initiator_nonce) || + !pts->calculate_secret(pts)) { return FALSE; } diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in index 3f4cf41a9..3b7538688 100644 --- a/src/libimcv/plugins/imc_os/Makefile.in +++ b/src/libimcv/plugins/imc_os/Makefile.in @@ -224,6 +224,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -284,10 +285,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -361,6 +364,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in index a192b0a41..7b696896f 100644 --- a/src/libimcv/plugins/imc_scanner/Makefile.in +++ b/src/libimcv/plugins/imc_scanner/Makefile.in @@ -225,6 +225,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -285,10 +286,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -362,6 +365,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imc_swid/Makefile.in b/src/libimcv/plugins/imc_swid/Makefile.in index f1859a2cb..2847f09b4 100644 --- a/src/libimcv/plugins/imc_swid/Makefile.in +++ b/src/libimcv/plugins/imc_swid/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in index 3e1d0232f..2048caa4d 100644 --- a/src/libimcv/plugins/imc_test/Makefile.in +++ b/src/libimcv/plugins/imc_test/Makefile.in @@ -224,6 +224,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -284,10 +285,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -361,6 +364,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_attestation/Makefile.in b/src/libimcv/plugins/imv_attestation/Makefile.in index 3ba7c8c88..09a0ab0ce 100644 --- a/src/libimcv/plugins/imv_attestation/Makefile.in +++ b/src/libimcv/plugins/imv_attestation/Makefile.in @@ -236,6 +236,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_attestation/attest_db.c b/src/libimcv/plugins/imv_attestation/attest_db.c index f85a02b3d..f1a1f923e 100644 --- a/src/libimcv/plugins/imv_attestation/attest_db.c +++ b/src/libimcv/plugins/imv_attestation/attest_db.c @@ -849,29 +849,31 @@ METHOD(attest_db_t, list_devices, void, { enumerator_t *e, *e_ar; chunk_t ar_id_value = chunk_empty; - char *product, *device; + char *product, *device, *description; time_t timestamp; - int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0; + int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0, trusted; int session_id, rec; u_int32_t ar_id_type; u_int tstamp; e = this->db->query(this->db, - "SELECT d.id, d.value, s.id, s.time, s.identity, s.rec, p.name " + "SELECT d.id, d.value, d.trusted, d.description, " + "s.id, s.time, s.identity, s.rec, p.name " "FROM devices AS d " "JOIN sessions AS s ON d.id = s.device " "JOIN products AS p ON p.id = s.product " - "ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_UINT, - DB_INT, DB_INT, DB_TEXT); + "ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_TEXT, + DB_INT, DB_UINT, DB_INT, DB_INT, DB_TEXT); if (e) { - while (e->enumerate(e, &id, &device, &session_id, &tstamp, &ar_id, &rec, - &product)) + while (e->enumerate(e, &id, &device, &trusted, &description, + &session_id, &tstamp, &ar_id, &rec, &product)) { if (id != last_id) { - printf("%4d: %s - %s\n", id, device, product); + printf("%4d: %s %s - %s - %s\n", id, trusted ? "+" : "-", + device, product, description); device_count++; last_id = id; } diff --git a/src/libimcv/plugins/imv_attestation/build-database.sh b/src/libimcv/plugins/imv_attestation/build-database.sh index ca2939b49..0babb5366 100755 --- a/src/libimcv/plugins/imv_attestation/build-database.sh +++ b/src/libimcv/plugins/imv_attestation/build-database.sh @@ -2,7 +2,7 @@ p="Ubuntu 14.04 x86_64" a="x86_64-linux-gnu" -k="3.13.0-37-generic" +k="3.13.0-46-generic" for hash in sha1 sha256 do diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c index c39fe8d47..db93ac45f 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c @@ -69,7 +69,11 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state, /* Send DH nonce finish attribute */ selected_algorithm = pts->get_meas_algorithm(pts); - pts->get_my_public_value(pts, &initiator_value, &initiator_nonce); + if (!pts->get_my_public_value(pts, &initiator_value, + &initiator_nonce)) + { + return FALSE; + } attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm, initiator_value, initiator_nonce); attr->set_noskip_flag(attr, TRUE); diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c index 89a1f02cf..fbeb6618e 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c @@ -134,11 +134,11 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, } responder_value = attr_cast->get_responder_value(attr_cast); - pts->set_peer_public_value(pts, responder_value, - responder_nonce); /* Calculate secret assessment value */ - if (!pts->calculate_secret(pts)) + if (!pts->set_peer_public_value(pts, responder_value, + responder_nonce) || + !pts->calculate_secret(pts)) { return FALSE; } @@ -198,7 +198,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, e = pts_credmgr->create_trusted_enumerator(pts_credmgr, KEY_ANY, aik->get_issuer(aik), FALSE); - while (e->enumerate(e, &issuer)) + while (e->enumerate(e, &issuer, NULL)) { if (aik->issued_by(aik, issuer, NULL)) { diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in index 36e708fc9..ec3488992 100644 --- a/src/libimcv/plugins/imv_os/Makefile.in +++ b/src/libimcv/plugins/imv_os/Makefile.in @@ -232,6 +232,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in index 2677b339a..08abbf596 100644 --- a/src/libimcv/plugins/imv_scanner/Makefile.in +++ b/src/libimcv/plugins/imv_scanner/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_swid/Makefile.in b/src/libimcv/plugins/imv_swid/Makefile.in index 815722f9c..936bee86e 100644 --- a/src/libimcv/plugins/imv_swid/Makefile.in +++ b/src/libimcv/plugins/imv_swid/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in index 66da75a1e..8e0e22353 100644 --- a/src/libimcv/plugins/imv_test/Makefile.in +++ b/src/libimcv/plugins/imv_test/Makefile.in @@ -225,6 +225,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -285,10 +286,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -362,6 +365,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/pts/components/ita/ita_comp_tboot.c b/src/libimcv/pts/components/ita/ita_comp_tboot.c index 273c18f31..ce318ec84 100644 --- a/src/libimcv/pts/components/ita/ita_comp_tboot.c +++ b/src/libimcv/pts/components/ita/ita_comp_tboot.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -60,11 +60,6 @@ struct pts_ita_comp_tboot_t { */ int cid; - /** - * Primary key for AIK database entry - */ - int kid; - /** * Component is registering measurements */ @@ -243,7 +238,7 @@ METHOD(pts_component_t, verify, status_t, else { status = this->pts_db->check_comp_measurement(this->pts_db, - measurement, this->cid, this->kid, + measurement, this->cid, this->aik_id, ++this->seq_no, extended_pcr, algo); if (status != SUCCESS) { diff --git a/src/libimcv/pts/pts.c b/src/libimcv/pts/pts.c index 2fff4c901..1ca72098e 100644 --- a/src/libimcv/pts/pts.c +++ b/src/libimcv/pts/pts.c @@ -224,17 +224,24 @@ METHOD(pts_t, create_dh_nonce, bool, return TRUE; } -METHOD(pts_t, get_my_public_value, void, +METHOD(pts_t, get_my_public_value, bool, private_pts_t *this, chunk_t *value, chunk_t *nonce) { - this->dh->get_my_public_value(this->dh, value); + if (!this->dh->get_my_public_value(this->dh, value)) + { + return FALSE; + } *nonce = this->is_imc ? this->responder_nonce : this->initiator_nonce; + return TRUE; } -METHOD(pts_t, set_peer_public_value, void, +METHOD(pts_t, set_peer_public_value, bool, private_pts_t *this, chunk_t value, chunk_t nonce) { - this->dh->set_other_public_value(this->dh, value); + if (!this->dh->set_other_public_value(this->dh, value)) + { + return FALSE; + } nonce = chunk_clone(nonce); if (this->is_imc) @@ -245,6 +252,7 @@ METHOD(pts_t, set_peer_public_value, void, { this->responder_nonce = nonce; } + return TRUE; } METHOD(pts_t, calculate_secret, bool, @@ -264,7 +272,7 @@ METHOD(pts_t, calculate_secret, bool, DBG3(DBG_PTS, "responder nonce: %B", &this->responder_nonce); /* Calculate the DH secret */ - if (this->dh->get_shared_secret(this->dh, &shared_secret) != SUCCESS) + if (!this->dh->get_shared_secret(this->dh, &shared_secret)) { DBG1(DBG_PTS, "shared DH secret computation failed"); return FALSE; diff --git a/src/libimcv/pts/pts.h b/src/libimcv/pts/pts.h index be32a3464..d525306dd 100644 --- a/src/libimcv/pts/pts.h +++ b/src/libimcv/pts/pts.h @@ -143,16 +143,18 @@ struct pts_t { * * @param value My public DH value * @param nonce My DH nonce + * @return TRUE if public value retrieved successfully */ - void (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce); + bool (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce); /** * Set peer Diffie.Hellman public value * * @param value Peer public DH value * @param nonce Peer DH nonce + * @return TRUE if public value set successfully */ - void (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce); + bool (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce); /** * Calculates assessment secret to be used for TPM Quote as ExternalData diff --git a/src/libimcv/seg/seg_env.c b/src/libimcv/seg/seg_env.c index c47ce2934..f38419248 100644 --- a/src/libimcv/seg/seg_env.c +++ b/src/libimcv/seg/seg_env.c @@ -219,6 +219,7 @@ seg_env_t *seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr, if (max_seg_size < PA_TNC_ATTR_HEADER_SIZE || max_seg_size >= PA_TNC_ATTR_HEADER_SIZE + value.len) { + base_attr->destroy(base_attr); return NULL; } @@ -233,7 +234,7 @@ seg_env_t *seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr, .destroy = _destroy, }, .base_attr_id = base_attr_id, - .base_attr = base_attr->get_ref(base_attr), + .base_attr = base_attr, .max_seg_size = max_seg_size, .data = base_attr->get_value(base_attr), ); diff --git a/src/libimcv/seg/seg_env.h b/src/libimcv/seg/seg_env.h index 08d33d752..611f9a98a 100644 --- a/src/libimcv/seg/seg_env.h +++ b/src/libimcv/seg/seg_env.h @@ -98,7 +98,7 @@ struct seg_env_t { * Create a PA-TNC attribute segment envelope object * * @param base_attr_id Base Attribute ID - * @param base_attr Base Attribute to be segmented + * @param base_attr Base Attribute to be segmented, owned by seg_env_t * @param max_seg_size Maximum segment size */ seg_env_t* seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr, diff --git a/src/libimcv/suites/test_imcv_seg.c b/src/libimcv/suites/test_imcv_seg.c index 469b1110d..8b51eda05 100644 --- a/src/libimcv/suites/test_imcv_seg.c +++ b/src/libimcv/suites/test_imcv_seg.c @@ -64,10 +64,11 @@ START_TEST(test_imcv_seg_env) libimcv_init(FALSE); max_seg_size = seg_env_tests[_i].max_seg_size; last_seg_size = seg_env_tests[_i].last_seg_size; + base_attr = ita_attr_command_create(command); base_attr->build(base_attr); - seg_env = seg_env_create(id, base_attr, max_seg_size); + if (seg_env_tests[_i].next_segs == 0) { ck_assert(seg_env == NULL); @@ -156,7 +157,6 @@ START_TEST(test_imcv_seg_env) seg_env1->destroy(seg_env1); base_attr1->destroy(base_attr1); } - base_attr->destroy(base_attr); libimcv_deinit(); } END_TEST @@ -226,7 +226,6 @@ START_TEST(test_imcv_seg_env_special) /* cleanup */ attr->destroy(attr); seg_env->destroy(seg_env); - base_attr->destroy(base_attr); } END_TEST @@ -306,7 +305,8 @@ START_TEST(test_imcv_seg_contract) TRUE, issuer_id, FALSE); contract_r = seg_contract_create(msg_type, max_attr_size, max_seg_size, FALSE, issuer_id, TRUE); - attr = contract_r->first_segment(contract_r, base_attr_r); + attr = contract_r->first_segment(contract_r, + base_attr_r->get_ref(base_attr_r)); if (seg_env_tests[_i].next_segs == 0) { @@ -422,8 +422,8 @@ START_TEST(test_imcv_seg_contract_special) ck_assert(!oversize); /* get first segment of each base attribute */ - attr1_f = contract_r->first_segment(contract_r, base_attr1_r); - attr2_f = contract_r->first_segment(contract_r, base_attr2_r); + attr1_f = contract_r->first_segment(contract_r, base_attr1_r->get_ref(base_attr1_r)); + attr2_f = contract_r->first_segment(contract_r, base_attr2_r->get_ref(base_attr2_r)); ck_assert(attr1_f); ck_assert(attr2_f); seg_env_attr1 = (tcg_seg_attr_seg_env_t*)attr1_f; diff --git a/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c b/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c index 5b4cc273b..397882926 100644 --- a/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c +++ b/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c @@ -242,6 +242,8 @@ METHOD(pa_tnc_attr_t, process, status_t, this->count--; } + status = SUCCESS; + if (this->length != this->offset) { DBG1(DBG_TNC, "inconsistent length for %N/%N", pen_names, PEN_TCG, @@ -249,7 +251,6 @@ METHOD(pa_tnc_attr_t, process, status_t, *offset = this->offset; status = FAILED; } - status = SUCCESS; end: reader->destroy(reader); diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in index 3663cf825..a80d28ac6 100644 --- a/src/libipsec/Makefile.in +++ b/src/libipsec/Makefile.in @@ -266,6 +266,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -326,10 +327,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -403,6 +406,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c index 0998efa9d..21dbd5e89 100644 --- a/src/libipsec/ip_packet.c +++ b/src/libipsec/ip_packet.c @@ -443,7 +443,7 @@ ip_packet_t *ip_packet_create_from_data(host_t *src, host_t *dst, { struct ip6_hdr ip = { .ip6_flow = htonl(6), - .ip6_plen = htons(40 + data.len), + .ip6_plen = htons(data.len), .ip6_nxt = next_header, .ip6_hlim = 0x80, }; diff --git a/src/libipsec/ipsec_event_listener.h b/src/libipsec/ipsec_event_listener.h index c5c39b0f1..f15f6fe52 100644 --- a/src/libipsec/ipsec_event_listener.h +++ b/src/libipsec/ipsec_event_listener.h @@ -35,14 +35,12 @@ struct ipsec_event_listener_t { /** * Called when the lifetime of an IPsec SA expired * - * @param reqid reqid of the expired SA * @param protocol protocol of the expired SA * @param spi spi of the expired SA + * @param dst destination address of expired SA * @param hard TRUE if this is a hard expire, FALSE otherwise */ - void (*expire)(u_int32_t reqid, u_int8_t protocol, u_int32_t spi, - bool hard); - + void (*expire)(u_int8_t protocol, u_int32_t spi, host_t *dst, bool hard); }; #endif /** IPSEC_EVENT_LISTENER_H_ @}*/ diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c index c6b2a550d..048063053 100644 --- a/src/libipsec/ipsec_event_relay.c +++ b/src/libipsec/ipsec_event_relay.c @@ -65,23 +65,26 @@ typedef struct { } type; /** - * Reqid of the SA, if any + * Protocol of the SA */ - u_int32_t reqid; + u_int8_t protocol; /** * SPI of the SA, if any */ u_int32_t spi; + /** + * SA destination address + */ + host_t *dst; + /** * Additional data for specific event types */ union { struct { - /** Protocol of the SA */ - u_int8_t protocol; /** TRUE in case of a hard expire */ bool hard; } expire; @@ -90,6 +93,15 @@ typedef struct { } ipsec_event_t; +/** + * Destroy IPsec event data + */ +static void ipsec_event_destroy(ipsec_event_t *event) +{ + event->dst->destroy(event->dst); + free(event); +} + /** * Dequeue events and relay them to listeners */ @@ -110,31 +122,31 @@ static job_requeue_t handle_events(private_ipsec_event_relay_t *this) case IPSEC_EVENT_EXPIRE: if (current->expire) { - current->expire(event->reqid, event->data.expire.protocol, - event->spi, event->data.expire.hard); + current->expire(event->protocol, event->spi, event->dst, + event->data.expire.hard); } break; } } enumerator->destroy(enumerator); this->lock->unlock(this->lock); - free(event); + ipsec_event_destroy(event); return JOB_REQUEUE_DIRECT; } METHOD(ipsec_event_relay_t, expire, void, - private_ipsec_event_relay_t *this, u_int32_t reqid, u_int8_t protocol, - u_int32_t spi, bool hard) + private_ipsec_event_relay_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, bool hard) { ipsec_event_t *event; INIT(event, .type = IPSEC_EVENT_EXPIRE, - .reqid = reqid, + .protocol = protocol, .spi = spi, + .dst = dst->clone(dst), .data = { .expire = { - .protocol = protocol, .hard = hard, }, }, diff --git a/src/libipsec/ipsec_event_relay.h b/src/libipsec/ipsec_event_relay.h index c6935d546..1dddf121b 100644 --- a/src/libipsec/ipsec_event_relay.h +++ b/src/libipsec/ipsec_event_relay.h @@ -38,13 +38,13 @@ struct ipsec_event_relay_t { /** * Raise an expire event. * - * @param reqid reqid of the expired IPsec SA * @param protocol protocol (e.g ESP) of the expired SA * @param spi SPI of the expired SA + * @param dst destination address of expired SA * @param hard TRUE for a hard expire, FALSE otherwise */ - void (*expire)(ipsec_event_relay_t *this, u_int32_t reqid, - u_int8_t protocol, u_int32_t spi, bool hard); + void (*expire)(ipsec_event_relay_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, bool hard); /** * Register a listener to events raised by this manager diff --git a/src/libipsec/ipsec_sa.c b/src/libipsec/ipsec_sa.c index 6ec8bd25e..ccbbb1b3c 100644 --- a/src/libipsec/ipsec_sa.c +++ b/src/libipsec/ipsec_sa.c @@ -194,8 +194,8 @@ METHOD(ipsec_sa_t, expire, void, if (!this->hard_expired) { this->hard_expired = TRUE; - ipsec->events->expire(ipsec->events, this->reqid, this->protocol, - this->spi, TRUE); + ipsec->events->expire(ipsec->events, this->protocol, this->spi, + this->dst, TRUE); } } else @@ -203,8 +203,8 @@ METHOD(ipsec_sa_t, expire, void, if (!this->hard_expired && !this->soft_expired) { this->soft_expired = TRUE; - ipsec->events->expire(ipsec->events, this->reqid, this->protocol, - this->spi, FALSE); + ipsec->events->expire(ipsec->events, this->protocol, this->spi, + this->dst, FALSE); } } } @@ -275,8 +275,7 @@ ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst, u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, - u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts) + u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound) { private_ipsec_sa_t *this; diff --git a/src/libipsec/ipsec_sa.h b/src/libipsec/ipsec_sa.h index 5e69f18cf..8dad29ac5 100644 --- a/src/libipsec/ipsec_sa.h +++ b/src/libipsec/ipsec_sa.h @@ -197,8 +197,6 @@ struct ipsec_sa_t { * @param encap enable UDP encapsulation (must be TRUE) * @param esn Extended Sequence Numbers (currently not supported) * @param inbound TRUE if this is an inbound SA, FALSE otherwise - * @param src_ts source traffic selector - * @param dst_ts destination traffic selector * @return the IPsec SA, or NULL if the creation failed */ ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst, @@ -207,8 +205,6 @@ ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool encap, bool esn, bool inbound, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts); + bool encap, bool esn, bool inbound); #endif /** IPSEC_SA_H_ @}*/ diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c index 1db1776c0..07ffa9e4f 100644 --- a/src/libipsec/ipsec_sa_mgr.c +++ b/src/libipsec/ipsec_sa_mgr.c @@ -396,12 +396,10 @@ static bool allocate_spi(private_ipsec_sa_mgr_t *this, u_int32_t spi) METHOD(ipsec_sa_mgr_t, get_spi, status_t, private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, u_int8_t protocol, - u_int32_t reqid, u_int32_t *spi) + u_int32_t *spi) { u_int32_t spi_new; - DBG2(DBG_ESP, "allocating SPI for reqid {%u}", reqid); - this->mutex->lock(this->mutex); if (!this->rng) { @@ -420,7 +418,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t, (u_int8_t*)&spi_new)) { this->mutex->unlock(this->mutex); - DBG1(DBG_ESP, "failed to allocate SPI for reqid {%u}", reqid); + DBG1(DBG_ESP, "failed to allocate SPI"); return FAILED; } /* make sure the SPI is valid (not in range 0-255) */ @@ -432,7 +430,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t, *spi = spi_new; - DBG2(DBG_ESP, "allocated SPI %.8x for reqid {%u}", ntohl(*spi), reqid); + DBG2(DBG_ESP, "allocated SPI %.8x", ntohl(*spi)); return SUCCESS; } @@ -442,7 +440,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts) + bool update) { ipsec_sa_entry_t *entry; ipsec_sa_t *sa_new; @@ -456,7 +454,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t, sa_new = ipsec_sa_create(spi, src, dst, protocol, reqid, mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode, - ipcomp, cpi, encap, esn, inbound, src_ts, dst_ts); + ipcomp, cpi, encap, esn, inbound); if (!sa_new) { DBG1(DBG_ESP, "failed to create SAD entry"); @@ -465,7 +463,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t, this->mutex->lock(this->mutex); - if (inbound) + if (update) { /* remove any pre-allocated SPIs */ u_int32_t *spi_alloc; diff --git a/src/libipsec/ipsec_sa_mgr.h b/src/libipsec/ipsec_sa_mgr.h index 8c234cefa..a57eab4e7 100644 --- a/src/libipsec/ipsec_sa_mgr.h +++ b/src/libipsec/ipsec_sa_mgr.h @@ -45,12 +45,11 @@ struct ipsec_sa_mgr_t { * @param src source address of the SA * @param dst destination address of the SA * @param protocol protocol of the SA (only ESP supported) - * @param reqid reqid for the SA * @param spi the allocated SPI * @return SUCCESS of operation successful */ status_t (*get_spi)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t reqid, u_int32_t *spi); + u_int8_t protocol, u_int32_t *spi); /** * Add a new SA @@ -74,8 +73,7 @@ struct ipsec_sa_mgr_t { * @param encap enable UDP encapsulation (must be TRUE) * @param esn Extended Sequence Numbers (currently not supported) * @param inbound TRUE if this is an inbound SA, FALSE otherwise - * @param src_ts source traffic selector - * @param dst_ts destination traffic selector + * @param update TRUE if an SPI has already been allocated for SA * @return SUCCESS if operation completed */ status_t (*add_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst, @@ -84,8 +82,7 @@ struct ipsec_sa_mgr_t { u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn, - bool inbound, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts); + bool inbound, bool update); /** * Update the hosts on an installed SA. diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in index 74cd8084a..96d1ae4aa 100644 --- a/src/libpttls/Makefile.in +++ b/src/libpttls/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in index faaae70fe..5dd8ac56b 100644 --- a/src/libradius/Makefile.in +++ b/src/libradius/Makefile.in @@ -222,6 +222,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -282,10 +283,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -359,6 +362,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libradius/radius_socket.c b/src/libradius/radius_socket.c index f432151c0..fe9cf3c01 100644 --- a/src/libradius/radius_socket.c +++ b/src/libradius/radius_socket.c @@ -129,7 +129,7 @@ METHOD(radius_socket_t, request, radius_message_t*, private_radius_socket_t *this, radius_message_t *request) { chunk_t data; - int i, *fd; + int i, *fd, retransmit = 0; u_int16_t port; rng_t *rng = NULL; @@ -166,64 +166,59 @@ METHOD(radius_socket_t, request, radius_message_t*, for (i = 2; i <= 5; i++) { radius_message_t *response; - bool retransmit = FALSE; - struct timeval tv; char buf[4096]; - fd_set fds; int res; + struct pollfd pfd = { + .fd = *fd, + .events = POLLIN, + }; + if (retransmit) + { + DBG1(DBG_CFG, "retransmitting RADIUS %N (attempt %d)", + radius_message_code_names, request->get_code(request), + retransmit); + } if (send(*fd, data.ptr, data.len, 0) != data.len) { DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno)); return NULL; } - tv.tv_sec = i; - tv.tv_usec = 0; - - while (TRUE) + res = poll(&pfd, 1, i * 1000); + if (res < 0) { - FD_ZERO(&fds); - FD_SET(*fd, &fds); - res = select((*fd) + 1, &fds, NULL, NULL, &tv); - /* TODO: updated tv to time not waited. Linux does this for us. */ - if (res < 0) - { /* failed */ - DBG1(DBG_CFG, "waiting for RADIUS message failed: %s", - strerror(errno)); - break; - } - if (res == 0) - { /* timeout */ - DBG1(DBG_CFG, "retransmitting RADIUS message"); - retransmit = TRUE; - break; - } - res = recv(*fd, buf, sizeof(buf), MSG_DONTWAIT); - if (res <= 0) - { - DBG1(DBG_CFG, "receiving RADIUS message failed: %s", - strerror(errno)); - break; - } - response = radius_message_parse(chunk_create(buf, res)); - if (response) - { - if (response->verify(response, - request->get_authenticator(request), this->secret, - this->hasher, this->signer)) - { - return response; - } - response->destroy(response); - } - DBG1(DBG_CFG, "received invalid RADIUS message, ignored"); + DBG1(DBG_CFG, "waiting for RADIUS message failed: %s", + strerror(errno)); + return NULL; + } + if (res == 0) + { /* timeout */ + retransmit++; + continue; } - if (!retransmit) + res = recv(*fd, buf, sizeof(buf), MSG_DONTWAIT); + if (res <= 0) { - break; + DBG1(DBG_CFG, "receiving RADIUS message failed: %s", + strerror(errno)); + return NULL; } + response = radius_message_parse(chunk_create(buf, res)); + if (response) + { + if (response->verify(response, + request->get_authenticator(request), this->secret, + this->hasher, this->signer)) + { + return response; + } + response->destroy(response); + } + DBG1(DBG_CFG, "received invalid RADIUS message, ignored"); + return NULL; } - DBG1(DBG_CFG, "RADIUS server is not responding"); + DBG1(DBG_CFG, "RADIUS %N timed out after %d retransmits", + radius_message_code_names, request->get_code(request), retransmit - 1); return NULL; } diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in index a16991927..79962d3bd 100644 --- a/src/libsimaka/Makefile.in +++ b/src/libsimaka/Makefile.in @@ -222,6 +222,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -282,10 +283,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -359,6 +362,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index 9b775f9b3..2a8894b0e 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -8,12 +8,14 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \ collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \ collections/array.c \ collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \ +crypto/hashers/hash_algorithm_set.c \ crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \ crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \ crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \ crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \ +crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ credentials/keys/public_key.c credentials/keys/shared_key.c \ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 0083ffe6b..fbc752687 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -6,12 +6,14 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \ collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \ collections/array.c \ collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \ +crypto/hashers/hash_algorithm_set.c \ crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \ crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \ crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \ crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \ +crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ credentials/keys/public_key.c credentials/keys/shared_key.c \ @@ -60,13 +62,15 @@ library.h \ asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \ collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \ collections/linked_list.h collections/array.h collections/dictionary.h \ -crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \ +crypto/crypters/crypter.h crypto/hashers/hasher.h \ +crypto/hashers/hash_algorithm_set.h crypto/mac.h \ crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \ crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \ crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \ crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \ crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \ crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \ +crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \ credentials/credential_factory.h credentials/builder.h \ credentials/cred_encoding.h credentials/keys/private_key.h \ credentials/keys/public_key.h credentials/keys/shared_key.h \ @@ -101,8 +105,8 @@ utils/utils.h utils/chunk.h utils/debug.h utils/enum.h utils/identification.h \ utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \ utils/leak_detective.h utils/printf_hook/printf_hook.h \ utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \ -utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/windows.h \ -utils/process.h utils/utils/strerror.h +utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \ +utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h endif library.lo : $(top_builddir)/config.status @@ -133,7 +137,7 @@ if USE_WINDOWS threading/windows/rwlock.c \ threading/windows/spinlock.c \ threading/windows/semaphore.c \ - utils/windows.c + utils/compat/windows.c else libstrongswan_la_LIBADD += $(PTHREADLIB) endif @@ -425,6 +429,13 @@ if MONOLITHIC endif endif +if USE_FILES + SUBDIRS += plugins/files +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/files/libstrongswan-files.la +endif +endif + if USE_WINHTTP SUBDIRS += plugins/winhttp if MONOLITHIC @@ -544,6 +555,13 @@ if MONOLITHIC endif endif +if USE_BLISS + SUBDIRS += plugins/bliss +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/bliss/libstrongswan-bliss.la +endif +endif + if USE_TEST_VECTORS SUBDIRS += plugins/test_vectors if MONOLITHIC @@ -555,3 +573,6 @@ if MONOLITHIC SUBDIRS += . endif SUBDIRS += tests +if USE_BLISS + SUBDIRS += plugins/bliss/tests +endif diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 40678cbde..99b18a757 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -97,7 +97,7 @@ host_triplet = @host@ @USE_WINDOWS_TRUE@ threading/windows/rwlock.c \ @USE_WINDOWS_TRUE@ threading/windows/spinlock.c \ @USE_WINDOWS_TRUE@ threading/windows/semaphore.c \ -@USE_WINDOWS_TRUE@ utils/windows.c +@USE_WINDOWS_TRUE@ utils/compat/windows.c @USE_WINDOWS_FALSE@am__append_4 = $(PTHREADLIB) @USE_DBGHELP_TRUE@am__append_5 = -ldbghelp @@ -173,42 +173,47 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_75 = plugins/pem/libstrongswan-pem.la @USE_CURL_TRUE@am__append_76 = plugins/curl @MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_77 = plugins/curl/libstrongswan-curl.la -@USE_WINHTTP_TRUE@am__append_78 = plugins/winhttp -@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_79 = plugins/winhttp/libstrongswan-winhttp.la -@USE_UNBOUND_TRUE@am__append_80 = plugins/unbound -@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_81 = plugins/unbound/libstrongswan-unbound.la -@USE_SOUP_TRUE@am__append_82 = plugins/soup -@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_83 = plugins/soup/libstrongswan-soup.la -@USE_LDAP_TRUE@am__append_84 = plugins/ldap -@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_85 = plugins/ldap/libstrongswan-ldap.la -@USE_MYSQL_TRUE@am__append_86 = plugins/mysql -@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_87 = plugins/mysql/libstrongswan-mysql.la -@USE_SQLITE_TRUE@am__append_88 = plugins/sqlite -@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_89 = plugins/sqlite/libstrongswan-sqlite.la -@USE_PADLOCK_TRUE@am__append_90 = plugins/padlock -@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_91 = plugins/padlock/libstrongswan-padlock.la -@USE_OPENSSL_TRUE@am__append_92 = plugins/openssl -@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_93 = plugins/openssl/libstrongswan-openssl.la -@USE_GCRYPT_TRUE@am__append_94 = plugins/gcrypt -@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_95 = plugins/gcrypt/libstrongswan-gcrypt.la -@USE_FIPS_PRF_TRUE@am__append_96 = plugins/fips_prf -@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_97 = plugins/fips_prf/libstrongswan-fips-prf.la -@USE_AGENT_TRUE@am__append_98 = plugins/agent -@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_99 = plugins/agent/libstrongswan-agent.la -@USE_KEYCHAIN_TRUE@am__append_100 = plugins/keychain -@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_101 = plugins/keychain/libstrongswan-keychain.la -@USE_PKCS11_TRUE@am__append_102 = plugins/pkcs11 -@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_103 = plugins/pkcs11/libstrongswan-pkcs11.la -@USE_CTR_TRUE@am__append_104 = plugins/ctr -@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_105 = plugins/ctr/libstrongswan-ctr.la -@USE_CCM_TRUE@am__append_106 = plugins/ccm -@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_107 = plugins/ccm/libstrongswan-ccm.la -@USE_GCM_TRUE@am__append_108 = plugins/gcm -@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_109 = plugins/gcm/libstrongswan-gcm.la -@USE_NTRU_TRUE@am__append_110 = plugins/ntru -@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_111 = plugins/ntru/libstrongswan-ntru.la -@USE_TEST_VECTORS_TRUE@am__append_112 = plugins/test_vectors -@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_113 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_FILES_TRUE@am__append_78 = plugins/files +@MONOLITHIC_TRUE@@USE_FILES_TRUE@am__append_79 = plugins/files/libstrongswan-files.la +@USE_WINHTTP_TRUE@am__append_80 = plugins/winhttp +@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_81 = plugins/winhttp/libstrongswan-winhttp.la +@USE_UNBOUND_TRUE@am__append_82 = plugins/unbound +@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_83 = plugins/unbound/libstrongswan-unbound.la +@USE_SOUP_TRUE@am__append_84 = plugins/soup +@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_85 = plugins/soup/libstrongswan-soup.la +@USE_LDAP_TRUE@am__append_86 = plugins/ldap +@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_87 = plugins/ldap/libstrongswan-ldap.la +@USE_MYSQL_TRUE@am__append_88 = plugins/mysql +@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_89 = plugins/mysql/libstrongswan-mysql.la +@USE_SQLITE_TRUE@am__append_90 = plugins/sqlite +@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_91 = plugins/sqlite/libstrongswan-sqlite.la +@USE_PADLOCK_TRUE@am__append_92 = plugins/padlock +@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_93 = plugins/padlock/libstrongswan-padlock.la +@USE_OPENSSL_TRUE@am__append_94 = plugins/openssl +@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_95 = plugins/openssl/libstrongswan-openssl.la +@USE_GCRYPT_TRUE@am__append_96 = plugins/gcrypt +@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_97 = plugins/gcrypt/libstrongswan-gcrypt.la +@USE_FIPS_PRF_TRUE@am__append_98 = plugins/fips_prf +@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_99 = plugins/fips_prf/libstrongswan-fips-prf.la +@USE_AGENT_TRUE@am__append_100 = plugins/agent +@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_101 = plugins/agent/libstrongswan-agent.la +@USE_KEYCHAIN_TRUE@am__append_102 = plugins/keychain +@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_103 = plugins/keychain/libstrongswan-keychain.la +@USE_PKCS11_TRUE@am__append_104 = plugins/pkcs11 +@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_105 = plugins/pkcs11/libstrongswan-pkcs11.la +@USE_CTR_TRUE@am__append_106 = plugins/ctr +@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_107 = plugins/ctr/libstrongswan-ctr.la +@USE_CCM_TRUE@am__append_108 = plugins/ccm +@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_109 = plugins/ccm/libstrongswan-ccm.la +@USE_GCM_TRUE@am__append_110 = plugins/gcm +@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_111 = plugins/gcm/libstrongswan-gcm.la +@USE_NTRU_TRUE@am__append_112 = plugins/ntru +@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_113 = plugins/ntru/libstrongswan-ntru.la +@USE_BLISS_TRUE@am__append_114 = plugins/bliss +@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_115 = plugins/bliss/libstrongswan-bliss.la +@USE_TEST_VECTORS_TRUE@am__append_116 = plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_117 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_BLISS_TRUE@am__append_118 = plugins/bliss/tests subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ settings/settings_parser.h settings/settings_parser.c \ @@ -287,13 +292,14 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_95) $(am__append_97) $(am__append_99) \ $(am__append_101) $(am__append_103) $(am__append_105) \ $(am__append_107) $(am__append_109) $(am__append_111) \ - $(am__append_113) + $(am__append_113) $(am__append_115) $(am__append_117) am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \ bio/bio_writer.c collections/blocking_queue.c \ collections/enumerator.c collections/hashtable.c \ collections/array.c collections/linked_list.c \ crypto/crypters/crypter.c crypto/hashers/hasher.c \ + crypto/hashers/hash_algorithm_set.c \ crypto/proposal/proposal_keywords.c \ crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \ crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \ @@ -301,7 +307,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c \ crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \ crypto/transform.c crypto/iv/iv_gen_rand.c \ - crypto/iv/iv_gen_seq.c credentials/credential_factory.c \ + crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \ + crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \ credentials/builder.c credentials/cred_encoding.c \ credentials/keys/private_key.c credentials/keys/public_key.c \ credentials/keys/shared_key.c \ @@ -342,7 +349,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ threading/windows/thread.c threading/windows/thread_value.c \ threading/windows/mutex.c threading/windows/rwlock.c \ threading/windows/spinlock.c threading/windows/semaphore.c \ - utils/windows.c utils/leak_detective.c \ + utils/compat/windows.c utils/leak_detective.c \ utils/integrity_checker.c utils/printf_hook/printf_hook_vstr.c \ utils/printf_hook/printf_hook_builtin.c \ utils/printf_hook/printf_hook_glibc.c @@ -360,7 +367,7 @@ am__dirstamp = $(am__leading_dot)dirstamp @USE_WINDOWS_TRUE@ threading/windows/rwlock.lo \ @USE_WINDOWS_TRUE@ threading/windows/spinlock.lo \ @USE_WINDOWS_TRUE@ threading/windows/semaphore.lo \ -@USE_WINDOWS_TRUE@ utils/windows.lo +@USE_WINDOWS_TRUE@ utils/compat/windows.lo @USE_LEAK_DETECTIVE_TRUE@am__objects_3 = utils/leak_detective.lo @USE_INTEGRITY_TEST_TRUE@am__objects_4 = utils/integrity_checker.lo @USE_VSTR_TRUE@am__objects_5 = utils/printf_hook/printf_hook_vstr.lo @@ -372,6 +379,7 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ collections/enumerator.lo collections/hashtable.lo \ collections/array.lo collections/linked_list.lo \ crypto/crypters/crypter.lo crypto/hashers/hasher.lo \ + crypto/hashers/hash_algorithm_set.lo \ crypto/proposal/proposal_keywords.lo \ crypto/proposal/proposal_keywords_static.lo crypto/prfs/prf.lo \ crypto/prfs/mac_prf.lo crypto/pkcs5.lo crypto/rngs/rng.lo \ @@ -379,10 +387,11 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ crypto/signers/mac_signer.lo crypto/crypto_factory.lo \ crypto/crypto_tester.lo crypto/diffie_hellman.lo \ crypto/aead.lo crypto/transform.lo crypto/iv/iv_gen_rand.lo \ - crypto/iv/iv_gen_seq.lo credentials/credential_factory.lo \ - credentials/builder.lo credentials/cred_encoding.lo \ - credentials/keys/private_key.lo credentials/keys/public_key.lo \ - credentials/keys/shared_key.lo \ + crypto/iv/iv_gen_seq.lo crypto/mgf1/mgf1.lo \ + crypto/mgf1/mgf1_bitspender.lo \ + credentials/credential_factory.lo credentials/builder.lo \ + credentials/cred_encoding.lo credentials/keys/private_key.lo \ + credentials/keys/public_key.lo credentials/keys/shared_key.lo \ credentials/certificates/certificate.lo \ credentials/certificates/crl.lo \ credentials/certificates/ocsp_response.lo \ @@ -493,8 +502,8 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ collections/enumerator.h collections/hashtable.h \ collections/linked_list.h collections/array.h \ collections/dictionary.h crypto/crypters/crypter.h \ - crypto/hashers/hasher.h crypto/mac.h \ - crypto/proposal/proposal_keywords.h \ + crypto/hashers/hasher.h crypto/hashers/hash_algorithm_set.h \ + crypto/mac.h crypto/proposal/proposal_keywords.h \ crypto/proposal/proposal_keywords_static.h crypto/prfs/prf.h \ crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \ crypto/prf_plus.h crypto/signers/signer.h \ @@ -502,6 +511,7 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ crypto/crypto_tester.h crypto/diffie_hellman.h crypto/aead.h \ crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \ crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \ + crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \ credentials/credential_factory.h credentials/builder.h \ credentials/cred_encoding.h credentials/keys/private_key.h \ credentials/keys/public_key.h credentials/keys/shared_key.h \ @@ -548,8 +558,9 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ utils/printf_hook/printf_hook.h \ utils/printf_hook/printf_hook_vstr.h \ utils/printf_hook/printf_hook_builtin.h utils/parser_helper.h \ - utils/test.h utils/integrity_checker.h utils/windows.h \ - utils/process.h utils/utils/strerror.h + utils/test.h utils/integrity_checker.h utils/process.h \ + utils/utils/strerror.h utils/compat/windows.h \ + utils/compat/apple.h HEADERS = $(nobase_strongswan_include_HEADERS) $(noinst_HEADERS) RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive @@ -586,11 +597,12 @@ DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \ plugins/constraints plugins/acert plugins/pubkey plugins/pkcs1 \ plugins/pkcs7 plugins/pkcs8 plugins/pkcs12 plugins/pgp \ plugins/dnskey plugins/sshkey plugins/pem plugins/curl \ - plugins/winhttp plugins/unbound plugins/soup plugins/ldap \ - plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \ - plugins/gcrypt plugins/fips_prf plugins/agent plugins/keychain \ - plugins/pkcs11 plugins/ctr plugins/ccm plugins/gcm \ - plugins/ntru plugins/test_vectors tests + plugins/files plugins/winhttp plugins/unbound plugins/soup \ + plugins/ldap plugins/mysql plugins/sqlite plugins/padlock \ + plugins/openssl plugins/gcrypt plugins/fips_prf plugins/agent \ + plugins/keychain plugins/pkcs11 plugins/ctr plugins/ccm \ + plugins/gcm plugins/ntru plugins/bliss plugins/test_vectors \ + tests plugins/bliss/tests DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -642,6 +654,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -702,10 +715,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -779,6 +794,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -843,14 +860,16 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ collections/blocking_queue.c collections/enumerator.c \ collections/hashtable.c collections/array.c \ collections/linked_list.c crypto/crypters/crypter.c \ - crypto/hashers/hasher.c crypto/proposal/proposal_keywords.c \ + crypto/hashers/hasher.c crypto/hashers/hash_algorithm_set.c \ + crypto/proposal/proposal_keywords.c \ crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \ crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \ crypto/prf_plus.c crypto/signers/signer.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c \ crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \ crypto/transform.c crypto/iv/iv_gen_rand.c \ - crypto/iv/iv_gen_seq.c credentials/credential_factory.c \ + crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \ + crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \ credentials/builder.c credentials/cred_encoding.c \ credentials/keys/private_key.c credentials/keys/public_key.c \ credentials/keys/shared_key.c \ @@ -898,13 +917,15 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \ @USE_DEV_HEADERS_TRUE@collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \ @USE_DEV_HEADERS_TRUE@collections/linked_list.h collections/array.h collections/dictionary.h \ -@USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \ +@USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h \ +@USE_DEV_HEADERS_TRUE@crypto/hashers/hash_algorithm_set.h crypto/mac.h \ @USE_DEV_HEADERS_TRUE@crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \ @USE_DEV_HEADERS_TRUE@crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \ @USE_DEV_HEADERS_TRUE@crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \ @USE_DEV_HEADERS_TRUE@crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \ @USE_DEV_HEADERS_TRUE@crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \ @USE_DEV_HEADERS_TRUE@crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \ +@USE_DEV_HEADERS_TRUE@crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \ @USE_DEV_HEADERS_TRUE@credentials/credential_factory.h credentials/builder.h \ @USE_DEV_HEADERS_TRUE@credentials/cred_encoding.h credentials/keys/private_key.h \ @USE_DEV_HEADERS_TRUE@credentials/keys/public_key.h credentials/keys/shared_key.h \ @@ -939,8 +960,8 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \ @USE_DEV_HEADERS_TRUE@utils/leak_detective.h utils/printf_hook/printf_hook.h \ @USE_DEV_HEADERS_TRUE@utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \ -@USE_DEV_HEADERS_TRUE@utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/windows.h \ -@USE_DEV_HEADERS_TRUE@utils/process.h utils/utils/strerror.h +@USE_DEV_HEADERS_TRUE@utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \ +@USE_DEV_HEADERS_TRUE@utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h libstrongswan_la_LIBADD = $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) \ $(BFDLIB) $(UNWINDLIB) $(am__append_2) $(am__append_4) \ @@ -961,7 +982,7 @@ libstrongswan_la_LIBADD = $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) \ $(am__append_95) $(am__append_97) $(am__append_99) \ $(am__append_101) $(am__append_103) $(am__append_105) \ $(am__append_107) $(am__append_109) $(am__append_111) \ - $(am__append_113) + $(am__append_113) $(am__append_115) $(am__append_117) AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \ -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \ -DPLUGINDIR=\"${plugindir}\" \ @@ -1011,7 +1032,9 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c @MONOLITHIC_FALSE@ $(am__append_98) $(am__append_100) \ @MONOLITHIC_FALSE@ $(am__append_102) $(am__append_104) \ @MONOLITHIC_FALSE@ $(am__append_106) $(am__append_108) \ -@MONOLITHIC_FALSE@ $(am__append_110) $(am__append_112) tests +@MONOLITHIC_FALSE@ $(am__append_110) $(am__append_112) \ +@MONOLITHIC_FALSE@ $(am__append_114) $(am__append_116) tests \ +@MONOLITHIC_FALSE@ $(am__append_118) # build plugins with their own Makefile ####################################### @@ -1038,7 +1061,9 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c @MONOLITHIC_TRUE@ $(am__append_98) $(am__append_100) \ @MONOLITHIC_TRUE@ $(am__append_102) $(am__append_104) \ @MONOLITHIC_TRUE@ $(am__append_106) $(am__append_108) \ -@MONOLITHIC_TRUE@ $(am__append_110) $(am__append_112) . tests +@MONOLITHIC_TRUE@ $(am__append_110) $(am__append_112) \ +@MONOLITHIC_TRUE@ $(am__append_114) $(am__append_116) . tests \ +@MONOLITHIC_TRUE@ $(am__append_118) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -1159,6 +1184,8 @@ crypto/hashers/$(DEPDIR)/$(am__dirstamp): @: > crypto/hashers/$(DEPDIR)/$(am__dirstamp) crypto/hashers/hasher.lo: crypto/hashers/$(am__dirstamp) \ crypto/hashers/$(DEPDIR)/$(am__dirstamp) +crypto/hashers/hash_algorithm_set.lo: crypto/hashers/$(am__dirstamp) \ + crypto/hashers/$(DEPDIR)/$(am__dirstamp) crypto/proposal/$(am__dirstamp): @$(MKDIR_P) crypto/proposal @: > crypto/proposal/$(am__dirstamp) @@ -1228,6 +1255,16 @@ crypto/iv/iv_gen_rand.lo: crypto/iv/$(am__dirstamp) \ crypto/iv/$(DEPDIR)/$(am__dirstamp) crypto/iv/iv_gen_seq.lo: crypto/iv/$(am__dirstamp) \ crypto/iv/$(DEPDIR)/$(am__dirstamp) +crypto/mgf1/$(am__dirstamp): + @$(MKDIR_P) crypto/mgf1 + @: > crypto/mgf1/$(am__dirstamp) +crypto/mgf1/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) crypto/mgf1/$(DEPDIR) + @: > crypto/mgf1/$(DEPDIR)/$(am__dirstamp) +crypto/mgf1/mgf1.lo: crypto/mgf1/$(am__dirstamp) \ + crypto/mgf1/$(DEPDIR)/$(am__dirstamp) +crypto/mgf1/mgf1_bitspender.lo: crypto/mgf1/$(am__dirstamp) \ + crypto/mgf1/$(DEPDIR)/$(am__dirstamp) credentials/$(am__dirstamp): @$(MKDIR_P) credentials @: > credentials/$(am__dirstamp) @@ -1517,8 +1554,14 @@ threading/windows/spinlock.lo: threading/windows/$(am__dirstamp) \ threading/windows/$(DEPDIR)/$(am__dirstamp) threading/windows/semaphore.lo: threading/windows/$(am__dirstamp) \ threading/windows/$(DEPDIR)/$(am__dirstamp) -utils/windows.lo: utils/$(am__dirstamp) \ - utils/$(DEPDIR)/$(am__dirstamp) +utils/compat/$(am__dirstamp): + @$(MKDIR_P) utils/compat + @: > utils/compat/$(am__dirstamp) +utils/compat/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) utils/compat/$(DEPDIR) + @: > utils/compat/$(DEPDIR)/$(am__dirstamp) +utils/compat/windows.lo: utils/compat/$(am__dirstamp) \ + utils/compat/$(DEPDIR)/$(am__dirstamp) utils/leak_detective.lo: utils/$(am__dirstamp) \ utils/$(DEPDIR)/$(am__dirstamp) utils/integrity_checker.lo: utils/$(am__dirstamp) \ @@ -1568,6 +1611,8 @@ mostlyclean-compile: -rm -f crypto/hashers/*.lo -rm -f crypto/iv/*.$(OBJEXT) -rm -f crypto/iv/*.lo + -rm -f crypto/mgf1/*.$(OBJEXT) + -rm -f crypto/mgf1/*.lo -rm -f crypto/prfs/*.$(OBJEXT) -rm -f crypto/prfs/*.lo -rm -f crypto/proposal/*.$(OBJEXT) @@ -1608,6 +1653,8 @@ mostlyclean-compile: -rm -f threading/windows/*.lo -rm -f utils/*.$(OBJEXT) -rm -f utils/*.lo + -rm -f utils/compat/*.$(OBJEXT) + -rm -f utils/compat/*.lo -rm -f utils/printf_hook/*.$(OBJEXT) -rm -f utils/printf_hook/*.lo -rm -f utils/utils/*.$(OBJEXT) @@ -1653,9 +1700,12 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@crypto/$(DEPDIR)/prf_plus.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/$(DEPDIR)/transform.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/crypters/$(DEPDIR)/crypter.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@crypto/hashers/$(DEPDIR)/hash_algorithm_set.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/hashers/$(DEPDIR)/hasher.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_rand.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_seq.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@crypto/mgf1/$(DEPDIR)/mgf1.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@crypto/mgf1/$(DEPDIR)/mgf1_bitspender.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/mac_prf.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/prf.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal_keywords.Plo@am__quote@ @@ -1721,7 +1771,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/process.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/test.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/utils.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/windows.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/compat/$(DEPDIR)/windows.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_builtin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_glibc.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_vstr.Plo@am__quote@ @@ -1774,6 +1824,7 @@ clean-libtool: -rm -rf crypto/crypters/.libs crypto/crypters/_libs -rm -rf crypto/hashers/.libs crypto/hashers/_libs -rm -rf crypto/iv/.libs crypto/iv/_libs + -rm -rf crypto/mgf1/.libs crypto/mgf1/_libs -rm -rf crypto/prfs/.libs crypto/prfs/_libs -rm -rf crypto/proposal/.libs crypto/proposal/_libs -rm -rf crypto/rngs/.libs crypto/rngs/_libs @@ -1794,6 +1845,7 @@ clean-libtool: -rm -rf threading/.libs threading/_libs -rm -rf threading/windows/.libs threading/windows/_libs -rm -rf utils/.libs utils/_libs + -rm -rf utils/compat/.libs utils/compat/_libs -rm -rf utils/printf_hook/.libs utils/printf_hook/_libs -rm -rf utils/utils/.libs utils/utils/_libs install-nobase_strongswan_includeHEADERS: $(nobase_strongswan_include_HEADERS) @@ -2035,6 +2087,8 @@ distclean-generic: -rm -f crypto/hashers/$(am__dirstamp) -rm -f crypto/iv/$(DEPDIR)/$(am__dirstamp) -rm -f crypto/iv/$(am__dirstamp) + -rm -f crypto/mgf1/$(DEPDIR)/$(am__dirstamp) + -rm -f crypto/mgf1/$(am__dirstamp) -rm -f crypto/prfs/$(DEPDIR)/$(am__dirstamp) -rm -f crypto/prfs/$(am__dirstamp) -rm -f crypto/proposal/$(DEPDIR)/$(am__dirstamp) @@ -2075,6 +2129,8 @@ distclean-generic: -rm -f threading/windows/$(am__dirstamp) -rm -f utils/$(DEPDIR)/$(am__dirstamp) -rm -f utils/$(am__dirstamp) + -rm -f utils/compat/$(DEPDIR)/$(am__dirstamp) + -rm -f utils/compat/$(am__dirstamp) -rm -f utils/printf_hook/$(DEPDIR)/$(am__dirstamp) -rm -f utils/printf_hook/$(am__dirstamp) -rm -f utils/utils/$(DEPDIR)/$(am__dirstamp) @@ -2094,7 +2150,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-recursive - -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) settings/$(DEPDIR) threading/$(DEPDIR) threading/windows/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR) + -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/mgf1/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) settings/$(DEPDIR) threading/$(DEPDIR) threading/windows/$(DEPDIR) utils/$(DEPDIR) utils/compat/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -2141,7 +2197,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive - -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) settings/$(DEPDIR) threading/$(DEPDIR) threading/windows/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR) + -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/mgf1/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) settings/$(DEPDIR) threading/$(DEPDIR) threading/windows/$(DEPDIR) utils/$(DEPDIR) utils/compat/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index b479b0f4b..a750f7fcb 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -199,12 +199,12 @@ const oid_t oid_names[] = { { 0x02, 187, 0, 7, "ecdsa-with-SHA256" }, /* 186 */ { 0x03, 188, 0, 7, "ecdsa-with-SHA384" }, /* 187 */ { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 188 */ - {0x2B, 391, 1, 0, "" }, /* 189 */ - { 0x06, 305, 1, 1, "dod" }, /* 190 */ + {0x2B, 413, 1, 0, "" }, /* 189 */ + { 0x06, 327, 1, 1, "dod" }, /* 190 */ { 0x01, 0, 1, 2, "internet" }, /* 191 */ - { 0x04, 256, 1, 3, "private" }, /* 192 */ + { 0x04, 278, 1, 3, "private" }, /* 192 */ { 0x01, 0, 1, 4, "enterprise" }, /* 193 */ - { 0x82, 210, 1, 5, "" }, /* 194 */ + { 0x82, 228, 1, 5, "" }, /* 194 */ { 0x37, 207, 1, 6, "Microsoft" }, /* 195 */ { 0x0A, 200, 1, 7, "" }, /* 196 */ { 0x03, 0, 1, 8, "" }, /* 197 */ @@ -219,248 +219,270 @@ const oid_t oid_names[] = { { 0x0A, 0, 0, 8, "msApplicationCertPolicies" }, /* 206 */ { 0xA0, 0, 1, 6, "" }, /* 207 */ { 0x2A, 0, 1, 7, "ITA" }, /* 208 */ - { 0x01, 0, 0, 8, "strongSwan" }, /* 209 */ - { 0x89, 217, 1, 5, "" }, /* 210 */ - { 0x31, 0, 1, 6, "" }, /* 211 */ - { 0x01, 0, 1, 7, "" }, /* 212 */ - { 0x01, 0, 1, 8, "" }, /* 213 */ - { 0x02, 0, 1, 9, "" }, /* 214 */ - { 0x02, 0, 1, 10, "" }, /* 215 */ - { 0x4B, 0, 0, 11, "TCGID" }, /* 216 */ - { 0xC1, 0, 1, 5, "" }, /* 217 */ - { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 218 */ - { 0x01, 0, 1, 7, "eess" }, /* 219 */ - { 0x01, 0, 1, 8, "eess1" }, /* 220 */ - { 0x01, 225, 1, 9, "eess1-algs" }, /* 221 */ - { 0x01, 223, 0, 10, "ntru-EESS1v1-SVES" }, /* 222 */ - { 0x02, 224, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 223 */ - { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 224 */ - { 0x02, 255, 1, 9, "eess1-params" }, /* 225 */ - { 0x01, 227, 0, 10, "ees251ep1" }, /* 226 */ - { 0x02, 228, 0, 10, "ees347ep1" }, /* 227 */ - { 0x03, 229, 0, 10, "ees503ep1" }, /* 228 */ - { 0x07, 230, 0, 10, "ees251sp2" }, /* 229 */ - { 0x0C, 231, 0, 10, "ees251ep4" }, /* 230 */ - { 0x0D, 232, 0, 10, "ees251ep5" }, /* 231 */ - { 0x0E, 233, 0, 10, "ees251sp3" }, /* 232 */ - { 0x0F, 234, 0, 10, "ees251sp4" }, /* 233 */ - { 0x10, 235, 0, 10, "ees251sp5" }, /* 234 */ - { 0x11, 236, 0, 10, "ees251sp6" }, /* 235 */ - { 0x12, 237, 0, 10, "ees251sp7" }, /* 236 */ - { 0x13, 238, 0, 10, "ees251sp8" }, /* 237 */ - { 0x14, 239, 0, 10, "ees251sp9" }, /* 238 */ - { 0x22, 240, 0, 10, "ees401ep1" }, /* 239 */ - { 0x23, 241, 0, 10, "ees449ep1" }, /* 240 */ - { 0x24, 242, 0, 10, "ees677ep1" }, /* 241 */ - { 0x25, 243, 0, 10, "ees1087ep2" }, /* 242 */ - { 0x26, 244, 0, 10, "ees541ep1" }, /* 243 */ - { 0x27, 245, 0, 10, "ees613ep1" }, /* 244 */ - { 0x28, 246, 0, 10, "ees887ep1" }, /* 245 */ - { 0x29, 247, 0, 10, "ees1171ep1" }, /* 246 */ - { 0x2A, 248, 0, 10, "ees659ep1" }, /* 247 */ - { 0x2B, 249, 0, 10, "ees761ep1" }, /* 248 */ - { 0x2C, 250, 0, 10, "ees1087ep1" }, /* 249 */ - { 0x2D, 251, 0, 10, "ees1499ep1" }, /* 250 */ - { 0x2E, 252, 0, 10, "ees401ep2" }, /* 251 */ - { 0x2F, 253, 0, 10, "ees439ep1" }, /* 252 */ - { 0x30, 254, 0, 10, "ees593ep1" }, /* 253 */ - { 0x31, 0, 0, 10, "ees743ep1" }, /* 254 */ - { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 255 */ - { 0x05, 0, 1, 3, "security" }, /* 256 */ - { 0x05, 0, 1, 4, "mechanisms" }, /* 257 */ - { 0x07, 302, 1, 5, "id-pkix" }, /* 258 */ - { 0x01, 263, 1, 6, "id-pe" }, /* 259 */ - { 0x01, 261, 0, 7, "authorityInfoAccess" }, /* 260 */ - { 0x03, 262, 0, 7, "qcStatements" }, /* 261 */ - { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 262 */ - { 0x02, 266, 1, 6, "id-qt" }, /* 263 */ - { 0x01, 265, 0, 7, "cps" }, /* 264 */ - { 0x02, 0, 0, 7, "unotice" }, /* 265 */ - { 0x03, 276, 1, 6, "id-kp" }, /* 266 */ - { 0x01, 268, 0, 7, "serverAuth" }, /* 267 */ - { 0x02, 269, 0, 7, "clientAuth" }, /* 268 */ - { 0x03, 270, 0, 7, "codeSigning" }, /* 269 */ - { 0x04, 271, 0, 7, "emailProtection" }, /* 270 */ - { 0x05, 272, 0, 7, "ipsecEndSystem" }, /* 271 */ - { 0x06, 273, 0, 7, "ipsecTunnel" }, /* 272 */ - { 0x07, 274, 0, 7, "ipsecUser" }, /* 273 */ - { 0x08, 275, 0, 7, "timeStamping" }, /* 274 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 275 */ - { 0x08, 284, 1, 6, "id-otherNames" }, /* 276 */ - { 0x01, 278, 0, 7, "personalData" }, /* 277 */ - { 0x02, 279, 0, 7, "userGroup" }, /* 278 */ - { 0x03, 280, 0, 7, "id-on-permanentIdentifier" }, /* 279 */ - { 0x04, 281, 0, 7, "id-on-hardwareModuleName" }, /* 280 */ - { 0x05, 282, 0, 7, "xmppAddr" }, /* 281 */ - { 0x06, 283, 0, 7, "id-on-SIM" }, /* 282 */ - { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 283 */ - { 0x0A, 289, 1, 6, "id-aca" }, /* 284 */ - { 0x01, 286, 0, 7, "authenticationInfo" }, /* 285 */ - { 0x02, 287, 0, 7, "accessIdentity" }, /* 286 */ - { 0x03, 288, 0, 7, "chargingIdentity" }, /* 287 */ - { 0x04, 0, 0, 7, "group" }, /* 288 */ - { 0x0B, 290, 0, 6, "subjectInfoAccess" }, /* 289 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 290 */ - { 0x01, 299, 1, 7, "ocsp" }, /* 291 */ - { 0x01, 293, 0, 8, "basic" }, /* 292 */ - { 0x02, 294, 0, 8, "nonce" }, /* 293 */ - { 0x03, 295, 0, 8, "crl" }, /* 294 */ - { 0x04, 296, 0, 8, "response" }, /* 295 */ - { 0x05, 297, 0, 8, "noCheck" }, /* 296 */ - { 0x06, 298, 0, 8, "archiveCutoff" }, /* 297 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 298 */ - { 0x02, 300, 0, 7, "caIssuers" }, /* 299 */ - { 0x03, 301, 0, 7, "timeStamping" }, /* 300 */ - { 0x05, 0, 0, 7, "caRepository" }, /* 301 */ - { 0x08, 0, 1, 5, "ipsec" }, /* 302 */ - { 0x02, 0, 1, 6, "certificate" }, /* 303 */ - { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 304 */ - { 0x0E, 311, 1, 1, "oiw" }, /* 305 */ - { 0x03, 0, 1, 2, "secsig" }, /* 306 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 307 */ - { 0x07, 309, 0, 4, "des-cbc" }, /* 308 */ - { 0x1A, 310, 0, 4, "sha-1" }, /* 309 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 310 */ - { 0x24, 357, 1, 1, "TeleTrusT" }, /* 311 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 312 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 313 */ - { 0x01, 318, 1, 4, "rsaSignature" }, /* 314 */ - { 0x02, 316, 0, 5, "rsaSigWithripemd160" }, /* 315 */ - { 0x03, 317, 0, 5, "rsaSigWithripemd128" }, /* 316 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 317 */ - { 0x02, 0, 1, 4, "ecSign" }, /* 318 */ - { 0x01, 320, 0, 5, "ecSignWithsha1" }, /* 319 */ - { 0x02, 321, 0, 5, "ecSignWithripemd160" }, /* 320 */ - { 0x03, 322, 0, 5, "ecSignWithmd2" }, /* 321 */ - { 0x04, 323, 0, 5, "ecSignWithmd5" }, /* 322 */ - { 0x05, 340, 1, 5, "ttt-ecg" }, /* 323 */ - { 0x01, 328, 1, 6, "fieldType" }, /* 324 */ - { 0x01, 0, 1, 7, "characteristictwoField" }, /* 325 */ - { 0x01, 0, 1, 8, "basisType" }, /* 326 */ - { 0x01, 0, 0, 9, "ipBasis" }, /* 327 */ - { 0x02, 330, 1, 6, "keyType" }, /* 328 */ - { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 329 */ - { 0x03, 331, 0, 6, "curve" }, /* 330 */ - { 0x04, 338, 1, 6, "signatures" }, /* 331 */ - { 0x01, 333, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 332 */ - { 0x02, 334, 0, 7, "ecgdsa-with-SHA1" }, /* 333 */ - { 0x03, 335, 0, 7, "ecgdsa-with-SHA224" }, /* 334 */ - { 0x04, 336, 0, 7, "ecgdsa-with-SHA256" }, /* 335 */ - { 0x05, 337, 0, 7, "ecgdsa-with-SHA384" }, /* 336 */ - { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 337 */ - { 0x05, 0, 1, 6, "module" }, /* 338 */ - { 0x01, 0, 0, 7, "1" }, /* 339 */ - { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 340 */ - { 0x01, 0, 1, 6, "ellipticCurve" }, /* 341 */ - { 0x01, 0, 1, 7, "versionOne" }, /* 342 */ - { 0x01, 344, 0, 8, "brainpoolP160r1" }, /* 343 */ - { 0x02, 345, 0, 8, "brainpoolP160t1" }, /* 344 */ - { 0x03, 346, 0, 8, "brainpoolP192r1" }, /* 345 */ - { 0x04, 347, 0, 8, "brainpoolP192t1" }, /* 346 */ - { 0x05, 348, 0, 8, "brainpoolP224r1" }, /* 347 */ - { 0x06, 349, 0, 8, "brainpoolP224t1" }, /* 348 */ - { 0x07, 350, 0, 8, "brainpoolP256r1" }, /* 349 */ - { 0x08, 351, 0, 8, "brainpoolP256t1" }, /* 350 */ - { 0x09, 352, 0, 8, "brainpoolP320r1" }, /* 351 */ - { 0x0A, 353, 0, 8, "brainpoolP320t1" }, /* 352 */ - { 0x0B, 354, 0, 8, "brainpoolP384r1" }, /* 353 */ - { 0x0C, 355, 0, 8, "brainpoolP384t1" }, /* 354 */ - { 0x0D, 356, 0, 8, "brainpoolP512r1" }, /* 355 */ - { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 356 */ - { 0x81, 0, 1, 1, "" }, /* 357 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 358 */ - { 0x00, 0, 1, 3, "curve" }, /* 359 */ - { 0x01, 361, 0, 4, "sect163k1" }, /* 360 */ - { 0x02, 362, 0, 4, "sect163r1" }, /* 361 */ - { 0x03, 363, 0, 4, "sect239k1" }, /* 362 */ - { 0x04, 364, 0, 4, "sect113r1" }, /* 363 */ - { 0x05, 365, 0, 4, "sect113r2" }, /* 364 */ - { 0x06, 366, 0, 4, "secp112r1" }, /* 365 */ - { 0x07, 367, 0, 4, "secp112r2" }, /* 366 */ - { 0x08, 368, 0, 4, "secp160r1" }, /* 367 */ - { 0x09, 369, 0, 4, "secp160k1" }, /* 368 */ - { 0x0A, 370, 0, 4, "secp256k1" }, /* 369 */ - { 0x0F, 371, 0, 4, "sect163r2" }, /* 370 */ - { 0x10, 372, 0, 4, "sect283k1" }, /* 371 */ - { 0x11, 373, 0, 4, "sect283r1" }, /* 372 */ - { 0x16, 374, 0, 4, "sect131r1" }, /* 373 */ - { 0x17, 375, 0, 4, "sect131r2" }, /* 374 */ - { 0x18, 376, 0, 4, "sect193r1" }, /* 375 */ - { 0x19, 377, 0, 4, "sect193r2" }, /* 376 */ - { 0x1A, 378, 0, 4, "sect233k1" }, /* 377 */ - { 0x1B, 379, 0, 4, "sect233r1" }, /* 378 */ - { 0x1C, 380, 0, 4, "secp128r1" }, /* 379 */ - { 0x1D, 381, 0, 4, "secp128r2" }, /* 380 */ - { 0x1E, 382, 0, 4, "secp160r2" }, /* 381 */ - { 0x1F, 383, 0, 4, "secp192k1" }, /* 382 */ - { 0x20, 384, 0, 4, "secp224k1" }, /* 383 */ - { 0x21, 385, 0, 4, "secp224r1" }, /* 384 */ - { 0x22, 386, 0, 4, "secp384r1" }, /* 385 */ - { 0x23, 387, 0, 4, "secp521r1" }, /* 386 */ - { 0x24, 388, 0, 4, "sect409k1" }, /* 387 */ - { 0x25, 389, 0, 4, "sect409r1" }, /* 388 */ - { 0x26, 390, 0, 4, "sect571k1" }, /* 389 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 390 */ - {0x60, 445, 1, 0, "" }, /* 391 */ - { 0x86, 0, 1, 1, "" }, /* 392 */ - { 0x48, 0, 1, 2, "" }, /* 393 */ - { 0x01, 0, 1, 3, "organization" }, /* 394 */ - { 0x65, 421, 1, 4, "gov" }, /* 395 */ - { 0x03, 0, 1, 5, "csor" }, /* 396 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 397 */ - { 0x01, 408, 1, 7, "aes" }, /* 398 */ - { 0x02, 400, 0, 8, "id-aes128-CBC" }, /* 399 */ - { 0x06, 401, 0, 8, "id-aes128-GCM" }, /* 400 */ - { 0x07, 402, 0, 8, "id-aes128-CCM" }, /* 401 */ - { 0x16, 403, 0, 8, "id-aes192-CBC" }, /* 402 */ - { 0x1A, 404, 0, 8, "id-aes192-GCM" }, /* 403 */ - { 0x1B, 405, 0, 8, "id-aes192-CCM" }, /* 404 */ - { 0x2A, 406, 0, 8, "id-aes256-CBC" }, /* 405 */ - { 0x2E, 407, 0, 8, "id-aes256-GCM" }, /* 406 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 407 */ - { 0x02, 0, 1, 7, "hashalgs" }, /* 408 */ - { 0x01, 410, 0, 8, "id-sha256" }, /* 409 */ - { 0x02, 411, 0, 8, "id-sha384" }, /* 410 */ - { 0x03, 412, 0, 8, "id-sha512" }, /* 411 */ - { 0x04, 413, 0, 8, "id-sha224" }, /* 412 */ - { 0x05, 414, 0, 8, "id-sha512-224" }, /* 413 */ - { 0x06, 415, 0, 8, "id-sha512-256" }, /* 414 */ - { 0x07, 416, 0, 8, "id-sha3-224" }, /* 415 */ - { 0x08, 417, 0, 8, "id-sha3-256" }, /* 416 */ - { 0x09, 418, 0, 8, "id-sha3-384" }, /* 417 */ - { 0x0A, 419, 0, 8, "id-sha3-512" }, /* 418 */ - { 0x0B, 420, 0, 8, "id-shake128" }, /* 419 */ - { 0x0C, 0, 0, 8, "id-shake256" }, /* 420 */ - { 0x86, 0, 1, 4, "" }, /* 421 */ - { 0xf8, 0, 1, 5, "" }, /* 422 */ - { 0x42, 435, 1, 6, "netscape" }, /* 423 */ - { 0x01, 430, 1, 7, "" }, /* 424 */ - { 0x01, 426, 0, 8, "nsCertType" }, /* 425 */ - { 0x03, 427, 0, 8, "nsRevocationUrl" }, /* 426 */ - { 0x04, 428, 0, 8, "nsCaRevocationUrl" }, /* 427 */ - { 0x08, 429, 0, 8, "nsCaPolicyUrl" }, /* 428 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 429 */ - { 0x03, 433, 1, 7, "directory" }, /* 430 */ - { 0x01, 0, 1, 8, "" }, /* 431 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 432 */ - { 0x04, 0, 1, 7, "policy" }, /* 433 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 434 */ - { 0x45, 0, 1, 6, "verisign" }, /* 435 */ - { 0x01, 0, 1, 7, "pki" }, /* 436 */ - { 0x09, 0, 1, 8, "attributes" }, /* 437 */ - { 0x02, 439, 0, 9, "messageType" }, /* 438 */ - { 0x03, 440, 0, 9, "pkiStatus" }, /* 439 */ - { 0x04, 441, 0, 9, "failInfo" }, /* 440 */ - { 0x05, 442, 0, 9, "senderNonce" }, /* 441 */ - { 0x06, 443, 0, 9, "recipientNonce" }, /* 442 */ - { 0x07, 444, 0, 9, "transID" }, /* 443 */ - { 0x08, 0, 0, 9, "extensionReq" }, /* 444 */ - {0x67, 0, 1, 0, "" }, /* 445 */ - { 0x81, 0, 1, 1, "" }, /* 446 */ - { 0x05, 0, 1, 2, "" }, /* 447 */ - { 0x02, 0, 1, 3, "tcg-attribute" }, /* 448 */ - { 0x01, 450, 0, 4, "tcg-at-tpmManufacturer" }, /* 449 */ - { 0x02, 451, 0, 4, "tcg-at-tpmModel" }, /* 450 */ - { 0x03, 452, 0, 4, "tcg-at-tpmVersion" }, /* 451 */ - { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 452 */ + { 0x01, 210, 0, 8, "strongSwan" }, /* 209 */ + { 0x02, 211, 0, 8, "cps" }, /* 210 */ + { 0x03, 212, 0, 8, "e-voting" }, /* 211 */ + { 0x05, 0, 1, 8, "BLISS" }, /* 212 */ + { 0x01, 215, 1, 9, "keyType" }, /* 213 */ + { 0x01, 0, 0, 10, "blissPublicKey" }, /* 214 */ + { 0x02, 224, 1, 9, "parameters" }, /* 215 */ + { 0x01, 217, 0, 10, "BLISS-I" }, /* 216 */ + { 0x02, 218, 0, 10, "BLISS-II" }, /* 217 */ + { 0x03, 219, 0, 10, "BLISS-III" }, /* 218 */ + { 0x04, 220, 0, 10, "BLISS-IV" }, /* 219 */ + { 0x05, 221, 0, 10, "BLISS-B-I" }, /* 220 */ + { 0x06, 222, 0, 10, "BLISS-B-II" }, /* 221 */ + { 0x07, 223, 0, 10, "BLISS-B-III" }, /* 222 */ + { 0x08, 0, 0, 10, "BLISS-B-IV" }, /* 223 */ + { 0x03, 0, 1, 9, "blissSigType" }, /* 224 */ + { 0x01, 226, 0, 10, "BLISS-with-SHA512" }, /* 225 */ + { 0x02, 227, 0, 10, "BLISS-with-SHA384" }, /* 226 */ + { 0x03, 0, 0, 10, "BLISS-with-SHA256" }, /* 227 */ + { 0x89, 235, 1, 5, "" }, /* 228 */ + { 0x31, 0, 1, 6, "" }, /* 229 */ + { 0x01, 0, 1, 7, "" }, /* 230 */ + { 0x01, 0, 1, 8, "" }, /* 231 */ + { 0x02, 0, 1, 9, "" }, /* 232 */ + { 0x02, 0, 1, 10, "" }, /* 233 */ + { 0x4B, 0, 0, 11, "TCGID" }, /* 234 */ + { 0x97, 239, 1, 5, "" }, /* 235 */ + { 0x55, 0, 1, 6, "" }, /* 236 */ + { 0x01, 0, 1, 7, "" }, /* 237 */ + { 0x02, 0, 0, 8, "blowfish-cbc" }, /* 238 */ + { 0xC1, 0, 1, 5, "" }, /* 239 */ + { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 240 */ + { 0x01, 0, 1, 7, "eess" }, /* 241 */ + { 0x01, 0, 1, 8, "eess1" }, /* 242 */ + { 0x01, 247, 1, 9, "eess1-algs" }, /* 243 */ + { 0x01, 245, 0, 10, "ntru-EESS1v1-SVES" }, /* 244 */ + { 0x02, 246, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 245 */ + { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 246 */ + { 0x02, 277, 1, 9, "eess1-params" }, /* 247 */ + { 0x01, 249, 0, 10, "ees251ep1" }, /* 248 */ + { 0x02, 250, 0, 10, "ees347ep1" }, /* 249 */ + { 0x03, 251, 0, 10, "ees503ep1" }, /* 250 */ + { 0x07, 252, 0, 10, "ees251sp2" }, /* 251 */ + { 0x0C, 253, 0, 10, "ees251ep4" }, /* 252 */ + { 0x0D, 254, 0, 10, "ees251ep5" }, /* 253 */ + { 0x0E, 255, 0, 10, "ees251sp3" }, /* 254 */ + { 0x0F, 256, 0, 10, "ees251sp4" }, /* 255 */ + { 0x10, 257, 0, 10, "ees251sp5" }, /* 256 */ + { 0x11, 258, 0, 10, "ees251sp6" }, /* 257 */ + { 0x12, 259, 0, 10, "ees251sp7" }, /* 258 */ + { 0x13, 260, 0, 10, "ees251sp8" }, /* 259 */ + { 0x14, 261, 0, 10, "ees251sp9" }, /* 260 */ + { 0x22, 262, 0, 10, "ees401ep1" }, /* 261 */ + { 0x23, 263, 0, 10, "ees449ep1" }, /* 262 */ + { 0x24, 264, 0, 10, "ees677ep1" }, /* 263 */ + { 0x25, 265, 0, 10, "ees1087ep2" }, /* 264 */ + { 0x26, 266, 0, 10, "ees541ep1" }, /* 265 */ + { 0x27, 267, 0, 10, "ees613ep1" }, /* 266 */ + { 0x28, 268, 0, 10, "ees887ep1" }, /* 267 */ + { 0x29, 269, 0, 10, "ees1171ep1" }, /* 268 */ + { 0x2A, 270, 0, 10, "ees659ep1" }, /* 269 */ + { 0x2B, 271, 0, 10, "ees761ep1" }, /* 270 */ + { 0x2C, 272, 0, 10, "ees1087ep1" }, /* 271 */ + { 0x2D, 273, 0, 10, "ees1499ep1" }, /* 272 */ + { 0x2E, 274, 0, 10, "ees401ep2" }, /* 273 */ + { 0x2F, 275, 0, 10, "ees439ep1" }, /* 274 */ + { 0x30, 276, 0, 10, "ees593ep1" }, /* 275 */ + { 0x31, 0, 0, 10, "ees743ep1" }, /* 276 */ + { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 277 */ + { 0x05, 0, 1, 3, "security" }, /* 278 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 279 */ + { 0x07, 324, 1, 5, "id-pkix" }, /* 280 */ + { 0x01, 285, 1, 6, "id-pe" }, /* 281 */ + { 0x01, 283, 0, 7, "authorityInfoAccess" }, /* 282 */ + { 0x03, 284, 0, 7, "qcStatements" }, /* 283 */ + { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 284 */ + { 0x02, 288, 1, 6, "id-qt" }, /* 285 */ + { 0x01, 287, 0, 7, "cps" }, /* 286 */ + { 0x02, 0, 0, 7, "unotice" }, /* 287 */ + { 0x03, 298, 1, 6, "id-kp" }, /* 288 */ + { 0x01, 290, 0, 7, "serverAuth" }, /* 289 */ + { 0x02, 291, 0, 7, "clientAuth" }, /* 290 */ + { 0x03, 292, 0, 7, "codeSigning" }, /* 291 */ + { 0x04, 293, 0, 7, "emailProtection" }, /* 292 */ + { 0x05, 294, 0, 7, "ipsecEndSystem" }, /* 293 */ + { 0x06, 295, 0, 7, "ipsecTunnel" }, /* 294 */ + { 0x07, 296, 0, 7, "ipsecUser" }, /* 295 */ + { 0x08, 297, 0, 7, "timeStamping" }, /* 296 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 297 */ + { 0x08, 306, 1, 6, "id-otherNames" }, /* 298 */ + { 0x01, 300, 0, 7, "personalData" }, /* 299 */ + { 0x02, 301, 0, 7, "userGroup" }, /* 300 */ + { 0x03, 302, 0, 7, "id-on-permanentIdentifier" }, /* 301 */ + { 0x04, 303, 0, 7, "id-on-hardwareModuleName" }, /* 302 */ + { 0x05, 304, 0, 7, "xmppAddr" }, /* 303 */ + { 0x06, 305, 0, 7, "id-on-SIM" }, /* 304 */ + { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 305 */ + { 0x0A, 311, 1, 6, "id-aca" }, /* 306 */ + { 0x01, 308, 0, 7, "authenticationInfo" }, /* 307 */ + { 0x02, 309, 0, 7, "accessIdentity" }, /* 308 */ + { 0x03, 310, 0, 7, "chargingIdentity" }, /* 309 */ + { 0x04, 0, 0, 7, "group" }, /* 310 */ + { 0x0B, 312, 0, 6, "subjectInfoAccess" }, /* 311 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 312 */ + { 0x01, 321, 1, 7, "ocsp" }, /* 313 */ + { 0x01, 315, 0, 8, "basic" }, /* 314 */ + { 0x02, 316, 0, 8, "nonce" }, /* 315 */ + { 0x03, 317, 0, 8, "crl" }, /* 316 */ + { 0x04, 318, 0, 8, "response" }, /* 317 */ + { 0x05, 319, 0, 8, "noCheck" }, /* 318 */ + { 0x06, 320, 0, 8, "archiveCutoff" }, /* 319 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 320 */ + { 0x02, 322, 0, 7, "caIssuers" }, /* 321 */ + { 0x03, 323, 0, 7, "timeStamping" }, /* 322 */ + { 0x05, 0, 0, 7, "caRepository" }, /* 323 */ + { 0x08, 0, 1, 5, "ipsec" }, /* 324 */ + { 0x02, 0, 1, 6, "certificate" }, /* 325 */ + { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 326 */ + { 0x0E, 333, 1, 1, "oiw" }, /* 327 */ + { 0x03, 0, 1, 2, "secsig" }, /* 328 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 329 */ + { 0x07, 331, 0, 4, "des-cbc" }, /* 330 */ + { 0x1A, 332, 0, 4, "sha-1" }, /* 331 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 332 */ + { 0x24, 379, 1, 1, "TeleTrusT" }, /* 333 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 334 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 335 */ + { 0x01, 340, 1, 4, "rsaSignature" }, /* 336 */ + { 0x02, 338, 0, 5, "rsaSigWithripemd160" }, /* 337 */ + { 0x03, 339, 0, 5, "rsaSigWithripemd128" }, /* 338 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 339 */ + { 0x02, 0, 1, 4, "ecSign" }, /* 340 */ + { 0x01, 342, 0, 5, "ecSignWithsha1" }, /* 341 */ + { 0x02, 343, 0, 5, "ecSignWithripemd160" }, /* 342 */ + { 0x03, 344, 0, 5, "ecSignWithmd2" }, /* 343 */ + { 0x04, 345, 0, 5, "ecSignWithmd5" }, /* 344 */ + { 0x05, 362, 1, 5, "ttt-ecg" }, /* 345 */ + { 0x01, 350, 1, 6, "fieldType" }, /* 346 */ + { 0x01, 0, 1, 7, "characteristictwoField" }, /* 347 */ + { 0x01, 0, 1, 8, "basisType" }, /* 348 */ + { 0x01, 0, 0, 9, "ipBasis" }, /* 349 */ + { 0x02, 352, 1, 6, "keyType" }, /* 350 */ + { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 351 */ + { 0x03, 353, 0, 6, "curve" }, /* 352 */ + { 0x04, 360, 1, 6, "signatures" }, /* 353 */ + { 0x01, 355, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 354 */ + { 0x02, 356, 0, 7, "ecgdsa-with-SHA1" }, /* 355 */ + { 0x03, 357, 0, 7, "ecgdsa-with-SHA224" }, /* 356 */ + { 0x04, 358, 0, 7, "ecgdsa-with-SHA256" }, /* 357 */ + { 0x05, 359, 0, 7, "ecgdsa-with-SHA384" }, /* 358 */ + { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 359 */ + { 0x05, 0, 1, 6, "module" }, /* 360 */ + { 0x01, 0, 0, 7, "1" }, /* 361 */ + { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 362 */ + { 0x01, 0, 1, 6, "ellipticCurve" }, /* 363 */ + { 0x01, 0, 1, 7, "versionOne" }, /* 364 */ + { 0x01, 366, 0, 8, "brainpoolP160r1" }, /* 365 */ + { 0x02, 367, 0, 8, "brainpoolP160t1" }, /* 366 */ + { 0x03, 368, 0, 8, "brainpoolP192r1" }, /* 367 */ + { 0x04, 369, 0, 8, "brainpoolP192t1" }, /* 368 */ + { 0x05, 370, 0, 8, "brainpoolP224r1" }, /* 369 */ + { 0x06, 371, 0, 8, "brainpoolP224t1" }, /* 370 */ + { 0x07, 372, 0, 8, "brainpoolP256r1" }, /* 371 */ + { 0x08, 373, 0, 8, "brainpoolP256t1" }, /* 372 */ + { 0x09, 374, 0, 8, "brainpoolP320r1" }, /* 373 */ + { 0x0A, 375, 0, 8, "brainpoolP320t1" }, /* 374 */ + { 0x0B, 376, 0, 8, "brainpoolP384r1" }, /* 375 */ + { 0x0C, 377, 0, 8, "brainpoolP384t1" }, /* 376 */ + { 0x0D, 378, 0, 8, "brainpoolP512r1" }, /* 377 */ + { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 378 */ + { 0x81, 0, 1, 1, "" }, /* 379 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 380 */ + { 0x00, 0, 1, 3, "curve" }, /* 381 */ + { 0x01, 383, 0, 4, "sect163k1" }, /* 382 */ + { 0x02, 384, 0, 4, "sect163r1" }, /* 383 */ + { 0x03, 385, 0, 4, "sect239k1" }, /* 384 */ + { 0x04, 386, 0, 4, "sect113r1" }, /* 385 */ + { 0x05, 387, 0, 4, "sect113r2" }, /* 386 */ + { 0x06, 388, 0, 4, "secp112r1" }, /* 387 */ + { 0x07, 389, 0, 4, "secp112r2" }, /* 388 */ + { 0x08, 390, 0, 4, "secp160r1" }, /* 389 */ + { 0x09, 391, 0, 4, "secp160k1" }, /* 390 */ + { 0x0A, 392, 0, 4, "secp256k1" }, /* 391 */ + { 0x0F, 393, 0, 4, "sect163r2" }, /* 392 */ + { 0x10, 394, 0, 4, "sect283k1" }, /* 393 */ + { 0x11, 395, 0, 4, "sect283r1" }, /* 394 */ + { 0x16, 396, 0, 4, "sect131r1" }, /* 395 */ + { 0x17, 397, 0, 4, "sect131r2" }, /* 396 */ + { 0x18, 398, 0, 4, "sect193r1" }, /* 397 */ + { 0x19, 399, 0, 4, "sect193r2" }, /* 398 */ + { 0x1A, 400, 0, 4, "sect233k1" }, /* 399 */ + { 0x1B, 401, 0, 4, "sect233r1" }, /* 400 */ + { 0x1C, 402, 0, 4, "secp128r1" }, /* 401 */ + { 0x1D, 403, 0, 4, "secp128r2" }, /* 402 */ + { 0x1E, 404, 0, 4, "secp160r2" }, /* 403 */ + { 0x1F, 405, 0, 4, "secp192k1" }, /* 404 */ + { 0x20, 406, 0, 4, "secp224k1" }, /* 405 */ + { 0x21, 407, 0, 4, "secp224r1" }, /* 406 */ + { 0x22, 408, 0, 4, "secp384r1" }, /* 407 */ + { 0x23, 409, 0, 4, "secp521r1" }, /* 408 */ + { 0x24, 410, 0, 4, "sect409k1" }, /* 409 */ + { 0x25, 411, 0, 4, "sect409r1" }, /* 410 */ + { 0x26, 412, 0, 4, "sect571k1" }, /* 411 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 412 */ + {0x60, 467, 1, 0, "" }, /* 413 */ + { 0x86, 0, 1, 1, "" }, /* 414 */ + { 0x48, 0, 1, 2, "" }, /* 415 */ + { 0x01, 0, 1, 3, "organization" }, /* 416 */ + { 0x65, 443, 1, 4, "gov" }, /* 417 */ + { 0x03, 0, 1, 5, "csor" }, /* 418 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 419 */ + { 0x01, 430, 1, 7, "aes" }, /* 420 */ + { 0x02, 422, 0, 8, "id-aes128-CBC" }, /* 421 */ + { 0x06, 423, 0, 8, "id-aes128-GCM" }, /* 422 */ + { 0x07, 424, 0, 8, "id-aes128-CCM" }, /* 423 */ + { 0x16, 425, 0, 8, "id-aes192-CBC" }, /* 424 */ + { 0x1A, 426, 0, 8, "id-aes192-GCM" }, /* 425 */ + { 0x1B, 427, 0, 8, "id-aes192-CCM" }, /* 426 */ + { 0x2A, 428, 0, 8, "id-aes256-CBC" }, /* 427 */ + { 0x2E, 429, 0, 8, "id-aes256-GCM" }, /* 428 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 429 */ + { 0x02, 0, 1, 7, "hashalgs" }, /* 430 */ + { 0x01, 432, 0, 8, "id-sha256" }, /* 431 */ + { 0x02, 433, 0, 8, "id-sha384" }, /* 432 */ + { 0x03, 434, 0, 8, "id-sha512" }, /* 433 */ + { 0x04, 435, 0, 8, "id-sha224" }, /* 434 */ + { 0x05, 436, 0, 8, "id-sha512-224" }, /* 435 */ + { 0x06, 437, 0, 8, "id-sha512-256" }, /* 436 */ + { 0x07, 438, 0, 8, "id-sha3-224" }, /* 437 */ + { 0x08, 439, 0, 8, "id-sha3-256" }, /* 438 */ + { 0x09, 440, 0, 8, "id-sha3-384" }, /* 439 */ + { 0x0A, 441, 0, 8, "id-sha3-512" }, /* 440 */ + { 0x0B, 442, 0, 8, "id-shake128" }, /* 441 */ + { 0x0C, 0, 0, 8, "id-shake256" }, /* 442 */ + { 0x86, 0, 1, 4, "" }, /* 443 */ + { 0xf8, 0, 1, 5, "" }, /* 444 */ + { 0x42, 457, 1, 6, "netscape" }, /* 445 */ + { 0x01, 452, 1, 7, "" }, /* 446 */ + { 0x01, 448, 0, 8, "nsCertType" }, /* 447 */ + { 0x03, 449, 0, 8, "nsRevocationUrl" }, /* 448 */ + { 0x04, 450, 0, 8, "nsCaRevocationUrl" }, /* 449 */ + { 0x08, 451, 0, 8, "nsCaPolicyUrl" }, /* 450 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 451 */ + { 0x03, 455, 1, 7, "directory" }, /* 452 */ + { 0x01, 0, 1, 8, "" }, /* 453 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 454 */ + { 0x04, 0, 1, 7, "policy" }, /* 455 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 456 */ + { 0x45, 0, 1, 6, "verisign" }, /* 457 */ + { 0x01, 0, 1, 7, "pki" }, /* 458 */ + { 0x09, 0, 1, 8, "attributes" }, /* 459 */ + { 0x02, 461, 0, 9, "messageType" }, /* 460 */ + { 0x03, 462, 0, 9, "pkiStatus" }, /* 461 */ + { 0x04, 463, 0, 9, "failInfo" }, /* 462 */ + { 0x05, 464, 0, 9, "senderNonce" }, /* 463 */ + { 0x06, 465, 0, 9, "recipientNonce" }, /* 464 */ + { 0x07, 466, 0, 9, "transID" }, /* 465 */ + { 0x08, 0, 0, 9, "extensionReq" }, /* 466 */ + {0x67, 0, 1, 0, "" }, /* 467 */ + { 0x81, 0, 1, 1, "" }, /* 468 */ + { 0x05, 0, 1, 2, "" }, /* 469 */ + { 0x02, 0, 1, 3, "tcg-attribute" }, /* 470 */ + { 0x01, 472, 0, 4, "tcg-at-tpmManufacturer" }, /* 471 */ + { 0x02, 473, 0, 4, "tcg-at-tpmModel" }, /* 472 */ + { 0x03, 474, 0, 4, "tcg-at-tpmVersion" }, /* 473 */ + { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 474 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index 0933f236a..0f7c5d644 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -141,99 +141,112 @@ extern const oid_t oid_names[]; #define OID_MS_SMARTCARD_LOGON 202 #define OID_USER_PRINCIPAL_NAME 203 #define OID_STRONGSWAN 209 -#define OID_TCGID 216 -#define OID_AUTHORITY_INFO_ACCESS 260 -#define OID_IP_ADDR_BLOCKS 262 -#define OID_POLICY_QUALIFIER_CPS 264 -#define OID_POLICY_QUALIFIER_UNOTICE 265 -#define OID_SERVER_AUTH 267 -#define OID_CLIENT_AUTH 268 -#define OID_OCSP_SIGNING 275 -#define OID_XMPP_ADDR 281 -#define OID_AUTHENTICATION_INFO 285 -#define OID_ACCESS_IDENTITY 286 -#define OID_CHARGING_IDENTITY 287 -#define OID_GROUP 288 -#define OID_OCSP 291 -#define OID_BASIC 292 -#define OID_NONCE 293 -#define OID_CRL 294 -#define OID_RESPONSE 295 -#define OID_NO_CHECK 296 -#define OID_ARCHIVE_CUTOFF 297 -#define OID_SERVICE_LOCATOR 298 -#define OID_CA_ISSUERS 299 -#define OID_IKE_INTERMEDIATE 304 -#define OID_DES_CBC 308 -#define OID_SHA1 309 -#define OID_SHA1_WITH_RSA_OIW 310 -#define OID_ECGDSA_PUBKEY 329 -#define OID_ECGDSA_SIG_WITH_RIPEMD160 332 -#define OID_ECGDSA_SIG_WITH_SHA1 333 -#define OID_ECGDSA_SIG_WITH_SHA224 334 -#define OID_ECGDSA_SIG_WITH_SHA256 335 -#define OID_ECGDSA_SIG_WITH_SHA384 336 -#define OID_ECGDSA_SIG_WITH_SHA512 337 -#define OID_SECT163K1 360 -#define OID_SECT163R1 361 -#define OID_SECT239K1 362 -#define OID_SECT113R1 363 -#define OID_SECT113R2 364 -#define OID_SECT112R1 365 -#define OID_SECT112R2 366 -#define OID_SECT160R1 367 -#define OID_SECT160K1 368 -#define OID_SECT256K1 369 -#define OID_SECT163R2 370 -#define OID_SECT283K1 371 -#define OID_SECT283R1 372 -#define OID_SECT131R1 373 -#define OID_SECT131R2 374 -#define OID_SECT193R1 375 -#define OID_SECT193R2 376 -#define OID_SECT233K1 377 -#define OID_SECT233R1 378 -#define OID_SECT128R1 379 -#define OID_SECT128R2 380 -#define OID_SECT160R2 381 -#define OID_SECT192K1 382 -#define OID_SECT224K1 383 -#define OID_SECT224R1 384 -#define OID_SECT384R1 385 -#define OID_SECT521R1 386 -#define OID_SECT409K1 387 -#define OID_SECT409R1 388 -#define OID_SECT571K1 389 -#define OID_SECT571R1 390 -#define OID_AES128_CBC 399 -#define OID_AES128_GCM 400 -#define OID_AES128_CCM 401 -#define OID_AES192_CBC 402 -#define OID_AES192_GCM 403 -#define OID_AES192_CCM 404 -#define OID_AES256_CBC 405 -#define OID_AES256_GCM 406 -#define OID_AES256_CCM 407 -#define OID_SHA256 409 -#define OID_SHA384 410 -#define OID_SHA512 411 -#define OID_SHA224 412 -#define OID_NS_REVOCATION_URL 426 -#define OID_NS_CA_REVOCATION_URL 427 -#define OID_NS_CA_POLICY_URL 428 -#define OID_NS_COMMENT 429 -#define OID_EMPLOYEE_NUMBER 432 -#define OID_PKI_MESSAGE_TYPE 438 -#define OID_PKI_STATUS 439 -#define OID_PKI_FAIL_INFO 440 -#define OID_PKI_SENDER_NONCE 441 -#define OID_PKI_RECIPIENT_NONCE 442 -#define OID_PKI_TRANS_ID 443 -#define OID_TPM_MANUFACTURER 449 -#define OID_TPM_MODEL 450 -#define OID_TPM_VERSION 451 -#define OID_TPM_ID_LABEL 452 +#define OID_BLISS_PUBLICKEY 214 +#define OID_BLISS_I 216 +#define OID_BLISS_II 217 +#define OID_BLISS_III 218 +#define OID_BLISS_IV 219 +#define OID_BLISS_B_I 220 +#define OID_BLISS_B_II 221 +#define OID_BLISS_B_III 222 +#define OID_BLISS_B_IV 223 +#define OID_BLISS_WITH_SHA512 225 +#define OID_BLISS_WITH_SHA384 226 +#define OID_BLISS_WITH_SHA256 227 +#define OID_TCGID 234 +#define OID_BLOWFISH_CBC 238 +#define OID_AUTHORITY_INFO_ACCESS 282 +#define OID_IP_ADDR_BLOCKS 284 +#define OID_POLICY_QUALIFIER_CPS 286 +#define OID_POLICY_QUALIFIER_UNOTICE 287 +#define OID_SERVER_AUTH 289 +#define OID_CLIENT_AUTH 290 +#define OID_OCSP_SIGNING 297 +#define OID_XMPP_ADDR 303 +#define OID_AUTHENTICATION_INFO 307 +#define OID_ACCESS_IDENTITY 308 +#define OID_CHARGING_IDENTITY 309 +#define OID_GROUP 310 +#define OID_OCSP 313 +#define OID_BASIC 314 +#define OID_NONCE 315 +#define OID_CRL 316 +#define OID_RESPONSE 317 +#define OID_NO_CHECK 318 +#define OID_ARCHIVE_CUTOFF 319 +#define OID_SERVICE_LOCATOR 320 +#define OID_CA_ISSUERS 321 +#define OID_IKE_INTERMEDIATE 326 +#define OID_DES_CBC 330 +#define OID_SHA1 331 +#define OID_SHA1_WITH_RSA_OIW 332 +#define OID_ECGDSA_PUBKEY 351 +#define OID_ECGDSA_SIG_WITH_RIPEMD160 354 +#define OID_ECGDSA_SIG_WITH_SHA1 355 +#define OID_ECGDSA_SIG_WITH_SHA224 356 +#define OID_ECGDSA_SIG_WITH_SHA256 357 +#define OID_ECGDSA_SIG_WITH_SHA384 358 +#define OID_ECGDSA_SIG_WITH_SHA512 359 +#define OID_SECT163K1 382 +#define OID_SECT163R1 383 +#define OID_SECT239K1 384 +#define OID_SECT113R1 385 +#define OID_SECT113R2 386 +#define OID_SECT112R1 387 +#define OID_SECT112R2 388 +#define OID_SECT160R1 389 +#define OID_SECT160K1 390 +#define OID_SECT256K1 391 +#define OID_SECT163R2 392 +#define OID_SECT283K1 393 +#define OID_SECT283R1 394 +#define OID_SECT131R1 395 +#define OID_SECT131R2 396 +#define OID_SECT193R1 397 +#define OID_SECT193R2 398 +#define OID_SECT233K1 399 +#define OID_SECT233R1 400 +#define OID_SECT128R1 401 +#define OID_SECT128R2 402 +#define OID_SECT160R2 403 +#define OID_SECT192K1 404 +#define OID_SECT224K1 405 +#define OID_SECT224R1 406 +#define OID_SECT384R1 407 +#define OID_SECT521R1 408 +#define OID_SECT409K1 409 +#define OID_SECT409R1 410 +#define OID_SECT571K1 411 +#define OID_SECT571R1 412 +#define OID_AES128_CBC 421 +#define OID_AES128_GCM 422 +#define OID_AES128_CCM 423 +#define OID_AES192_CBC 424 +#define OID_AES192_GCM 425 +#define OID_AES192_CCM 426 +#define OID_AES256_CBC 427 +#define OID_AES256_GCM 428 +#define OID_AES256_CCM 429 +#define OID_SHA256 431 +#define OID_SHA384 432 +#define OID_SHA512 433 +#define OID_SHA224 434 +#define OID_NS_REVOCATION_URL 448 +#define OID_NS_CA_REVOCATION_URL 449 +#define OID_NS_CA_POLICY_URL 450 +#define OID_NS_COMMENT 451 +#define OID_EMPLOYEE_NUMBER 454 +#define OID_PKI_MESSAGE_TYPE 460 +#define OID_PKI_STATUS 461 +#define OID_PKI_FAIL_INFO 462 +#define OID_PKI_SENDER_NONCE 463 +#define OID_PKI_RECIPIENT_NONCE 464 +#define OID_PKI_TRANS_ID 465 +#define OID_TPM_MANUFACTURER 471 +#define OID_TPM_MODEL 472 +#define OID_TPM_VERSION 473 +#define OID_TPM_ID_LABEL 474 -#define OID_MAX 453 +#define OID_MAX 475 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index e545188d4..919d24c43 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -208,6 +208,24 @@ 0xA0 "" 0x2A "ITA" 0x01 "strongSwan" OID_STRONGSWAN + 0x02 "cps" + 0x03 "e-voting" + 0x05 "BLISS" + 0x01 "keyType" + 0x01 "blissPublicKey" OID_BLISS_PUBLICKEY + 0x02 "parameters" + 0x01 "BLISS-I" OID_BLISS_I + 0x02 "BLISS-II" OID_BLISS_II + 0x03 "BLISS-III" OID_BLISS_III + 0x04 "BLISS-IV" OID_BLISS_IV + 0x05 "BLISS-B-I" OID_BLISS_B_I + 0x06 "BLISS-B-II" OID_BLISS_B_II + 0x07 "BLISS-B-III" OID_BLISS_B_III + 0x08 "BLISS-B-IV" OID_BLISS_B_IV + 0x03 "blissSigType" + 0x01 "BLISS-with-SHA512" OID_BLISS_WITH_SHA512 + 0x02 "BLISS-with-SHA384" OID_BLISS_WITH_SHA384 + 0x03 "BLISS-with-SHA256" OID_BLISS_WITH_SHA256 0x89 "" 0x31 "" 0x01 "" @@ -215,6 +233,10 @@ 0x02 "" 0x02 "" 0x4B "TCGID" OID_TCGID + 0x97 "" + 0x55 "" + 0x01 "" + 0x02 "blowfish-cbc" OID_BLOWFISH_CBC 0xC1 "" 0x16 "ntruCryptosystems" 0x01 "eess" diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index db08c6b96..0ca45a15b 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2012 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2007-2009 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -49,6 +49,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT, "RULE_GROUP", "RULE_RSA_STRENGTH", "RULE_ECDSA_STRENGTH", + "RULE_BLISS_STRENGTH", "RULE_SIGNATURE_SCHEME", "RULE_CERT_POLICY", "HELPER_IM_CERT", @@ -71,6 +72,7 @@ static inline bool is_multi_value_rule(auth_rule_t type) case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: + case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_IDENTITY: case AUTH_RULE_IDENTITY_LOOSE: case AUTH_RULE_EAP_IDENTITY: @@ -207,6 +209,7 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args) case AUTH_RULE_OCSP_VALIDATION: case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: + case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: /* integer type */ this->value = (void*)(uintptr_t)va_arg(args, u_int); @@ -255,6 +258,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2) case AUTH_RULE_OCSP_VALIDATION: case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: + case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: { return e1->value == e2->value; @@ -345,6 +349,7 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_OCSP_VALIDATION: case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: + case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: case AUTH_RULE_MAX: break; @@ -376,6 +381,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_OCSP_VALIDATION: case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: + case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: /* integer type */ entry->value = (void*)(uintptr_t)va_arg(args, u_int); @@ -450,6 +456,7 @@ METHOD(auth_cfg_t, get, void*, case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: + case AUTH_RULE_BLISS_STRENGTH: return (void*)0; case AUTH_RULE_SIGNATURE_SCHEME: return (void*)HASH_UNKNOWN; @@ -513,6 +520,7 @@ METHOD(auth_cfg_t, complies, bool, signature_scheme_t scheme = SIGN_UNKNOWN; u_int strength = 0; auth_rule_t t1, t2; + char *key_type; void *value; e1 = constraints->create_enumerator(constraints); @@ -703,6 +711,7 @@ METHOD(auth_cfg_t, complies, bool, } case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: + case AUTH_RULE_BLISS_STRENGTH: { strength = (uintptr_t)value; break; @@ -797,30 +806,39 @@ METHOD(auth_cfg_t, complies, bool, e2 = create_enumerator(this); while (e2->enumerate(e2, &t2, &strength)) { - if (t2 == AUTH_RULE_RSA_STRENGTH || - t2 == AUTH_RULE_ECDSA_STRENGTH) + switch (t2) { - success = FALSE; - e1 = constraints->create_enumerator(constraints); - while (e1->enumerate(e1, &t1, &value)) + default: + continue; + case AUTH_RULE_RSA_STRENGTH: + key_type = "RSA"; + break; + case AUTH_RULE_ECDSA_STRENGTH: + key_type = "ECDSA"; + break; + case AUTH_RULE_BLISS_STRENGTH: + key_type = "BLISS"; + break; + } + success = FALSE; + e1 = constraints->create_enumerator(constraints); + while (e1->enumerate(e1, &t1, &value)) + { + if (t1 == t2 && (uintptr_t)value <= strength) { - if (t1 == t2 && (uintptr_t)value <= strength) - { - success = TRUE; - break; - } + success = TRUE; + break; } - e1->destroy(e1); - if (!success) + } + e1->destroy(e1); + if (!success) + { + if (log_error) { - if (log_error) - { - DBG1(DBG_CFG, "%s-%d signatures not acceptable", - t2 == AUTH_RULE_RSA_STRENGTH ? "RSA" : "ECDSA", - strength); - } - break; + DBG1(DBG_CFG, "%s-%d signatures not acceptable", + key_type, strength); } + break; } } e2->destroy(e2); @@ -891,6 +909,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_RULE_EAP_VENDOR: case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: + case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: { add(this, type, (uintptr_t)value); @@ -1060,6 +1079,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*, case AUTH_RULE_OCSP_VALIDATION: case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: + case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: clone->add(clone, type, (uintptr_t)value); break; diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h index 95b36d706..53f1b3805 100644 --- a/src/libstrongswan/credentials/auth_cfg.h +++ b/src/libstrongswan/credentials/auth_cfg.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2012 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2007-2009 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -102,6 +102,8 @@ enum auth_rule_t { AUTH_RULE_RSA_STRENGTH, /** required ECDSA public key strength, u_int in bits */ AUTH_RULE_ECDSA_STRENGTH, + /** required BLISS public key strength, u_int in bits */ + AUTH_RULE_BLISS_STRENGTH, /** required signature scheme, signature_scheme_t */ AUTH_RULE_SIGNATURE_SCHEME, /** certificatePolicy constraint, numerical OID as char* */ diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h index a6c9c30af..b4d1f4c3c 100644 --- a/src/libstrongswan/credentials/cred_encoding.h +++ b/src/libstrongswan/credentials/cred_encoding.h @@ -144,6 +144,10 @@ enum cred_encoding_part_t { CRED_PART_PKCS10_ASN1_DER, /** a PGP encoded certificate */ CRED_PART_PGP_CERT, + /** a DER encoded BLISS public key */ + CRED_PART_BLISS_PUB_ASN1_DER, + /** a DER encoded BLISS private key */ + CRED_PART_BLISS_PRIV_ASN1_DER, CRED_PART_END, }; diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index b0c8e48ba..371e6404d 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -698,6 +698,9 @@ static void get_key_strength(certificate_t *cert, auth_cfg_t *auth) case KEY_ECDSA: auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength); break; + case KEY_BLISS: + auth->add(auth, AUTH_RULE_BLISS_STRENGTH, strength); + break; default: break; } diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index 37bba77d1..bd5915e60 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -1,6 +1,8 @@ /* + * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -17,14 +19,15 @@ #include "public_key.h" -ENUM(key_type_names, KEY_ANY, KEY_DSA, +ENUM(key_type_names, KEY_ANY, KEY_BLISS, "ANY", "RSA", "ECDSA", - "DSA" + "DSA", + "BLISS" ); -ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521, +ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA512, "UNKNOWN", "RSA_EMSA_PKCS1_NULL", "RSA_EMSA_PKCS1_MD5", @@ -41,6 +44,9 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521, "ECDSA-256", "ECDSA-384", "ECDSA-521", + "BLISS_WITH_SHA256", + "BLISS_WITH_SHA384", + "BLISS_WITH_SHA512", ); ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512, @@ -130,8 +136,158 @@ signature_scheme_t signature_scheme_from_oid(int oid) return SIGN_ECDSA_WITH_SHA384_DER; case OID_ECDSA_WITH_SHA512: return SIGN_ECDSA_WITH_SHA512_DER; - default: - return SIGN_UNKNOWN; + case OID_BLISS_PUBLICKEY: + case OID_BLISS_WITH_SHA512: + return SIGN_BLISS_WITH_SHA512; + case OID_BLISS_WITH_SHA256: + return SIGN_BLISS_WITH_SHA256; + case OID_BLISS_WITH_SHA384: + return SIGN_BLISS_WITH_SHA384; } + return SIGN_UNKNOWN; } +/* + * Defined in header. + */ +int signature_scheme_to_oid(signature_scheme_t scheme) +{ + switch (scheme) + { + case SIGN_UNKNOWN: + case SIGN_RSA_EMSA_PKCS1_NULL: + case SIGN_ECDSA_WITH_NULL: + case SIGN_ECDSA_256: + case SIGN_ECDSA_384: + case SIGN_ECDSA_521: + break; + case SIGN_RSA_EMSA_PKCS1_MD5: + return OID_MD5_WITH_RSA; + case SIGN_RSA_EMSA_PKCS1_SHA1: + return OID_SHA1_WITH_RSA; + case SIGN_RSA_EMSA_PKCS1_SHA224: + return OID_SHA224_WITH_RSA; + case SIGN_RSA_EMSA_PKCS1_SHA256: + return OID_SHA256_WITH_RSA; + case SIGN_RSA_EMSA_PKCS1_SHA384: + return OID_SHA384_WITH_RSA; + case SIGN_RSA_EMSA_PKCS1_SHA512: + return OID_SHA512_WITH_RSA; + case SIGN_ECDSA_WITH_SHA1_DER: + return OID_ECDSA_WITH_SHA1; + case SIGN_ECDSA_WITH_SHA256_DER: + return OID_ECDSA_WITH_SHA256; + case SIGN_ECDSA_WITH_SHA384_DER: + return OID_ECDSA_WITH_SHA384; + case SIGN_ECDSA_WITH_SHA512_DER: + return OID_ECDSA_WITH_SHA512; + case SIGN_BLISS_WITH_SHA256: + return OID_BLISS_WITH_SHA256; + case SIGN_BLISS_WITH_SHA384: + return OID_BLISS_WITH_SHA384; + case SIGN_BLISS_WITH_SHA512: + return OID_BLISS_WITH_SHA512; + } + return OID_UNKNOWN; +} + +/** + * Map for signature schemes to the key type and maximum key size allowed. + * We only cover schemes with hash algorithms supported by IKEv2 signature + * authentication. + */ +static struct { + signature_scheme_t scheme; + key_type_t type; + int max_keysize; +} scheme_map[] = { + { SIGN_RSA_EMSA_PKCS1_SHA256, KEY_RSA, 3072 }, + { SIGN_RSA_EMSA_PKCS1_SHA384, KEY_RSA, 7680 }, + { SIGN_RSA_EMSA_PKCS1_SHA512, KEY_RSA, 0 }, + { SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, 256 }, + { SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, 384 }, + { SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, 0 }, + { SIGN_BLISS_WITH_SHA256, KEY_BLISS, 128 }, + { SIGN_BLISS_WITH_SHA384, KEY_BLISS, 192 }, + { SIGN_BLISS_WITH_SHA512, KEY_BLISS, 0 }, +}; + +/** + * Private data for signature scheme enumerator + */ +typedef struct { + enumerator_t public; + int index; + key_type_t type; + int size; +} private_enumerator_t; + +METHOD(enumerator_t, signature_schemes_enumerate, bool, + private_enumerator_t *this, signature_scheme_t *scheme) +{ + while (++this->index < countof(scheme_map)) + { + if (this->type == scheme_map[this->index].type && + (this->size <= scheme_map[this->index].max_keysize || + !scheme_map[this->index].max_keysize)) + { + *scheme = scheme_map[this->index].scheme; + return TRUE; + } + } + return FALSE; +} + +/* + * Defined in header. + */ +enumerator_t *signature_schemes_for_key(key_type_t type, int size) +{ + private_enumerator_t *this; + + INIT(this, + .public = { + .enumerate = (void*)_signature_schemes_enumerate, + .destroy = (void*)free, + }, + .index = -1, + .type = type, + .size = size, + ); + + return &this->public; +} + +/* + * Defined in header. + */ +key_type_t key_type_from_signature_scheme(signature_scheme_t scheme) +{ + switch (scheme) + { + case SIGN_UNKNOWN: + break; + case SIGN_RSA_EMSA_PKCS1_NULL: + case SIGN_RSA_EMSA_PKCS1_MD5: + case SIGN_RSA_EMSA_PKCS1_SHA1: + case SIGN_RSA_EMSA_PKCS1_SHA224: + case SIGN_RSA_EMSA_PKCS1_SHA256: + case SIGN_RSA_EMSA_PKCS1_SHA384: + case SIGN_RSA_EMSA_PKCS1_SHA512: + return KEY_RSA; + case SIGN_ECDSA_WITH_SHA1_DER: + case SIGN_ECDSA_WITH_SHA256_DER: + case SIGN_ECDSA_WITH_SHA384_DER: + case SIGN_ECDSA_WITH_SHA512_DER: + case SIGN_ECDSA_WITH_NULL: + case SIGN_ECDSA_256: + case SIGN_ECDSA_384: + case SIGN_ECDSA_521: + return KEY_ECDSA; + case SIGN_BLISS_WITH_SHA256: + case SIGN_BLISS_WITH_SHA384: + case SIGN_BLISS_WITH_SHA512: + return KEY_BLISS; + } + return KEY_ANY; +} diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index 2afcf8325..66e98b294 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -1,6 +1,8 @@ /* + * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -42,6 +44,8 @@ enum key_type_t { KEY_ECDSA = 2, /** DSA */ KEY_DSA = 3, + /** BLISS */ + KEY_BLISS = 4, /** ElGamal, ... */ }; @@ -90,6 +94,12 @@ enum signature_scheme_t { SIGN_ECDSA_384, /** ECDSA on the P-521 curve with SHA-512 as in RFC 4754 */ SIGN_ECDSA_521, + /** BLISS with SHA-256 */ + SIGN_BLISS_WITH_SHA256, + /** BLISS with SHA-384 */ + SIGN_BLISS_WITH_SHA384, + /** BLISS with SHA-512 */ + SIGN_BLISS_WITH_SHA512, }; /** @@ -234,8 +244,35 @@ bool public_key_has_fingerprint(public_key_t *public, chunk_t fingerprint); * Conversion of ASN.1 signature or hash OID to signature scheme. * * @param oid ASN.1 OID - * @return signature_scheme, SIGN_UNKNOWN if OID is unsupported + * @return signature scheme, SIGN_UNKNOWN if OID is unsupported */ signature_scheme_t signature_scheme_from_oid(int oid); +/** + * Conversion of signature scheme to ASN.1 signature OID. + * + * @param scheme signature scheme + * @return ASN.1 OID, OID_UNKNOWN if not supported + */ +int signature_scheme_to_oid(signature_scheme_t scheme); + +/** + * Enumerate signature schemes that are appropriate for a key of the given type + * and size|strength. + * + * @param type type of the key + * @param size size or strength of the key + * @return enumerator over signature_scheme_t (increasing strength) + */ +enumerator_t *signature_schemes_for_key(key_type_t type, int size); + +/** + * Determine the type of key associated with a given signature scheme. + * + * @param scheme signature scheme + * @return key type (could be KEY_ANY) + */ +key_type_t key_type_from_signature_scheme(signature_scheme_t scheme); + + #endif /** PUBLIC_KEY_H_ @}*/ diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c index 563f4bdd5..60720dc57 100644 --- a/src/libstrongswan/credentials/sets/cert_cache.c +++ b/src/libstrongswan/credentials/sets/cert_cache.c @@ -143,6 +143,7 @@ METHOD(cert_cache_t, issued_by, bool, private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer, signature_scheme_t *schemep) { + certificate_t *cached_issuer = NULL; relation_t *found = NULL, *current; signature_scheme_t scheme; int i; @@ -154,39 +155,41 @@ METHOD(cert_cache_t, issued_by, bool, current->lock->read_lock(current->lock); if (current->subject) { - /* check for equal issuer */ if (issuer->equals(issuer, current->issuer)) { - /* reuse issuer instance in cache() */ - issuer = current->issuer; if (subject->equals(subject, current->subject)) { - /* write hit counter is not locked, but not critical */ current->hits++; - found = current;; + found = current; if (schemep) { *schemep = current->scheme; } } + else if (!cached_issuer) + { + cached_issuer = current->issuer->get_ref(current->issuer); + } } } current->lock->unlock(current->lock); if (found) { + DESTROY_IF(cached_issuer); return TRUE; } } - /* no cache hit, check and cache signature */ if (subject->issued_by(subject, issuer, &scheme)) { - cache(this, subject, issuer, scheme); + cache(this, subject, cached_issuer ?: issuer, scheme); if (schemep) { *schemep = scheme; } + DESTROY_IF(cached_issuer); return TRUE; } + DESTROY_IF(cached_issuer); return FALSE; } diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c index d8f568d36..7ad011b5e 100644 --- a/src/libstrongswan/credentials/sets/mem_cred.c +++ b/src/libstrongswan/credentials/sets/mem_cred.c @@ -192,6 +192,24 @@ METHOD(mem_cred_t, add_cert_ref, certificate_t*, return add_cert_internal(this, trusted, cert); } +METHOD(mem_cred_t, get_cert_ref, certificate_t*, + private_mem_cred_t *this, certificate_t *cert) +{ + certificate_t *cached; + + this->lock->write_lock(this->lock); + if (this->untrusted->find_first(this->untrusted, + (linked_list_match_t)certificate_equals, + (void**)&cached, cert) == SUCCESS) + { + cert->destroy(cert); + cert = cached->get_ref(cached); + } + this->lock->unlock(this->lock); + + return cert; +} + METHOD(mem_cred_t, add_crl, bool, private_mem_cred_t *this, crl_t *crl) { @@ -736,6 +754,7 @@ mem_cred_t *mem_cred_create() }, .add_cert = _add_cert, .add_cert_ref = _add_cert_ref, + .get_cert_ref = _get_cert_ref, .add_crl = _add_crl, .add_key = _add_key, .add_shared = _add_shared, diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h index d0dd51da1..3ce815abc 100644 --- a/src/libstrongswan/credentials/sets/mem_cred.h +++ b/src/libstrongswan/credentials/sets/mem_cred.h @@ -58,6 +58,18 @@ struct mem_cred_t { certificate_t *(*add_cert_ref)(mem_cred_t *this, bool trusted, certificate_t *cert); + /** + * Get an existing reference to the same certificate. + * + * Searches for the same certficate in the set, and returns a reference + * to it, destroying the passed certificate. If the passed certificate + * is not found, it is just returned. + * + * @param cert certificate to look up + * @return the same certificate, potentially different instance + */ + certificate_t* (*get_cert_ref)(mem_cred_t *this, certificate_t *cert); + /** * Add an X.509 CRL to the credential set. * diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c index 8123adde5..1e73baa4e 100644 --- a/src/libstrongswan/crypto/crypters/crypter.c +++ b/src/libstrongswan/crypto/crypters/crypter.c @@ -96,6 +96,10 @@ encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size) alg = ENCR_CAMELLIA_CBC; alg_key_size = 256; break; + case OID_BLOWFISH_CBC: + alg = ENCR_BLOWFISH; + alg_key_size = 0; + break; default: alg = ENCR_UNDEFINED; alg_key_size = 0; @@ -154,6 +158,9 @@ int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size) oid = OID_UNKNOWN; } break; + case ENCR_BLOWFISH: + oid = OID_BLOWFISH_CBC; + break; default: oid = OID_UNKNOWN; } diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index d09844bfa..15ed17381 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c @@ -580,13 +580,22 @@ METHOD(crypto_tester_t, test_signer, bool, break; } + data = chunk_create(vector->data, vector->len); key = chunk_create(vector->key, signer->get_key_size(signer)); if (!signer->set_key(signer, key)) { goto failure; } + /* do partial append mode and check if key gets set correctly */ + if (!signer->get_signature(signer, data, NULL)) + { + goto failure; + } + if (!signer->set_key(signer, key)) + { + goto failure; + } /* allocated signature */ - data = chunk_create(vector->data, vector->len); if (!signer->allocate_signature(signer, data, &mac)) { goto failure; @@ -905,13 +914,25 @@ METHOD(crypto_tester_t, test_prf, bool, break; } + seed = chunk_create(vector->seed, vector->len); key = chunk_create(vector->key, vector->key_size); if (!prf->set_key(prf, key)) { goto failure; } + if (alg != PRF_FIPS_SHA1_160) + { + /* do partial append mode and check if key gets set correctly */ + if (!prf->get_bytes(prf, seed, NULL)) + { + goto failure; + } + if (!prf->set_key(prf, key)) + { + goto failure; + } + } /* allocated bytes */ - seed = chunk_create(vector->seed, vector->len); if (!prf->allocate_bytes(prf, seed, &out)) { goto failure; @@ -942,7 +963,7 @@ METHOD(crypto_tester_t, test_prf, bool, goto failure; } /* bytes to existing buffer, using append mode */ - if (seed.len > 2) + if (alg != PRF_FIPS_SHA1_160 && seed.len > 2) { memset(out.ptr, 0, out.len); if (vector->stateful) diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c index 87c9b21f8..0d4cd9109 100644 --- a/src/libstrongswan/crypto/diffie_hellman.c +++ b/src/libstrongswan/crypto/diffie_hellman.c @@ -42,15 +42,16 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT, "ECP_256_BP", "ECP_384_BP", "ECP_512_BP"); -ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_512_BP, - "MODP_NULL", - "MODP_CUSTOM"); -ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_CUSTOM, +ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_512_BP, + "MODP_NULL"); +ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL, "NTRU_112", "NTRU_128", "NTRU_192", "NTRU_256"); -ENUM_END(diffie_hellman_group_names, NTRU_256_BIT); +ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, NTRU_256_BIT, + "MODP_CUSTOM"); +ENUM_END(diffie_hellman_group_names, MODP_CUSTOM); /** @@ -439,7 +440,7 @@ void diffie_hellman_init() { int i; - if (lib->settings->get_int(lib->settings, + if (lib->settings->get_bool(lib->settings, "%s.dh_exponent_ansi_x9_42", TRUE, lib->ns)) { for (i = 0; i < countof(dh_params); i++) @@ -463,7 +464,7 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group) if (!dh_params[i].public.exp_len) { if (!dh_params[i].public.subgroup.len && - lib->settings->get_int(lib->settings, + lib->settings->get_bool(lib->settings, "%s.dh_exponent_ansi_x9_42", TRUE, lib->ns)) { dh_params[i].public.exp_len = dh_params[i].public.prime.len; @@ -500,3 +501,75 @@ bool diffie_hellman_group_is_ec(diffie_hellman_group_t group) return FALSE; } } + +/** + * See header. + */ +bool diffie_hellman_verify_value(diffie_hellman_group_t group, chunk_t value) +{ + diffie_hellman_params_t *params; + bool valid = FALSE; + + switch (group) + { + case MODP_768_BIT: + case MODP_1024_BIT: + case MODP_1536_BIT: + case MODP_2048_BIT: + case MODP_3072_BIT: + case MODP_4096_BIT: + case MODP_6144_BIT: + case MODP_8192_BIT: + case MODP_1024_160: + case MODP_2048_224: + case MODP_2048_256: + params = diffie_hellman_get_params(group); + if (params) + { + valid = value.len == params->prime.len; + } + break; + case ECP_192_BIT: + valid = value.len == 48; + break; + case ECP_224_BIT: + case ECP_224_BP: + valid = value.len == 56; + break; + case ECP_256_BIT: + case ECP_256_BP: + valid = value.len == 64; + break; + case ECP_384_BIT: + case ECP_384_BP: + valid = value.len == 96; + break; + case ECP_512_BP: + valid = value.len == 128; + break; + case ECP_521_BIT: + valid = value.len == 132; + break; + case NTRU_112_BIT: + case NTRU_128_BIT: + case NTRU_192_BIT: + case NTRU_256_BIT: + /* verification currently not supported, do in plugin */ + valid = FALSE; + break; + case MODP_NULL: + case MODP_CUSTOM: + valid = TRUE; + break; + case MODP_NONE: + /* fail */ + break; + /* compile-warn unhandled groups, fail verification */ + } + if (!valid) + { + DBG1(DBG_ENC, "invalid DH public value size (%zu bytes) for %N", + value.len, diffie_hellman_group_names, group); + } + return valid; +} diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h index 105db22f1..4704cd0da 100644 --- a/src/libstrongswan/crypto/diffie_hellman.h +++ b/src/libstrongswan/crypto/diffie_hellman.h @@ -63,12 +63,14 @@ enum diffie_hellman_group_t { /** insecure NULL diffie hellman group for testing, in PRIVATE USE */ MODP_NULL = 1024, /** MODP group with custom generator/prime */ - MODP_CUSTOM = 1025, /** Parameters defined by IEEE 1363.1, in PRIVATE USE */ NTRU_112_BIT = 1030, NTRU_128_BIT = 1031, NTRU_192_BIT = 1032, - NTRU_256_BIT = 1033 + NTRU_256_BIT = 1033, + /** internally used DH group with additional parameters g and p, outside + * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */ + MODP_CUSTOM = 65536, }; /** @@ -87,9 +89,10 @@ struct diffie_hellman_t { * Space for returned secret is allocated and must be freed by the caller. * * @param secret shared secret will be written into this chunk - * @return SUCCESS, FAILED if not both DH values are set + * @return TRUE if shared secret computed successfully */ - status_t (*get_shared_secret) (diffie_hellman_t *this, chunk_t *secret); + bool (*get_shared_secret)(diffie_hellman_t *this, chunk_t *secret) + __attribute__((warn_unused_result)); /** * Sets the public value of partner. @@ -97,8 +100,10 @@ struct diffie_hellman_t { * Chunk gets cloned and can be destroyed afterwards. * * @param value public value of partner + * @return TRUE if other public value verified and set */ - void (*set_other_public_value) (diffie_hellman_t *this, chunk_t value); + bool (*set_other_public_value)(diffie_hellman_t *this, chunk_t value) + __attribute__((warn_unused_result)); /** * Gets the own public value to transmit. @@ -106,8 +111,10 @@ struct diffie_hellman_t { * Space for returned chunk is allocated and must be freed by the caller. * * @param value public value of caller is stored at this location + * @return TRUE if public value retrieved */ - void (*get_my_public_value) (diffie_hellman_t *this, chunk_t *value); + bool (*get_my_public_value) (diffie_hellman_t *this, chunk_t *value) + __attribute__((warn_unused_result)); /** * Get the DH group used. @@ -168,8 +175,17 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group) * Check if a given DH group is an ECDH group * * @param group group to check - * @return TUE if group is an ECP group + * @return TRUE if group is an ECP group */ bool diffie_hellman_group_is_ec(diffie_hellman_group_t group); +/** + * Check if a diffie hellman public value is valid for given group. + * + * @param group group the value is used in + * @param value public DH value to check + * @return TRUE if value looks valid for group + */ +bool diffie_hellman_verify_value(diffie_hellman_group_t group, chunk_t value); + #endif /** DIFFIE_HELLMAN_H_ @}*/ diff --git a/src/libstrongswan/crypto/hashers/hash_algorithm_set.c b/src/libstrongswan/crypto/hashers/hash_algorithm_set.c new file mode 100644 index 000000000..93b67cb13 --- /dev/null +++ b/src/libstrongswan/crypto/hashers/hash_algorithm_set.c @@ -0,0 +1,113 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hash_algorithm_set.h" + +#include + +typedef struct private_hash_algorithm_set_t private_hash_algorithm_set_t; + +struct private_hash_algorithm_set_t { + + /** + * Public interface + */ + hash_algorithm_set_t public; + + /** + * Algorithms contained in the set + */ + array_t *algorithms; +}; + +/** + * Sort hash algorithms + */ +static int hash_sort(const void *a, const void *b, void *user) +{ + const hash_algorithm_t *ha = a, *hb = b; + return *ha - *hb; +} + +/** + * Find a hash algorithm + */ +static int hash_find(const void *a, const void *b) +{ + return hash_sort(a, b, NULL); +} + +METHOD(hash_algorithm_set_t, contains, bool, + private_hash_algorithm_set_t *this, hash_algorithm_t hash) +{ + return array_bsearch(this->algorithms, &hash, hash_find, NULL) != -1; +} + +METHOD(hash_algorithm_set_t, add, void, + private_hash_algorithm_set_t *this, hash_algorithm_t hash) +{ + if (!contains(this, hash)) + { + array_insert(this->algorithms, ARRAY_TAIL, &hash); + array_sort(this->algorithms, hash_sort, NULL); + } +} + +METHOD(hash_algorithm_set_t, count, int, + private_hash_algorithm_set_t *this) +{ + return array_count(this->algorithms); +} + +static bool hash_filter(void *data, void **in, hash_algorithm_t *out) +{ + *out = **(hash_algorithm_t**)in; + return TRUE; +} + +METHOD(hash_algorithm_set_t, create_enumerator, enumerator_t*, + private_hash_algorithm_set_t *this) +{ + return enumerator_create_filter(array_create_enumerator(this->algorithms), + (void*)hash_filter, NULL, NULL); +} + +METHOD(hash_algorithm_set_t, destroy, void, + private_hash_algorithm_set_t *this) +{ + array_destroy(this->algorithms); + free(this); +} + +/** + * Described in header + */ +hash_algorithm_set_t *hash_algorithm_set_create() +{ + private_hash_algorithm_set_t *this; + + INIT(this, + .public = { + .add = _add, + .contains = _contains, + .count = _count, + .create_enumerator = _create_enumerator, + .destroy = _destroy, + }, + .algorithms = array_create(sizeof(hash_algorithm_t), 0), + ); + + return &this->public; +} \ No newline at end of file diff --git a/src/libstrongswan/crypto/hashers/hash_algorithm_set.h b/src/libstrongswan/crypto/hashers/hash_algorithm_set.h new file mode 100644 index 000000000..00e90cc2e --- /dev/null +++ b/src/libstrongswan/crypto/hashers/hash_algorithm_set.h @@ -0,0 +1,76 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup hash_algorithm_set hash_algorithm_set + * @{ @ingroup crypto + */ + +#ifndef HASH_ALGORITHM_SET_H_ +#define HASH_ALGORITHM_SET_H_ + +typedef struct hash_algorithm_set_t hash_algorithm_set_t; + +#include +#include + +/** + * A set of hash algorithms + */ +struct hash_algorithm_set_t { + + /** + * Add the given algorithm to the set. + * + * @param alg hash algorithm + */ + void (*add)(hash_algorithm_set_t *this, hash_algorithm_t alg); + + /** + * Check if the given algorithm is contained in the set. + * + * @param alg hash algorithm + * @return TRUE if contained in set + */ + bool (*contains)(hash_algorithm_set_t *this, hash_algorithm_t alg); + + /** + * Number of hash algorithms contained in the set. + * + * @return number of algorithms + */ + int (*count)(hash_algorithm_set_t *this); + + /** + * Enumerate the algorithms contained in the set. + * + * @return enumerator over hash_algorithm_t (sorted by identifier) + */ + enumerator_t *(*create_enumerator)(hash_algorithm_set_t *this); + + /** + * Destroy a hash_algorithm_set_t instance + */ + void (*destroy)(hash_algorithm_set_t *this); +}; + +/** + * Create a set of hash algorithms. + * + * @return hash_algorithm_set_t instance + */ +hash_algorithm_set_t *hash_algorithm_set_create(); + +#endif /** HASH_ALGORITHM_SET_H_ @}*/ diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c index 13cbb5a59..38eebea9c 100644 --- a/src/libstrongswan/crypto/hashers/hasher.c +++ b/src/libstrongswan/crypto/hashers/hasher.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2015 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -19,29 +19,31 @@ #include -ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512, +ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_SHA512, + "HASH_SHA1", + "HASH_SHA256", + "HASH_SHA384", + "HASH_SHA512"); +ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA224, HASH_SHA512, "HASH_UNKNOWN", "HASH_MD2", "HASH_MD4", "HASH_MD5", - "HASH_SHA1", - "HASH_SHA224", - "HASH_SHA256", - "HASH_SHA384", - "HASH_SHA512" -); + "HASH_SHA224"); +ENUM_END(hash_algorithm_names, HASH_SHA224); -ENUM(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA512, +ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_SHA512, + "sha1", + "sha256", + "sha384", + "sha512"); +ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA224, HASH_SHA512, "unknown", "md2", "md4", "md5", - "sha1", - "sha224", - "sha256", - "sha384", - "sha512" -); + "sha224"); +ENUM_END(hash_algorithm_short_names, HASH_SHA224); /* * Described in header. @@ -246,6 +248,28 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg, return AUTH_UNDEFINED; } +/* + * Described in header. + */ +bool hasher_algorithm_for_ikev2(hash_algorithm_t alg) +{ + switch (alg) + { + case HASH_SHA1: + case HASH_SHA256: + case HASH_SHA384: + case HASH_SHA512: + return TRUE; + case HASH_UNKNOWN: + case HASH_MD2: + case HASH_MD4: + case HASH_MD5: + case HASH_SHA224: + break; + } + return FALSE; +} + /* * Described in header. */ @@ -323,8 +347,56 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key) default: return OID_UNKNOWN; } + case KEY_BLISS: + switch (alg) + { + case HASH_SHA256: + return OID_BLISS_WITH_SHA256; + case HASH_SHA384: + return OID_BLISS_WITH_SHA384; + case HASH_SHA512: + return OID_BLISS_WITH_SHA512; + default: + return OID_UNKNOWN; + } default: return OID_UNKNOWN; } } +/* + * Defined in header. + */ +hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme) +{ + switch (scheme) + { + case SIGN_UNKNOWN: + case SIGN_RSA_EMSA_PKCS1_NULL: + case SIGN_ECDSA_WITH_NULL: + break; + case SIGN_RSA_EMSA_PKCS1_MD5: + return HASH_MD5; + case SIGN_RSA_EMSA_PKCS1_SHA1: + case SIGN_ECDSA_WITH_SHA1_DER: + return HASH_SHA1; + case SIGN_RSA_EMSA_PKCS1_SHA224: + return HASH_SHA224; + case SIGN_RSA_EMSA_PKCS1_SHA256: + case SIGN_ECDSA_WITH_SHA256_DER: + case SIGN_ECDSA_256: + case SIGN_BLISS_WITH_SHA256: + return HASH_SHA256; + case SIGN_RSA_EMSA_PKCS1_SHA384: + case SIGN_ECDSA_WITH_SHA384_DER: + case SIGN_ECDSA_384: + case SIGN_BLISS_WITH_SHA384: + return HASH_SHA384; + case SIGN_RSA_EMSA_PKCS1_SHA512: + case SIGN_ECDSA_WITH_SHA512_DER: + case SIGN_ECDSA_521: + case SIGN_BLISS_WITH_SHA512: + return HASH_SHA512; + } + return HASH_UNKNOWN; +} diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h index 37ef0b6ab..772586308 100644 --- a/src/libstrongswan/crypto/hashers/hasher.h +++ b/src/libstrongswan/crypto/hashers/hasher.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2015 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -32,19 +32,19 @@ typedef struct hasher_t hasher_t; #include /** - * Algorithms to use for hashing. + * Hash algorithms as defined for IKEv2 by RFC 7427 */ enum hash_algorithm_t { - /** not specified hash function */ - HASH_UNKNOWN = 0, - HASH_MD2 = 1, - HASH_MD4 = 2, - HASH_MD5 = 3, - HASH_SHA1 = 4, - HASH_SHA224 = 5, - HASH_SHA256 = 6, - HASH_SHA384 = 7, - HASH_SHA512 = 8 + HASH_SHA1 = 1, + HASH_SHA256 = 2, + HASH_SHA384 = 3, + HASH_SHA512 = 4, + /* use private use range for algorithms not defined/permitted by RFC 7427 */ + HASH_UNKNOWN = 1024, + HASH_MD2 = 1025, + HASH_MD4 = 1026, + HASH_MD5 = 1027, + HASH_SHA224 = 1028, }; #define HASH_SIZE_MD2 16 @@ -162,6 +162,14 @@ hash_algorithm_t hasher_algorithm_from_integrity(integrity_algorithm_t alg, integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg, size_t length); +/** + * Check if the given algorithm may be used for IKEv2 signature authentication. + * + * @param alg hash algorithm + * @return TRUE if algorithm may be used, FALSE otherwise + */ +bool hasher_algorithm_for_ikev2(hash_algorithm_t alg); + /** * Conversion of hash algorithm into ASN.1 OID. * @@ -179,4 +187,12 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg); */ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key); +/** + * Determine the hash algorithm associated with a given signature scheme. + * + * @param scheme signature scheme + * @return hash algorithm (could be HASH_UNKNOWN) + */ +hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme); + #endif /** HASHER_H_ @}*/ diff --git a/src/libstrongswan/crypto/mgf1/mgf1.c b/src/libstrongswan/crypto/mgf1/mgf1.c new file mode 100644 index 000000000..4bbcd6e99 --- /dev/null +++ b/src/libstrongswan/crypto/mgf1/mgf1.c @@ -0,0 +1,180 @@ +/* + * Copyright (C) 2013-2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "mgf1.h" + +#include "crypto/hashers/hasher.h" +#include "utils/debug.h" +#include "utils/test.h" + +typedef struct private_mgf1_t private_mgf1_t; + +/** + * Private data of an mgf1_t object. + */ +struct private_mgf1_t { + + /** + * Public mgf1_t interface. + */ + mgf1_t public; + + /** + * Hasher the MGF1 Mask Generation Function is based on + */ + hasher_t *hasher; + + /** + * Counter + */ + u_int32_t counter; + + /** + * Set if counter has reached 2^32 + */ + bool overflow; + + /** + * Current state to be hashed + */ + chunk_t state; + + /** + * Position of the 4 octet counter string + */ + u_char *ctr_str; + +}; + +METHOD(mgf1_t, get_hash_size, size_t, + private_mgf1_t *this) +{ + return this->hasher->get_hash_size(this->hasher); +} + +METHOD(mgf1_t, get_mask, bool, + private_mgf1_t *this, size_t mask_len, u_char *mask) +{ + u_char buf[HASH_SIZE_SHA512]; + size_t hash_len; + + hash_len = this->hasher->get_hash_size(this->hasher); + + while (mask_len > 0) + { + /* detect overflow, set counter string and increment counter */ + if (this->overflow) + { + return FALSE; + } + htoun32(this->ctr_str, this->counter++); + if (this->counter == 0) + { + this->overflow = TRUE; + } + + /* get the next or final mask block from the hash function */ + if (!this->hasher->get_hash(this->hasher, this->state, + (mask_len < hash_len) ? buf : mask)) + { + return FALSE; + } + if (mask_len < hash_len) + { + memcpy(mask, buf, mask_len); + return TRUE; + } + mask_len -= hash_len; + mask += hash_len; + } + return TRUE; +} + +METHOD(mgf1_t, allocate_mask, bool, + private_mgf1_t *this, size_t mask_len, chunk_t *mask) +{ + if (mask_len == 0) + { + *mask = chunk_empty; + return TRUE; + } + *mask = chunk_alloc(mask_len); + + return get_mask(this, mask_len, mask->ptr); +} + +METHOD(mgf1_t, destroy, void, + private_mgf1_t *this) +{ + this->hasher->destroy(this->hasher); + chunk_clear(&this->state); + free(this); +} + +/* + * Described in header. + */ +mgf1_t *mgf1_create(hash_algorithm_t alg, chunk_t seed, + bool hash_seed) +{ + private_mgf1_t *this; + hasher_t *hasher; + size_t state_len; + + if (seed.len == 0) + { + DBG1(DBG_LIB, "empty seed for MGF1"); + return NULL; + } + + hasher = lib->crypto->create_hasher(lib->crypto, alg); + if (!hasher) + { + DBG1(DBG_LIB, "failed to create %N hasher for MGF1", + hash_algorithm_names, alg); + return NULL; + } + state_len = (hash_seed ? hasher->get_hash_size(hasher) : seed.len) + 4; + + INIT(this, + .public = { + .get_hash_size = _get_hash_size, + .allocate_mask = _allocate_mask, + .get_mask = _get_mask, + .destroy = _destroy, + }, + .hasher = hasher, + .state = chunk_alloc(state_len), + ); + + /* determine position of the 4 octet counter string */ + this->ctr_str = this->state.ptr + state_len - 4; + + if (hash_seed) + { + if (!hasher->get_hash(hasher, seed, this->state.ptr)) + { + DBG1(DBG_LIB, "failed to hash seed for MGF1"); + destroy(this); + return NULL; + } + } + else + { + memcpy(this->state.ptr, seed.ptr, seed.len); + } + + return &this->public; +} diff --git a/src/libstrongswan/crypto/mgf1/mgf1.h b/src/libstrongswan/crypto/mgf1/mgf1.h new file mode 100644 index 000000000..592d31596 --- /dev/null +++ b/src/libstrongswan/crypto/mgf1/mgf1.h @@ -0,0 +1,77 @@ +/* + * Copyright (C) 2013-2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup mgf1 mgf1 + * @{ @ingroup crypto + */ + +#ifndef MGF1_H_ +#define MGF1_H_ + +typedef struct mgf1_t mgf1_t; + +#include + +/** + * Implements the PKCS#1 MGF1 Mask Generation Function based on a hash function + * defined in section 10.2.1 of RFC 2437 + */ +struct mgf1_t { + + /** + * Get the hash size of the underlying hash function + * + * @return hash size in bytes + */ + size_t (*get_hash_size)(mgf1_t *this); + + /** + * Generate a mask pattern and copy it to an output buffer + * If the maximum number of requests has been reached, reseeding occurs + * + * @param mask_len number of mask bytes to generate + * @param mask output buffer of minimum size mask_len + * @return TRUE if successful + */ + bool (*get_mask)(mgf1_t *this, size_t mask_len, u_char *mask); + + /** + * Generate a mask pattern and return it in an allocated chunk + * + * @param mask_len number of mask bytes to generate + * @param mask chunk containing generated mask + * @return TRUE if successful + */ + bool (*allocate_mask)(mgf1_t *this, size_t mask_len, chunk_t *mask); + + /** + * Destroy the MGF1 object + */ + void (*destroy)(mgf1_t *this); +}; + +/** + * Create an MGF1 object + * + * @param alg hash algorithm to be used by MGF1 + * @param seed seed used by MGF1 to generate mask from + * @param hash_seed hash seed before using it as a seed for MGF1 + */ +mgf1_t *mgf1_create(hash_algorithm_t alg, chunk_t seed, + bool hash_seed); + +#endif /** MGF1_H_ @}*/ + diff --git a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c new file mode 100644 index 000000000..ef0a2bd01 --- /dev/null +++ b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c @@ -0,0 +1,208 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "mgf1_bitspender.h" + +#include + +typedef struct private_mgf1_bitspender_t private_mgf1_bitspender_t; + +/** + * Private data structure for mgf1_bitspender_t object + */ +struct private_mgf1_bitspender_t { + /** + * Public interface. + */ + mgf1_bitspender_t public; + + /** + * MGF1 bit mask generator + */ + mgf1_t *mgf1; + + /** + * Octet storage (accommodates up to 64 octets) + */ + uint8_t octets[HASH_SIZE_SHA512]; + + /** + * Length of the returned hash value in octets + */ + int hash_len; + + /** + * Number of generated octets + */ + int octets_count; + + /** + * Number of available octets + */ + int octets_left; + + /** + * Bit storage (accommodates up to 32 bits) + */ + uint32_t bits; + + /** + * Number of available bits + */ + int bits_left; + + /** + * Byte storage (accommodates up to 4 bytes) + */ + uint8_t bytes[4]; + + /** + * Number of available bytes + */ + int bytes_left; + +}; + +METHOD(mgf1_bitspender_t, get_bits, bool, + private_mgf1_bitspender_t *this, int bits_needed, uint32_t *bits) +{ + int bits_now; + + *bits = 0x00000000; + + if (bits_needed == 0) + { + /* trivial */ + return TRUE; + } + if (bits_needed > 32) + { + /* too many bits requested */ + return FALSE; + } + + while (bits_needed) + { + if (this->bits_left == 0) + { + if (this->octets_left == 0) + { + /* get another block from MGF1 */ + if (!this->mgf1->get_mask(this->mgf1, this->hash_len, + this->octets)) + { + /* no block available */ + return FALSE; + } + this->octets_left = this->hash_len; + this->octets_count += this->hash_len; + } + this->bits = untoh32(this->octets + this->hash_len - + this->octets_left); + this->bits_left = 32; + this->octets_left -= 4; + } + if (bits_needed > this->bits_left) + { + bits_now = this->bits_left; + this->bits_left = 0; + bits_needed -= bits_now; + } + else + { + bits_now = bits_needed; + this->bits_left -= bits_needed; + bits_needed = 0; + } + if (bits_now == 32) + { + *bits = this->bits; + } + else + { + *bits <<= bits_now; + *bits |= this->bits >> this->bits_left; + if (this->bits_left) + { + this->bits &= 0xffffffff >> (32 - this->bits_left); + } + } + } + return TRUE; +} + +METHOD(mgf1_bitspender_t, get_byte, bool, + private_mgf1_bitspender_t *this, uint8_t *byte) +{ + if (this->bytes_left == 0) + { + if (this->octets_left == 0) + { + /* get another block from MGF1 */ + if (!this->mgf1->get_mask(this->mgf1, this->hash_len, this->octets)) + { + /* no block available */ + return FALSE; + } + this->octets_left = this->hash_len; + this->octets_count += this->hash_len; + } + memcpy(this->bytes, this->octets + this->hash_len - this->octets_left, 4); + this->bytes_left = 4; + this->octets_left -= 4; + } + *byte = this->bytes[4 - this->bytes_left--]; + + return TRUE; +} + +METHOD(mgf1_bitspender_t, destroy, void, + private_mgf1_bitspender_t *this) +{ + DBG2(DBG_LIB, "mgf1 generated %u octets", this->octets_count); + memwipe(this->octets, sizeof(this->octets)); + this->mgf1->destroy(this->mgf1); + free(this); +} + +/** + * See header. + */ +mgf1_bitspender_t *mgf1_bitspender_create(hash_algorithm_t alg, chunk_t seed, + bool hash_seed) +{ + private_mgf1_bitspender_t *this; + mgf1_t *mgf1; + + mgf1 = mgf1_create(alg, seed, hash_seed); + if (!mgf1) + { + return NULL; + } + DBG2(DBG_LIB, "mgf1 based on %N is seeded with %u octets", + hash_algorithm_short_names, alg, seed.len); + + INIT(this, + .public = { + .get_bits = _get_bits, + .get_byte = _get_byte, + .destroy = _destroy, + }, + .mgf1 = mgf1, + .hash_len = mgf1->get_hash_size(mgf1), + ); + + return &this->public; +} diff --git a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h new file mode 100644 index 000000000..f7df8e834 --- /dev/null +++ b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h @@ -0,0 +1,67 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup mgf1_bitspender mgf1_bitspender + * @{ @ingroup mgf1 + */ + +#ifndef MGF1_BITSPENDER_H_ +#define MGF1_BITSPENDER_H_ + +#include +#include + +typedef struct mgf1_bitspender_t mgf1_bitspender_t; + +/** + * Generates a given number of pseudo-random bits at a time using MGF1 + */ +struct mgf1_bitspender_t { + + /** + * Get pseudo-random bits + * + * @param bits_needed Number of needed bits (1..32) + * @param bits Pseudo-random bits + * @result FALSE if internal MGF1 error occurred + */ + bool (*get_bits)(mgf1_bitspender_t *this, int bits_needed, uint32_t *bits); + + /** + * Get a pseudo-random byte + * + * @param byte Pseudo-random byte + * @result FALSE if internal MGF1 error occurred + */ + bool (*get_byte)(mgf1_bitspender_t *this, uint8_t *byte); + + /** + * Destroy mgf1_bitspender_t object + */ + void (*destroy)(mgf1_bitspender_t *this); +}; + +/** + * Create a mgf1_bitspender_t object + * + * @param alg Hash algorithm to be used with MGF1 + * @param seed Seed used to initialize MGF1 + * @param hash_seed Hash seed before using it as a seed for MFG1 + */ +mgf1_bitspender_t *mgf1_bitspender_create(hash_algorithm_t alg, chunk_t seed, + bool hash_seed); + +#endif /** MGF1_BITSPENDER_H_ @}*/ diff --git a/src/libstrongswan/crypto/pkcs5.c b/src/libstrongswan/crypto/pkcs5.c index 3b4df0e8a..478926f2f 100644 --- a/src/libstrongswan/crypto/pkcs5.c +++ b/src/libstrongswan/crypto/pkcs5.c @@ -108,13 +108,13 @@ struct private_pkcs5_t { * Verify padding of decrypted blob. * Length of blob is adjusted accordingly. */ -static bool verify_padding(chunk_t *blob) +static bool verify_padding(crypter_t *crypter, chunk_t *blob) { u_int8_t padding, count; padding = count = blob->ptr[blob->len - 1]; - if (padding > 8) + if (padding > crypter->get_block_size(crypter)) { return FALSE; } @@ -153,7 +153,7 @@ static bool decrypt_generic(private_pkcs5_t *this, chunk_t password, return FALSE; } memwipe(keymat.ptr, keymat.len); - if (verify_padding(decrypted)) + if (verify_padding(this->crypter, decrypted)) { return TRUE; } @@ -504,6 +504,7 @@ static bool parse_pbes2_params(private_pkcs5_t *this, chunk_t blob, int level0) { asn1_parser_t *parser; chunk_t object, params; + size_t keylen; int objectID; bool success = FALSE; @@ -533,20 +534,35 @@ static bool parse_pbes2_params(private_pkcs5_t *this, chunk_t blob, int level0) { int oid = asn1_parse_algorithmIdentifier(object, parser->get_level(parser) + 1, ¶ms); - if (oid != OID_3DES_EDE_CBC) + this->encr = encryption_algorithm_from_oid(oid, &keylen); + if (this->encr == ENCR_UNDEFINED) { /* unsupported encryption scheme */ goto end; } - if (this->keylen <= 0) - { /* default key length for DES-EDE3-CBC-Pad */ - this->keylen = 24; + /* prefer encoded key length */ + this->keylen = this->keylen ?: keylen / 8; + if (!this->keylen) + { /* set default key length for known algorithms */ + switch (this->encr) + { + case ENCR_DES: + this->keylen = 8; + break; + case ENCR_3DES: + this->keylen = 24; + break; + case ENCR_BLOWFISH: + this->keylen = 16; + break; + default: + goto end; + } } if (!asn1_parse_simple_object(¶ms, ASN1_OCTET_STRING, parser->get_level(parser) + 1, "IV")) { goto end; } - this->encr = ENCR_3DES; this->data.pbes2.iv = chunk_clone(params); break; } diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c index 4bbd918a0..f2ee11ee8 100644 --- a/src/libstrongswan/ipsec/ipsec_types.c +++ b/src/libstrongswan/ipsec/ipsec_types.c @@ -48,7 +48,15 @@ bool mark_from_string(const char *value, mark_t *mark) { return FALSE; } - mark->value = strtoul(value, &endptr, 0); + if (strcasepfx(value, "%unique")) + { + mark->value = MARK_UNIQUE; + endptr = (char*)value + strlen("%unique"); + } + else + { + mark->value = strtoul(value, &endptr, 0); + } if (*endptr) { if (*endptr != '/') diff --git a/src/libstrongswan/ipsec/ipsec_types.h b/src/libstrongswan/ipsec/ipsec_types.h index c1465e097..fa122af30 100644 --- a/src/libstrongswan/ipsec/ipsec_types.h +++ b/src/libstrongswan/ipsec/ipsec_types.h @@ -169,9 +169,9 @@ struct mark_t { }; /** - * Special mark value that uses the reqid of the CHILD_SA as mark + * Special mark value that uses a unique mark for each CHILD_SA */ -#define MARK_REQID (0xFFFFFFFF) +#define MARK_UNIQUE (0xFFFFFFFF) /** * Try to parse a mark_t from the given string of the form mark[/mask]. diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h index 2bd5e3523..3a6dd1ba4 100644 --- a/src/libstrongswan/library.h +++ b/src/libstrongswan/library.h @@ -79,6 +79,9 @@ * * @defgroup utils utils * @ingroup libstrongswan + * + * @defgroup compat compat + * @ingroup utils */ /** diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c index 8d04a4ec9..07da3ef3b 100644 --- a/src/libstrongswan/networking/host.c +++ b/src/libstrongswan/networking/host.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2012 Tobias Brunner + * Copyright (C) 2006-2014 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -525,6 +525,42 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port) return &this->public; } +/* + * Described in header. + */ +bool host_create_from_range(char *string, host_t **from, host_t **to) +{ + char *sep, *pos; + + sep = strchr(string, '-'); + if (!sep) + { + return FALSE; + } + for (pos = sep+1; *pos && *pos == ' '; pos++) + { + /* trim spaces before to address*/ + } + *to = host_create_from_string(pos, 0); + if (!*to) + { + return FALSE; + } + for (pos = sep-1; pos > string && *pos == ' '; pos--) + { + /* trim spaces behind from address */ + } + pos = strndup(string, pos - string + 1); + *from = host_create_from_string_and_family(pos, (*to)->get_family(*to), 0); + free(pos); + if (!*from) + { + (*to)->destroy(*to); + return FALSE; + } + return TRUE; +} + /* * Described in header. */ diff --git a/src/libstrongswan/networking/host.h b/src/libstrongswan/networking/host.h index 9c9b5035f..db6f4dd49 100644 --- a/src/libstrongswan/networking/host.h +++ b/src/libstrongswan/networking/host.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2009 Tobias Brunner + * Copyright (C) 2006-2014 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -24,6 +24,9 @@ #ifndef HOST_H_ #define HOST_H_ +#include +#include + typedef enum host_diff_t host_diff_t; typedef struct host_t host_t; @@ -31,9 +34,6 @@ typedef struct host_t host_t; #include #include -#include -#include - /** * Representates a Host * @@ -180,6 +180,19 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port); */ host_t *host_create_from_sockaddr(sockaddr_t *sockaddr); +/** + * Parse a range definition (1.2.3.0-1.2.3.5), return the two hosts. + * + * The two hosts are not ordered, from is simply the first, to is the second, + * from is not necessarily smaller. + * + * @param string string to parse + * @param from returns the first address (out) + * @param to returns the second address (out) + * @return TRUE if parsed successfully, FALSE otherwise + */ +bool host_create_from_range(char *string, host_t **from, host_t **to); + /** * Create a host from a CIDR subnet definition (1.2.3.0/24), return bits. * diff --git a/src/libstrongswan/networking/host_resolver.c b/src/libstrongswan/networking/host_resolver.c index a7524ac23..bad87e434 100644 --- a/src/libstrongswan/networking/host_resolver.c +++ b/src/libstrongswan/networking/host_resolver.c @@ -163,20 +163,25 @@ static void *resolve_hosts(private_host_resolver_t *this) int error; bool old, timed_out; + /* default resolver threads to non-cancellable */ + thread_cancelability(FALSE); + while (TRUE) { this->mutex->lock(this->mutex); - thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex); while (this->queue->remove_first(this->queue, (void**)&query) != SUCCESS) { - old = thread_cancelability(TRUE); + if (this->disabled) + { + this->mutex->unlock(this->mutex); + return NULL; + } timed_out = this->new_query->timed_wait(this->new_query, this->mutex, NEW_QUERY_WAIT_TIMEOUT * 1000); - thread_cancelability(old); if (this->disabled) { - thread_cleanup_pop(TRUE); + this->mutex->unlock(this->mutex); return NULL; } else if (timed_out && (this->threads > this->min_threads)) @@ -185,13 +190,13 @@ static void *resolve_hosts(private_host_resolver_t *this) this->threads--; this->pool->remove(this->pool, thread, NULL); - thread_cleanup_pop(TRUE); + this->mutex->unlock(this->mutex); thread->detach(thread); return NULL; } } this->busy_threads++; - thread_cleanup_pop(TRUE); + this->mutex->unlock(this->mutex); memset(&hints, 0, sizeof(hints)); hints.ai_family = query->family; diff --git a/src/libstrongswan/networking/tun_device.c b/src/libstrongswan/networking/tun_device.c index ff2c4a337..81d215677 100644 --- a/src/libstrongswan/networking/tun_device.c +++ b/src/libstrongswan/networking/tun_device.c @@ -346,40 +346,27 @@ METHOD(tun_device_t, write_packet, bool, METHOD(tun_device_t, read_packet, bool, private_tun_device_t *this, chunk_t *packet) { + chunk_t data; ssize_t len; - fd_set set; bool old; - FD_ZERO(&set); - FD_SET(this->tunfd, &set); + data = chunk_alloca(get_mtu(this)); old = thread_cancelability(TRUE); - len = select(this->tunfd + 1, &set, NULL, NULL, NULL); + len = read(this->tunfd, data.ptr, data.len); thread_cancelability(old); - - if (len < 0) - { - DBG1(DBG_LIB, "select on TUN device %s failed: %s", this->if_name, - strerror(errno)); - return FALSE; - } - /* FIXME: this is quite expensive for lots of small packets, copy from - * local buffer instead? */ - *packet = chunk_alloc(get_mtu(this)); - len = read(this->tunfd, packet->ptr, packet->len); if (len < 0) { DBG1(DBG_LIB, "reading from TUN device %s failed: %s", this->if_name, strerror(errno)); - chunk_free(packet); return FALSE; } - packet->len = len; + data.len = len; #ifdef __APPLE__ /* UTUN's prepend packets with a 32-bit protocol number */ - packet->len -= sizeof(u_int32_t); - memmove(packet->ptr, packet->ptr + sizeof(u_int32_t), packet->len); + data = chunk_skip(data, sizeof(u_int32_t)); #endif + *packet = chunk_clone(data); return TRUE; } diff --git a/src/libstrongswan/networking/tun_device.h b/src/libstrongswan/networking/tun_device.h index 543125beb..880369ba7 100644 --- a/src/libstrongswan/networking/tun_device.h +++ b/src/libstrongswan/networking/tun_device.h @@ -31,8 +31,6 @@ typedef struct tun_device_t tun_device_t; * Class to create TUN devices * * Creating such a device requires the CAP_NET_ADMIN capability. - * - * @note The implementation is currently very Linux specific */ struct tun_device_t { @@ -42,7 +40,7 @@ struct tun_device_t { * @note This call blocks until a packet is available. It is a thread * cancellation point. * - * @param packet the packet read from the device + * @param packet the packet read from the device, allocated * @return TRUE if successful */ bool (*read_packet)(tun_device_t *this, chunk_t *packet); diff --git a/src/libstrongswan/plugins/acert/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in index 425e8f1a9..65542ea5d 100644 --- a/src/libstrongswan/plugins/acert/Makefile.in +++ b/src/libstrongswan/plugins/acert/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 11dcf2907..9d79c81ee 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in index 279000d88..4a86f9640 100644 --- a/src/libstrongswan/plugins/af_alg/Makefile.in +++ b/src/libstrongswan/plugins/af_alg/Makefile.in @@ -230,6 +230,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.c b/src/libstrongswan/plugins/af_alg/af_alg_prf.c index 720738a84..2b7d51376 100644 --- a/src/libstrongswan/plugins/af_alg/af_alg_prf.c +++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.c @@ -139,6 +139,7 @@ METHOD(prf_t, set_key, bool, { char buf[this->block_size]; + this->ops->reset(this->ops); if (this->xcbc) { /* The kernel currently does not support variable length XCBC keys, diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.c b/src/libstrongswan/plugins/af_alg/af_alg_signer.c index 6ee380633..9ad01103a 100644 --- a/src/libstrongswan/plugins/af_alg/af_alg_signer.c +++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.c @@ -156,6 +156,7 @@ METHOD(signer_t, get_block_size, size_t, METHOD(signer_t, set_key, bool, private_af_alg_signer_t *this, chunk_t key) { + this->ops->reset(this->ops); return this->ops->set_key(this->ops, key); } diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index c8e8112c5..292c2fd90 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -228,6 +228,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/bliss/Makefile.am b/src/libstrongswan/plugins/bliss/Makefile.am new file mode 100644 index 000000000..e2aaaf55c --- /dev/null +++ b/src/libstrongswan/plugins/bliss/Makefile.am @@ -0,0 +1,54 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) \ + @COVERAGE_CFLAGS@ + +# these file are also used by bliss_huffman +noinst_LTLIBRARIES = libbliss-params.la +libbliss_params_la_SOURCES = \ + bliss_param_set.h bliss_param_set.c \ + bliss_fft_params.h bliss_fft_params.c + +# these files are also used by the tests, we can't directly refer to them +# because of the subdirectory, which would cause distclean to fail +noinst_LTLIBRARIES += libbliss.la +libbliss_la_SOURCES = \ + bliss_private_key.h bliss_private_key.c \ + bliss_public_key.h bliss_public_key.c \ + bliss_signature.h bliss_signature.c \ + bliss_utils.h bliss_utils.c \ + bliss_bitpacker.h bliss_bitpacker.c \ + bliss_fft.h bliss_fft.c \ + bliss_huffman_code.h bliss_huffman_code.c \ + bliss_huffman_code_1.c bliss_huffman_code_3.c bliss_huffman_code_4.c \ + bliss_huffman_coder.h bliss_huffman_coder.c \ + bliss_sampler.h bliss_sampler.c +libbliss_la_LIBADD = libbliss-params.la + +if MONOLITHIC +noinst_LTLIBRARIES += libstrongswan-bliss.la +else +plugin_LTLIBRARIES = libstrongswan-bliss.la +endif + +libstrongswan_bliss_la_SOURCES = \ + bliss_plugin.h bliss_plugin.c + +libstrongswan_bliss_la_LDFLAGS = -module -avoid-version + +libstrongswan_bliss_la_LIBADD = libbliss.la + +noinst_PROGRAMS = bliss_huffman + +bliss_huffman_SOURCES = bliss_huffman.c +bliss_huffman_LDADD = -lm libbliss-params.la + +recreate-bliss-huffman : bliss_huffman bliss_huffman_code.h + $(AM_V_GEN) \ + ./bliss_huffman 1 8 > $(srcdir)/bliss_huffman_code_1.c 2>/dev/null + $(AM_V_GEN) \ + ./bliss_huffman 3 16 > $(srcdir)/bliss_huffman_code_3.c 2>/dev/null + $(AM_V_GEN) \ + ./bliss_huffman 4 32 > $(srcdir)/bliss_huffman_code_4.c 2>/dev/null diff --git a/src/libstrongswan/plugins/bliss/Makefile.in b/src/libstrongswan/plugins/bliss/Makefile.in new file mode 100644 index 000000000..1361dd340 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/Makefile.in @@ -0,0 +1,862 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@MONOLITHIC_TRUE@am__append_1 = libstrongswan-bliss.la +noinst_PROGRAMS = bliss_huffman$(EXEEXT) +subdir = src/libstrongswan/plugins/bliss +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libbliss_params_la_LIBADD = +am_libbliss_params_la_OBJECTS = bliss_param_set.lo bliss_fft_params.lo +libbliss_params_la_OBJECTS = $(am_libbliss_params_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libbliss_la_DEPENDENCIES = libbliss-params.la +am_libbliss_la_OBJECTS = bliss_private_key.lo bliss_public_key.lo \ + bliss_signature.lo bliss_utils.lo bliss_bitpacker.lo \ + bliss_fft.lo bliss_huffman_code.lo bliss_huffman_code_1.lo \ + bliss_huffman_code_3.lo bliss_huffman_code_4.lo \ + bliss_huffman_coder.lo bliss_sampler.lo +libbliss_la_OBJECTS = $(am_libbliss_la_OBJECTS) +libstrongswan_bliss_la_DEPENDENCIES = libbliss.la +am_libstrongswan_bliss_la_OBJECTS = bliss_plugin.lo +libstrongswan_bliss_la_OBJECTS = $(am_libstrongswan_bliss_la_OBJECTS) +libstrongswan_bliss_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_bliss_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_bliss_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_bliss_la_rpath = +PROGRAMS = $(noinst_PROGRAMS) +am_bliss_huffman_OBJECTS = bliss_huffman.$(OBJEXT) +bliss_huffman_OBJECTS = $(am_bliss_huffman_OBJECTS) +bliss_huffman_DEPENDENCIES = libbliss-params.la +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libbliss_params_la_SOURCES) $(libbliss_la_SOURCES) \ + $(libstrongswan_bliss_la_SOURCES) $(bliss_huffman_SOURCES) +DIST_SOURCES = $(libbliss_params_la_SOURCES) $(libbliss_la_SOURCES) \ + $(libstrongswan_bliss_la_SOURCES) $(bliss_huffman_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) \ + @COVERAGE_CFLAGS@ + + +# these file are also used by bliss_huffman + +# these files are also used by the tests, we can't directly refer to them +# because of the subdirectory, which would cause distclean to fail +noinst_LTLIBRARIES = libbliss-params.la libbliss.la $(am__append_1) +libbliss_params_la_SOURCES = \ + bliss_param_set.h bliss_param_set.c \ + bliss_fft_params.h bliss_fft_params.c + +libbliss_la_SOURCES = \ + bliss_private_key.h bliss_private_key.c \ + bliss_public_key.h bliss_public_key.c \ + bliss_signature.h bliss_signature.c \ + bliss_utils.h bliss_utils.c \ + bliss_bitpacker.h bliss_bitpacker.c \ + bliss_fft.h bliss_fft.c \ + bliss_huffman_code.h bliss_huffman_code.c \ + bliss_huffman_code_1.c bliss_huffman_code_3.c bliss_huffman_code_4.c \ + bliss_huffman_coder.h bliss_huffman_coder.c \ + bliss_sampler.h bliss_sampler.c + +libbliss_la_LIBADD = libbliss-params.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-bliss.la +libstrongswan_bliss_la_SOURCES = \ + bliss_plugin.h bliss_plugin.c + +libstrongswan_bliss_la_LDFLAGS = -module -avoid-version +libstrongswan_bliss_la_LIBADD = libbliss.la +bliss_huffman_SOURCES = bliss_huffman.c +bliss_huffman_LDADD = -lm libbliss-params.la +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/bliss/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/bliss/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libbliss-params.la: $(libbliss_params_la_OBJECTS) $(libbliss_params_la_DEPENDENCIES) $(EXTRA_libbliss_params_la_DEPENDENCIES) + $(AM_V_CCLD)$(LINK) $(libbliss_params_la_OBJECTS) $(libbliss_params_la_LIBADD) $(LIBS) + +libbliss.la: $(libbliss_la_OBJECTS) $(libbliss_la_DEPENDENCIES) $(EXTRA_libbliss_la_DEPENDENCIES) + $(AM_V_CCLD)$(LINK) $(libbliss_la_OBJECTS) $(libbliss_la_LIBADD) $(LIBS) + +libstrongswan-bliss.la: $(libstrongswan_bliss_la_OBJECTS) $(libstrongswan_bliss_la_DEPENDENCIES) $(EXTRA_libstrongswan_bliss_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_bliss_la_LINK) $(am_libstrongswan_bliss_la_rpath) $(libstrongswan_bliss_la_OBJECTS) $(libstrongswan_bliss_la_LIBADD) $(LIBS) + +clean-noinstPROGRAMS: + @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +bliss_huffman$(EXEEXT): $(bliss_huffman_OBJECTS) $(bliss_huffman_DEPENDENCIES) $(EXTRA_bliss_huffman_DEPENDENCIES) + @rm -f bliss_huffman$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(bliss_huffman_OBJECTS) $(bliss_huffman_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_bitpacker.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_fft.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_fft_params.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_code.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_code_1.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_code_3.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_code_4.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_coder.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_param_set.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_private_key.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_public_key.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_sampler.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_signature.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_utils.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-noinstPROGRAMS clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-noinstPROGRAMS \ + clean-pluginLTLIBRARIES cscopelist-am ctags ctags-am distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-pluginLTLIBRARIES \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +recreate-bliss-huffman : bliss_huffman bliss_huffman_code.h + $(AM_V_GEN) \ + ./bliss_huffman 1 8 > $(srcdir)/bliss_huffman_code_1.c 2>/dev/null + $(AM_V_GEN) \ + ./bliss_huffman 3 16 > $(srcdir)/bliss_huffman_code_3.c 2>/dev/null + $(AM_V_GEN) \ + ./bliss_huffman 4 32 > $(srcdir)/bliss_huffman_code_4.c 2>/dev/null + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/bliss/bliss_bitpacker.c b/src/libstrongswan/plugins/bliss/bliss_bitpacker.c new file mode 100644 index 000000000..4d8446119 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_bitpacker.c @@ -0,0 +1,207 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY;https://www.hsr.ch/HSR-intern-Anmeldung.4409.0.html?&no_cache=1 without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "bliss_bitpacker.h" + +typedef struct private_bliss_bitpacker_t private_bliss_bitpacker_t; + +/** + * Private data structure for bliss_bitpacker_t object + */ +struct private_bliss_bitpacker_t { + /** + * Public interface. + */ + bliss_bitpacker_t public; + + /** + * Current number of bits written to buffer + */ + size_t bits; + + /** + * Bit buffer for up to 32 bits + */ + uint32_t bits_buf; + + /** + * Bits left in the bit buffer + */ + size_t bits_left; + + /** + * Buffer + */ + chunk_t buf; + + /** + * Read/Write pointer into buffer + */ + chunk_t pos; + +}; + +METHOD(bliss_bitpacker_t, get_bits, size_t, + private_bliss_bitpacker_t *this) +{ + return this->bits; +} + +METHOD(bliss_bitpacker_t, write_bits, bool, + private_bliss_bitpacker_t *this, uint32_t value, size_t bits) +{ + if (bits == 0) + { + return TRUE; + } + if (bits > 32) + { + return FALSE; + } + if (bits < 32) + { + value &= (1 << bits) - 1; + } + this->bits += bits; + + while (TRUE) + { + if (bits <= this->bits_left) + { + this->bits_buf |= value << (this->bits_left - bits); + this->bits_left -= bits; + return TRUE; + } + + this->bits_buf |= value >> (bits - this->bits_left); + value &= (1 << (bits - this->bits_left)) - 1; + bits -= this->bits_left; + + if (this->pos.len < 8) + { + return FALSE; + } + htoun32(this->pos.ptr, this->bits_buf); + this->pos = chunk_skip(this->pos, 4); + this->bits_buf = 0; + this->bits_left = 32; + } +} + +METHOD(bliss_bitpacker_t, read_bits, bool, + private_bliss_bitpacker_t *this, uint32_t *value, size_t bits) +{ + if (bits > 32) + { + return FALSE; + } + *value = 0; + + while (TRUE) + { + if (this->bits_left == 0) + { + if (this->pos.len < 4) + { + return FALSE; + } + this->bits_buf = untoh32(this->pos.ptr); + this->pos = chunk_skip(this->pos, 4); + this->bits_left = 32; + } + if (bits <= this->bits_left) + { + *value |= this->bits_buf >> (this->bits_left - bits); + this->bits_buf &= (1 << (this->bits_left - bits)) - 1; + this->bits_left -= bits; + + return TRUE; + } + *value |= this->bits_buf << (bits - this->bits_left); + bits -= this->bits_left; + this->bits_left = 0; + } +} + +METHOD(bliss_bitpacker_t, extract_buf, chunk_t, + private_bliss_bitpacker_t *this) +{ + chunk_t buf; + + htoun32(this->pos.ptr, this->bits_buf); + this->pos.len -= 4; + buf = this->buf; + buf.len = this->buf.len - this->pos.len - this->bits_left/8; + this->buf = this->pos = chunk_empty; + + return buf; +} + +METHOD(bliss_bitpacker_t, destroy, void, + private_bliss_bitpacker_t *this) +{ + free(this->buf.ptr); + free(this); +} + +/** + * See header. + */ +bliss_bitpacker_t *bliss_bitpacker_create(uint16_t max_bits) +{ + private_bliss_bitpacker_t *this; + + INIT(this, + .public = { + .get_bits = _get_bits, + .write_bits = _write_bits, + .read_bits = _read_bits, + .extract_buf = _extract_buf, + .destroy = _destroy, + }, + .bits_left = 32, + .buf = chunk_alloc(round_up(max_bits, 32)/8), + ); + + this->pos = this->buf; + + return &this->public; +} + +/** + * See header. + */ +bliss_bitpacker_t *bliss_bitpacker_create_from_data(chunk_t data) +{ + private_bliss_bitpacker_t *this; + + INIT(this, + .public = { + .get_bits = _get_bits, + .write_bits = _write_bits, + .read_bits = _read_bits, + .extract_buf = _extract_buf, + .destroy = _destroy, + }, + .bits = 8 * data.len, + .buf = chunk_alloc(round_up(data.len, 4)), + ); + + memset(this->buf.ptr + this->buf.len - 4, 0x00, 4); + memcpy(this->buf.ptr, data.ptr, data.len); + this->pos = this->buf; + + return &this->public; +} diff --git a/src/libstrongswan/plugins/bliss/bliss_bitpacker.h b/src/libstrongswan/plugins/bliss/bliss_bitpacker.h new file mode 100644 index 000000000..2fe6cba1c --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_bitpacker.h @@ -0,0 +1,85 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup bliss_bitpacker bliss_bitpacker + * @{ @ingroup bliss_p + */ + +#ifndef BLISS_BITPACKER_H_ +#define BLISS_BITPACKER_H_ + +#include + +typedef struct bliss_bitpacker_t bliss_bitpacker_t; + +/** + * Reads and writes a variable number of bits in packed format + * from and to an octet buffer + */ +struct bliss_bitpacker_t { + + /** + * Get the number of bits written into buffer + * + * @result Number of bits written + */ + size_t (*get_bits)(bliss_bitpacker_t *this); + + /** + * Get the prime modulus of the Number Theoretic Transform + * + * @param value Value to be written + * @param bits Number of bits to be written + * @result TRUE if value could be written into buffer + */ + bool (*write_bits)(bliss_bitpacker_t *this, uint32_t value, size_t bits); + + + /** + * Get the prime modulus of the Number Theoretic Transform + * + * @param value Value returned + * @param bits Number of bits to be read + * @result TRUE if value could be read from buffer + */ + bool (*read_bits)(bliss_bitpacker_t *this, uint32_t *value, size_t bits); + + /** + * Detach the internal octet buffer and return it + */ + chunk_t (*extract_buf)(bliss_bitpacker_t *this); + + /** + * Destroy bliss_bitpacker_t object + */ + void (*destroy)(bliss_bitpacker_t *this); +}; + +/** + * Create a bliss_bitpacker_t object for writing + * + * @param max_bits Total number of bits to be stored + */ +bliss_bitpacker_t* bliss_bitpacker_create(uint16_t max_bits); + +/** + * Create a bliss_bitpacker_t object for reading + * + * @param data Packed array of bits + */ +bliss_bitpacker_t* bliss_bitpacker_create_from_data(chunk_t data); + +#endif /** BLISS_BITPACKER_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/bliss_fft.c b/src/libstrongswan/plugins/bliss/bliss_fft.c new file mode 100644 index 000000000..033c2144e --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_fft.c @@ -0,0 +1,199 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "bliss_fft.h" + +typedef struct private_bliss_fft_t private_bliss_fft_t; + +/** + * Private data structure for bliss_fft_t object + */ +struct private_bliss_fft_t { + /** + * Public interface. + */ + bliss_fft_t public; + + /** + * FFT parameter set used as constants + */ + bliss_fft_params_t *p; + +}; + +METHOD(bliss_fft_t, get_size, uint16_t, + private_bliss_fft_t *this) +{ + return this->p->n; +} + +METHOD(bliss_fft_t, get_modulus, uint16_t, + private_bliss_fft_t *this) +{ + return this->p->q; +} + +/** + * Do an FFT butterfly operation + * + * x[i1] ---|+|------- x[i1] + * \/ + * /\ w[iw] + * x[i2] ---|-|--|*|-- x[i2] + * + */ +static void butterfly(private_bliss_fft_t *this, uint32_t *x, int i1,int i2, + int iw) +{ + uint32_t xp, xm; + + xp = x[i1] + x[i2]; + xm = x[i1] + (this->p->q - x[i2]); + if (xp >= this->p->q) + { + xp -= this->p->q; + } + x[i1] = xp; + x[i2] = (xm * this->p->w[iw]) % this->p->q; +} + +/** + * Trivial butterfly operation of last FFT stage + */ +static void butterfly_last(private_bliss_fft_t *this, uint32_t *x, int i1) +{ + uint32_t xp, xm; + int i2 = i1 + 1; + + xp = x[i1] + x[i2]; + xm = x[i1] + (this->p->q - x[i2]); + if (xp >= this->p->q) + { + xp -= this->p->q; + } + if (xm >= this->p->q) + { + xm -= this->p->q; + } + x[i1] = xp; + x[i2] = xm; +} + +METHOD(bliss_fft_t, transform, void, + private_bliss_fft_t *this, uint32_t *a, uint32_t *b, bool inverse) +{ + int stage, i, j, k, m, n, t, iw, i_rev; + uint16_t q; + uint32_t tmp; + + /* we are going to use the transform size n and the modulus q a lot */ + n = this->p->n; + q = this->p->q; + + if (!inverse) + { + /* apply linear phase needed for negative wrapped convolution */ + for (i = 0; i < n; i++) + { + b[i] = (a[i] * this->p->w[i]) % q; + } + } + else if (a != b) + { + /* copy if input and output array are not the same */ + for (i = 0; i < n; i++) + { + b[i] = a[i]; + } + } + + m = n; + k = 1; + + for (stage = this->p->stages; stage > 0; stage--) + { + m >>= 1; + t = 0; + + for (j = 0; j < k; j++) + { + if (stage == 1) + { + butterfly_last(this, b, t); + } + else + { + for (i = 0; i < m; i++) + { + iw = 2 * (inverse ? (n - i * k) : (i * k)); + butterfly(this, b, t + i, t + i + m, iw); + } + } + t += 2*m; + } + k <<= 1; + } + + /* Sort output in bit-reverse order */ + for (i = 0; i < n; i++) + { + i_rev = this->p->rev[i]; + + if (i_rev > i) + { + tmp = b[i]; + b[i] = b[i_rev]; + b[i_rev] = tmp; + } + } + + /** + * Compensate the linear phase needed for negative wrapped convolution + * and normalize the output array with 1/n mod q after the inverse FFT. + */ + if (inverse) + { + for (i = 0; i < n; i++) + { + b[i] = (((b[i] * this->p->w[2*n - i]) % q) * this->p->n_inv) % q; + } + } +} + +METHOD(bliss_fft_t, destroy, void, + private_bliss_fft_t *this) +{ + free(this); +} + +/** + * See header. + */ +bliss_fft_t *bliss_fft_create(bliss_fft_params_t *params) +{ + private_bliss_fft_t *this; + + INIT(this, + .public = { + .get_size = _get_size, + .get_modulus = _get_modulus, + .transform = _transform, + .destroy = _destroy, + }, + .p = params, + ); + + return &this->public; +} diff --git a/src/libstrongswan/plugins/bliss/bliss_fft.h b/src/libstrongswan/plugins/bliss/bliss_fft.h new file mode 100644 index 000000000..a79edd2be --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_fft.h @@ -0,0 +1,71 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup bliss_fft bliss_fft + * @{ @ingroup bliss_p + */ + +#ifndef BLISS_FFT_H_ +#define BLISS_FFT_H_ + +#include "bliss_fft_params.h" + +#include + +typedef struct bliss_fft_t bliss_fft_t; + +/** + * Implements a Number Theoretic Transform (NTT) via the FFT algorithm + */ +struct bliss_fft_t { + + /** + * Get the size of the Number Theoretic Transform + * + * @result Transform size + */ + uint16_t (*get_size)(bliss_fft_t *this); + + /** + * Get the prime modulus of the Number Theoretic Transform + * + * @result Prime modulus + */ + uint16_t (*get_modulus)(bliss_fft_t *this); + + /** + * Compute the [inverse] NTT of a polynomial + * + * @param a Coefficient of input polynomial + * @param b Coefficient of output polynomial + * @param inverse TRUE if the inverse NTT has to be computed + */ + void (*transform)(bliss_fft_t *this, uint32_t *a, uint32_t *b, bool inverse); + + /** + * Destroy bliss_fft_t object + */ + void (*destroy)(bliss_fft_t *this); +}; + +/** + * Create a bliss_fft_t object for a given FFT parameter set + * + * @param params FFT parameters + */ +bliss_fft_t *bliss_fft_create(bliss_fft_params_t *params); + +#endif /** BLISS_FFT_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/bliss_fft_params.c b/src/libstrongswan/plugins/bliss/bliss_fft_params.c new file mode 100644 index 000000000..c892c06e6 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_fft_params.c @@ -0,0 +1,215 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "bliss_fft_params.h" + +/** + * FFT parameters for q = 12289 and 2n = 1024 + */ +static uint16_t w_12289_1024[] = { + 1, 49, 2401, 7048, 1260, 295, 2166, 7822, 2319, 3030, + 1002, 12231, 9447, 8210, 9042, 654, 7468, 9551, 1017, 677, + 8595, 3329, 3364, 5079, 3091, 3991, 11224, 9260, 11336, 2459, + 9890, 5339, 3542, 1512, 354, 5057, 2013, 325, 3636, 6118, + 4846, 3963, 9852, 3477, 10616, 4046, 1630, 6136, 5728, 10314, + 1537, 1579, 3637, 6167, 7247, 11011, 11112, 3772, 493, 11868, + 3949, 9166, 6730, 10256, 10984, 9789, 390, 6821, 2426, 8273, + 12129, 4449, 9088, 2908, 7313, 1956, 9821, 1958, 9919, 6760, + 11726, 9280, 27, 1323, 3382, 5961, 9442, 7965, 9326, 2281, + 1168, 8076, 2476, 10723, 9289, 468, 10643, 5369, 5012, 12097, + + 2881, 5990, 10863, 3860, 4805, 1954, 9723, 9445, 8112, 4240, + 11136, 4948, 8961, 8974, 9611, 3957, 9558, 1360, 5195, 8775, + 12149, 5429, 7952, 8689, 7935, 7856, 3985, 10930, 7143, 5915, + 7188, 8120, 4632, 5766, 12176, 6752, 11334, 2361, 5088, 3532, + 1022, 922, 8311, 1702, 9664, 6554, 1632, 6234, 10530, 12121, + 4057, 2169, 7969, 9522, 11885, 4782, 827, 3656, 7098, 3710, + 9744, 10474, 9377, 4780, 729, 11143, 5291, 1190, 9154, 6142, + 6022, 142, 6958, 9139, 5407, 6874, 5023, 347, 4714, 9784, + 145, 7105, 4053, 1973, 10654, 5908, 6845, 3602, 4452, 9235, + 10111, 3879, 5736, 10706, 8456, 8807, 1428, 8527, 12286, 12142, + + 5086, 3434, 8509, 11404, 5791, 1112, 5332, 3199, 9283, 174, + 8526, 12237, 9741, 10327, 2174, 8214, 9238, 10258, 11082, 2302, + 2197, 9341, 3016, 316, 3195, 9087, 2859, 4912, 7197, 8561, + 1663, 7753, 11227, 9407, 6250, 11314, 1381, 6224, 10040, 400, + 7311, 1858, 5019, 151, 7399, 6170, 7394, 5925, 7678, 7552, + 1378, 6077, 2837, 3834, 3531, 973, 10810, 1263, 442, 9369, + 4388, 6099, 3915, 7500, 11119, 4115, 5011, 12048, 480, 11231, + 9603, 3565, 2639, 6421, 7404, 6415, 7110, 4298, 1689, 9027, + 12208, 8320, 2143, 6695, 8541, 683, 8889, 5446, 8785, 350, + 4861, 4698, 9000, 10885, 4938, 8471, 9542, 576, 3646, 6608, + + 4278, 709, 10163, 6427, 7698, 8532, 242, 11858, 3459, 9734, + 9984, 9945, 8034, 418, 8193, 8209, 8993, 10542, 420, 8291, + 722, 10800, 773, 1010, 334, 4077, 3149, 6833, 3014, 218, + 10682, 7280, 339, 4322, 2865, 5206, 9314, 1693, 9223, 9523, + 11934, 7183, 7875, 4916, 7393, 5876, 5277, 504, 118, 5782, + 671, 8301, 1212, 10232, 9808, 1321, 3284, 1159, 7635, 5445, + 8736, 10238, 10102, 3438, 8705, 8719, 9405, 6152, 6512, 11863, + 3704, 9450, 8357, 3956, 9509, 11248, 10436, 7515, 11854, 3263, + 130, 6370, 4905, 6854, 4043, 1483, 11222, 9162, 6534, 652, + 7370, 4749, 11499, 10446, 8005, 11286, 9, 441, 9320, 1987, + + 11340, 2655, 7205, 8953, 8582, 2692, 9018, 11767, 11289, 156, + 7644, 5886, 5767, 12225, 9153, 6093, 3621, 5383, 5698, 8844, + 3241, 11341, 2704, 9606, 3712, 9842, 2987, 11184, 7300, 1319, + 3186, 8646, 5828, 2925, 8146, 5906, 6747, 11089, 2645, 6715, + 9521, 11836, 2381, 6068, 2396, 6803, 1544, 1922, 8155, 6347, + 3778, 787, 1696, 9370, 4437, 8500, 10963, 8760, 11414, 6281, + 544, 2078, 3510, 12233, 9545, 723, 10849, 3174, 8058, 1594, + 4372, 5315, 2366, 5333, 3248, 11684, 7222, 9786, 243, 11907, + 5860, 4493, 11244, 10240, 10200, 8240, 10512, 11239, 9995, 10484, + 9867, 4212, 9764, 11454, 8241, 10561, 1351, 4754, 11744, 10162, + + 6378, 5297, 1484, 11271, 11563, 1293, 1912, 7665, 6915, 7032, + 476, 11035, 12288, 12240, 9888, 5241, 11029, 11994, 10123, 4467, + 9970, 9259, 11287, 58, 2842, 4079, 3247, 11635, 4821, 2738, + 11272, 11612, 3694, 8960, 8925, 7210, 9198, 8298, 1065, 3029, + 953, 9830, 2399, 6950, 8747, 10777, 11935, 7232, 10276, 11964, + 8653, 6171, 7443, 8326, 2437, 8812, 1673, 8243, 10659, 6153, + 6561, 1975, 10752, 10710, 8652, 6122, 5042, 1278, 1177, 8517, + 11796, 421, 8340, 3123, 5559, 2033, 1305, 2500, 11899, 5468, + 9863, 4016, 160, 7840, 3201, 9381, 4976, 10333, 2468, 10331, + 2370, 5529, 563, 3009, 12262, 10966, 8907, 6328, 2847, 4324, + + 2963, 10008, 11121, 4213, 9813, 1566, 3000, 11821, 1646, 6920, + 7277, 192, 9408, 6299, 1426, 8429, 7484, 10335, 2566, 2844, + 4177, 8049, 1153, 7341, 3328, 3315, 2678, 8332, 2731, 10929, + 7094, 3514, 140, 6860, 4337, 3600, 4354, 4433, 8304, 1359, + 5146, 6374, 5101, 4169, 7657, 6523, 113, 5537, 955, 9928, + 7201, 8757, 11267, 11367, 3978, 10587, 2625, 5735, 10657, 6055, + 1759, 168, 8232, 10120, 4320, 2767, 404, 7507, 11462, 8633, + 5191, 8579, 2545, 1815, 2912, 7509, 11560, 1146, 6998, 11099, + 3135, 6147, 6267, 12147, 5331, 3150, 6882, 5415, 7266, 11942, + 7575, 2505, 12144, 5184, 8236, 10316, 1635, 6381, 5444, 8687, + + 7837, 3054, 2178, 8410, 6553, 1583, 3833, 3482, 10861, 3762, + 3, 147, 7203, 8855, 3780, 885, 6498, 11177, 6957, 9090, + 3006, 12115, 3763, 52, 2548, 1962, 10115, 4075, 3051, 2031, + 1207, 9987, 10092, 2948, 9273, 11973, 9094, 3202, 9430, 7377, + 5092, 3728, 10626, 4536, 1062, 2882, 6039, 975, 10908, 6065, + 2249, 11889, 4978, 10431, 7270, 12138, 4890, 6119, 4895, 6364, + 4611, 4737, 10911, 6212, 9452, 8455, 8758, 11316, 1479, 11026, + 11847, 2920, 7901, 6190, 8374, 4789, 1170, 8174, 7278, 241, + 11809, 1058, 2686, 8724, 9650, 5868, 4885, 5874, 5179, 7991, + 10600, 3262, 81, 3969, 10146, 5594, 3748, 11606, 3400, 6843, + + 3504, 11939, 7428, 7591, 3289, 1404, 7351, 3818, 2747, 11713, + 8643, 5681, 8011, 11580, 2126, 5862, 4591, 3757, 12047, 431, + 8830, 2555, 2305, 2344, 4255, 11871, 4096, 4080, 3296, 1747, + 11869, 3998, 11567, 1489, 11516, 11279, 11955, 8212, 9140, 5456, + 9275, 12071, 1607, 5009, 11950, 7967, 9424, 7083, 2975, 10596, + 3066, 2766, 355, 5106, 4414, 7373, 4896, 6413, 7012, 11785, + 12171, 6507, 11618, 3988, 11077, 2057, 2481, 10968, 9005, 11130, + 4654, 6844, 3553, 2051, 2187, 8851, 3584, 3570, 2884, 6137, + 5777, 426, 8585, 2839, 3932, 8333, 2780, 1041, 1853, 4774, + 435, 9026, 12159, 5919, 7384, 5435, 8246, 10806, 1067, 3127, + + 5755, 11637, 4919, 7540, 790, 1843, 4284, 1003, 12280, 11848, + 2969, 10302, 949, 9634, 5084, 3336, 3707, 9597, 3271, 522, + 1000, 12133, 4645, 6403, 6522, 64, 3136, 6196, 8668, 6906, + 6591, 3445, 9048, 948, 9585, 2683, 8577, 2447, 9302, 1105, + 4989, 10970, 9103, 3643, 6461, 9364, 4143, 6383, 5542, 1200, + 9644, 5574, 2768, 453, 9908, 6221, 9893, 5486, 10745, 10367, + 4134, 5942, 8511, 11502, 10593, 2919, 7852, 3789, 1326, 3529, + 875, 6008, 11745, 10211, 8779, 56, 2744, 11566, 1440, 9115, + 4231, 10695, 7917, 6974, 9923, 6956, 9041, 605, 5067, 2503, + 12046, 382, 6429, 7796, 1045, 2049, 2089, 4049, 1777, 1050, + + 2294, 1805, 2422, 8077, 2525, 835, 4048, 1728, 10938, 7535, + 545, 2127, 5911, 6992, 10805, 1018, 726, 10996, 10377, 4624, + 5374, 5257, 11813, 1254, 1 +}; + +/** + * Bit-reversed indices for n = 512 + */ +static uint16_t rev_512[] = { + 0, 256, 128, 384, 64, 320, 192, 448, 32, 288, + 160, 416, 96, 352, 224, 480, 16, 272, 144, 400, + 80, 336, 208, 464, 48, 304, 176, 432, 112, 368, + 240, 496, 8, 264, 136, 392, 72, 328, 200, 456, + 40, 296, 168, 424, 104, 360, 232, 488, 24, 280, + 152, 408, 88, 344, 216, 472, 56, 312, 184, 440, + 120, 376, 248, 504, 4, 260, 132, 388, 68, 324, + 196, 452, 36, 292, 164, 420, 100, 356, 228, 484, + 20, 276, 148, 404, 84, 340, 212, 468, 52, 308, + 180, 436, 116, 372, 244, 500, 12, 268, 140, 396, + + 76, 332, 204, 460, 44, 300, 172, 428, 108, 364, + 236, 492, 28, 284, 156, 412, 92, 348, 220, 476, + 60, 316, 188, 444, 124, 380, 252, 508, 2, 258, + 130, 386, 66, 322, 194, 450, 34, 290, 162, 418, + 98, 354, 226, 482, 18, 274, 146, 402, 82, 338, + 210, 466, 50, 306, 178, 434, 114, 370, 242, 498, + 10, 266, 138, 394, 74, 330, 202, 458, 42, 298, + 170, 426, 106, 362, 234, 490, 26, 282, 154, 410, + 90, 346, 218, 474, 58, 314, 186, 442, 122, 378, + 250, 506, 6, 262, 134, 390, 70, 326, 198, 454, + + 38, 294, 166, 422, 102, 358, 230, 486, 22, 278, + 150, 406, 86, 342, 214, 470, 54, 310, 182, 438, + 118, 374, 246, 502, 14, 270, 142, 398, 78, 334, + 206, 462, 46, 302, 174, 430, 110, 366, 238, 494, + 30, 286, 158, 414, 94, 350, 222, 478, 62, 318, + 190, 446, 126, 382, 254, 510, 1, 257, 129, 385, + 65, 321, 193, 449, 33, 289, 161, 417, 97, 353, + 225, 481, 17, 273, 145, 401, 81, 337, 209, 465, + 49, 305, 177, 433, 113, 369, 241, 497, 9, 265, + 137, 393, 73, 329, 201, 457, 41, 297, 169, 425, + + 105, 361, 233, 489, 25, 281, 153, 409, 89, 345, + 217, 473, 57, 313, 185, 441, 121, 377, 249, 505, + 5, 261, 133, 389, 69, 325, 197, 453, 37, 293, + 165, 421, 101, 357, 229, 485, 21, 277, 149, 405, + 85, 341, 213, 469, 53, 309, 181, 437, 117, 373, + 245, 501, 13, 269, 141, 397, 77, 333, 205, 461, + 45, 301, 173, 429, 109, 365, 237, 493, 29, 285, + 157, 413, 93, 349, 221, 477, 61, 317, 189, 445, + 125, 381, 253, 509, 3, 259, 131, 387, 67, 323, + 195, 451, 35, 291, 163, 419, 99, 355, 227, 483, + + 19, 275, 147, 403, 83, 339, 211, 467, 51, 307, + 179, 435, 115, 371, 243, 499, 11, 267, 139, 395, + 75, 331, 203, 459, 43, 299, 171, 427, 107, 363, + 235, 491, 27, 283, 155, 411, 91, 347, 219, 475, + 59, 315, 187, 443, 123, 379, 251, 507, 7, 263, + 135, 391, 71, 327, 199, 455, 39, 295, 167, 423, + 103, 359, 231, 487, 23, 279, 151, 407, 87, 343, + 215, 471, 55, 311, 183, 439, 119, 375, 247, 503, + 15, 271, 143, 399, 79, 335, 207, 463, 47, 303, + 175, 431, 111, 367, 239, 495, 31, 287, 159, 415, + + 95, 351, 223, 479, 63, 319, 191, 447, 127, 383, + 255, 511 +}; + +bliss_fft_params_t bliss_fft_12289_512 = { + 12289, 512, 12265, 9, w_12289_1024, rev_512 +}; + +/** + * FFT parameters for q = 17 and n = 16 + */ +static uint16_t w_17_16[] = { + 1, 3, 9, 10, 13, 5, 15, 11, 16, 14, 8, 7, 4, 12, 2, 6, 1 }; + +/** + * Bit-reversed indices for n = 8 + */ +static uint16_t rev_8[] = { 0, 4, 2, 6, 1, 5, 3, 7 }; + +bliss_fft_params_t bliss_fft_17_8 = { 17, 8, 15, 3, w_17_16, rev_8 }; diff --git a/src/libstrongswan/plugins/bliss/bliss_fft_params.h b/src/libstrongswan/plugins/bliss/bliss_fft_params.h new file mode 100644 index 000000000..31b151b67 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_fft_params.h @@ -0,0 +1,75 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup bliss_fft_params bliss_fft_params + * @{ @ingroup bliss_p + */ + +#ifndef BLISS_FFT_PARAMS_H_ +#define BLISS_FFT_PARAMS_H_ + +#include + +typedef struct bliss_fft_params_t bliss_fft_params_t; + +/** + * Defines the parameters for an NTT computed via the FFT algorithm + */ +struct bliss_fft_params_t { + + /** + * Prime modulus + */ + uint16_t q; + + /** + * Size of the FFT with the condition k * n = q-1 + */ + uint16_t n; + + /** + * Inverse of n mod q used for normalization of the FFT + */ + uint16_t n_inv; + + /** + * Number of FFT stages stages = log2(n) + */ + uint16_t stages; + + /** + * FFT twiddle factors (n-th roots of unity) + */ + uint16_t *w; + + /** + * FFT bit reversal + */ + uint16_t *rev; + +}; + +/** + * FFT parameters for q = 12289 and n = 512 + */ +extern bliss_fft_params_t bliss_fft_12289_512; + +/** + * FFT parameters for q = 17 and n = 8 + */ +extern bliss_fft_params_t bliss_fft_17_8; + +#endif /** BLISS_FFT_PARAMS_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman.c b/src/libstrongswan/plugins/bliss/bliss_huffman.c new file mode 100644 index 000000000..647234fd8 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_huffman.c @@ -0,0 +1,433 @@ +/* + * Copyright (C) 2014 Tobias Brunner + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "bliss_param_set.h" + +#include + +#include +#include + +typedef struct tuple_t tuple_t; + +struct tuple_t { + int8_t z1; + int8_t z2; + uint16_t index; + uint16_t bits; + uint32_t code; +}; + +typedef struct node_t node_t; + +struct node_t { + node_t *next; + node_t *l; + node_t *r; + tuple_t *tuple; + double p; + uint16_t depth; + uint16_t index; +}; + +static void print_node(node_t *node) +{ + if (node->tuple) + { + fprintf(stderr, "(%1d,%2d)", node->tuple->z1, node->tuple->z2); + } + else + { + fprintf(stderr, " "); + } + fprintf(stderr, " %18.16f\n", node->p); +} + +static double code_node(node_t *node, int *index, uint8_t bits, uint32_t code) +{ + double code_length = 0; + + node->index = (*index)++; + + if (node->tuple) + { + node->tuple->code = code; + node->tuple->bits = bits; + code_length += node->p * bits; + } + if (node->l) + { + code_length += code_node(node->l, index, bits + 1, (code << 1)); + } + if (node->r) + { + code_length += code_node(node->r, index, bits + 1, (code << 1) + 1); + } + + return code_length; + +} + +static void write_node(node_t *node) +{ + int16_t node_0, node_1, tuple; + + node_0 = node->l ? node->l->index : BLISS_HUFFMAN_CODE_NO_NODE; + node_1 = node->r ? node->r->index : BLISS_HUFFMAN_CODE_NO_NODE; + tuple = node->tuple ? node->tuple->index : BLISS_HUFFMAN_CODE_NO_TUPLE; + + printf("\t{ %3d, %3d, %3d }, /* %3d: ", node_0, node_1, tuple, node->index); + + if (node->tuple) + { + printf("(%d,%2d) %2u bit%s ", node->tuple->z1, node->tuple->z2, + node->tuple->bits, (node->tuple->bits == 1) ? " " : "s"); + } + printf("*/\n"); + + if (node->l) + { + write_node(node->l); + } + if (node->r) + { + write_node(node->r); + } +} + +static void write_header(void) +{ + printf("/*\n"); + printf(" * Copyright (C) 2014 Andreas Steffen\n"); + printf(" * HSR Hochschule fuer Technik Rapperswil\n"); + printf(" *\n"); + printf(" * Optimum Huffman code for BLISS-X signatures\n"); + printf(" *\n"); + printf(" * This file has been automatically generated by the" + " bliss_huffman utility\n"); + printf(" * Do not edit manually!\n"); + printf(" */\n\n"); +}; + +static void write_code_tables(int bliss_type, int n_z1, int n_z2, node_t *nodes, + tuple_t **tuples) +{ + int index, i, k; + uint32_t bit; + double code_length; + + printf("#include \"bliss_huffman_code.h\"\n\n"); + + printf("static bliss_huffman_code_node_t nodes[] = {\n"); + index = 0; + code_length = code_node(nodes, &index, 0, 0); + write_node(nodes); + printf("};\n\n"); + + printf("static bliss_huffman_code_tuple_t tuples[] = {\n"); + index = 0; + for (i = 0; i < n_z1; i++) + { + if (i > 0) + { + printf("\n"); + } + for (k = 1 - n_z2; k < n_z2; k++) + { + printf("\t{ %5u, %2u }, /* %3d: (%1d,%2d) ", + tuples[index]->code, tuples[index]->bits, index, i, k); + bit = 1 << (tuples[index]->bits - 1); + while (bit) + { + printf("%s", (tuples[index]->code & bit) ? "1" : "0"); + bit >>= 1; + } + printf(" */\n"); + index++; + } + } + printf("};\n\n"); + printf("/* code_length = %6.4f bits/tuple (%d bits) */\n\n", + code_length, (int)(512 * code_length + 1)); + + printf("bliss_huffman_code_t bliss_huffman_code_%d = {\n", bliss_type); + printf("\t.n_z1 = %d,\n", n_z1); + printf("\t.n_z2 = %d,\n", n_z2); + printf("\t.tuples = tuples,\n"); + printf("\t.nodes = nodes\n"); + printf("};\n"); +} + +static void destroy_node(node_t *node) +{ + if (node->l) + { + destroy_node(node->l); + } + if (node->r) + { + destroy_node(node->r); + } + free(node->tuple); + free(node); +} + +static void remove_node(node_t *list, node_t **last, node_t *node) +{ + node_t *current, *prev; + + for (current = list->next, prev = list; current; + prev = current, current = current->next) + { + if (current == node) + { + prev->next = current->next; + if (*last == current) + { + *last = prev->next ?: prev; + } + break; + } + } +} + +/** + * Generate a Huffman code for the optimum encoding of BLISS signatures + */ +int main(int argc, char *argv[]) +{ + bliss_param_set_t *set; + int dx, bliss_type, depth = 1, groups, groups_left, pairs = 1; + int i_max = 9, k_max = 8, index_max = (2*k_max - 1) * i_max; + int i, i_top, k, k_top; + uint16_t index; + double p, p_z1[i_max], p_z2[k_max], x_z1[i_max], x_z2[k_max]; + double t, x, x0, p_sum, entropy = 0, erf_i, erf_k, erf_0 = 0; + tuple_t *tuple, *tuples[index_max]; + node_t *node, *node_l, *node_r, *nodes = NULL; + node_t *node_list, *node_last; + + if (argc < 2) + { + fprintf(stderr, "usage: bliss_huffman []\n"); + exit(1); + } + if (argc > 2) + { + pairs = atoi(argv[2]); + } + fprintf(stderr, "%d code pairs with constant length\n\n", pairs); + groups_left = groups = pairs >> 1; + + bliss_type = atoi(argv[1]); + set = bliss_param_set_get_by_id(bliss_type); + if (!set) + { + fprintf(stderr, "bliss type %d unsupported\n", bliss_type); + exit(1); + } + write_header(); + printf("/*\n"); + printf(" * Design: sigma = %u\n", set->sigma); + printf(" *\n"); + + t = 1/(sqrt(2) * set->sigma); + + /* Probability distribution for z1 */ + i_top = (set->B_inf + 255) / 256; + p_sum = 0; + x = 0; + + for (i = 0; i < i_top; i++) + { + x = min(x + 256, set->B_inf); + erf_i = erf(t*x); + p_z1[i] = erf_i - erf_0; + p_sum += p_z1[i]; + erf_0 = erf_i; + x_z1[i] = x; + } + + /* Normalize and print the probability distribution for z1 */ + printf(" * i p_z1[i]\n"); + x0 = 0; + + for (i = 0; i < i_top; i++) + { + p_z1[i] /= p_sum; + printf(" * %2d %18.16f %4.0f .. %4.0f\n", i, p_z1[i], x0, x_z1[i]); + x0 = x_z1[i]; + } + printf(" *\n"); + + /* Probability distribution for z2 */ + dx = 1 << set->d; + k_top = 1 + set->B_inf / dx; + x = (dx >> 1) - 0.5; + p_sum = 0; + + for (k = 0; k < k_top; k++) + { + + erf_k = erf(t*x) / 2; + p_z2[k] = (k == 0) ? 2*erf_k : erf_k - erf_0; + p_sum += (k == 0) ? p_z2[k] : 2*p_z2[k]; + erf_0 = erf_k; + x_z2[k] = x; + x += dx; + } + + /* Normalize the probability distribution for z2 */ + for (k = 0; k < k_top; k++) + { + p_z2[k] /= p_sum; + } + + /* Print the probability distribution for z2 */ + printf(" * k p_z2[k] dx = %d\n", dx); + + for (k = 1 - k_top; k < k_top; k++) + { + + printf(" * %2d %18.16f ",k, p_z2[abs(k)]); + if (k < 0) + { + printf(" %7.1f ..%7.1f\n", -x_z2[-k], -x_z2[-k-1]); + } + else if (k == 0) + { + printf(" %7.1f ..%7.1f\n", -x_z2[k], x_z2[k]); + } + else + { + printf(" %7.1f ..%7.1f\n", x_z2[k-1], x_z2[k]); + } + } + printf(" *\n"); + + /* Compute probabilities of tuples (z1, z2) */ + INIT(node_list); + node_last = node_list; + printf(" * (i, k) p\n"); + p_sum =0; + index = 0; + + for (i = 0; i < i_top; i++) + { + for (k = 1 - k_top; k < k_top; k++) + { + p = p_z1[i] * p_z2[abs(k)]; + printf(" * (%1d,%2d) %18.16f\n", i, k, p); + p_sum += p; + entropy += -log(p) * p; + + INIT(tuple, + .z1 = i, + .z2 = k, + .index = index, + ); + tuples[index++] = tuple; + + INIT(node, + .p = p, + .tuple = tuple, + ); + node_last->next = node; + node_last = node; + } + printf(" *\n"); + } + entropy /= log(2); + printf(" * p_sum %18.16f\n", p_sum); + printf(" *\n"); + printf(" * entropy = %6.4f bits/tuple (%d bits)\n", + entropy, (int)(512 * entropy)); + printf(" */\n\n"); + + /* Build Huffman tree */ + while (node_list->next != node_last) + { + node_r = node_l = NULL; + + for (node = node_list->next; node; node = node->next) + { + if (pairs > 0) + { + if (!node->tuple) + { + continue; + } + } + else if (groups_left > 0) + { + if (node->tuple || node->depth != depth) + { + continue; + } + } + if (node_r == NULL || node->p < node_r->p) + { + node_l = node_r; + node_r = node; + } + else if (node_l == NULL || node->p < node_l->p) + { + node_l = node; + } + } + + INIT(node, + .l = node_l, + .r = node_r, + .p = node_l->p + node_r->p, + .depth = 1 + max(node_l->depth, node_r->depth), + .tuple = NULL, + ); + print_node(node_r); + print_node(node_l); + fprintf(stderr, " %18.16f", node->p); + + remove_node(node_list, &node_last, node_l); + remove_node(node_list, &node_last, node_r); + node_last->next = node; + node_last = node; + + if (pairs > 0) + { + pairs--; + } + else if (groups > 0) + { + if (--groups_left == 0) + { + groups >>= 1; + groups_left = groups; + depth++; + } + } + fprintf(stderr, "\n\n"); + } + + + nodes = node_list->next; + + write_code_tables(bliss_type, i_top, k_top, nodes, tuples); + + destroy_node(nodes); + destroy_node(node_list); + exit(0); +} + diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code.c b/src/libstrongswan/plugins/bliss/bliss_huffman_code.c new file mode 100644 index 000000000..e31cd9d3c --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code.c @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "bliss_huffman_code.h" + +extern bliss_huffman_code_t bliss_huffman_code_1; +extern bliss_huffman_code_t bliss_huffman_code_3; +extern bliss_huffman_code_t bliss_huffman_code_4; + +/** + * See header. + */ +bliss_huffman_code_t* bliss_huffman_code_get_by_id(bliss_param_set_id_t id) +{ + switch (id) + { + case BLISS_I: + case BLISS_B_I: + return &bliss_huffman_code_1; + case BLISS_III: + case BLISS_B_III: + return &bliss_huffman_code_3; + case BLISS_IV: + case BLISS_B_IV: + return &bliss_huffman_code_4; + default: + return NULL; + } +} + diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code.h b/src/libstrongswan/plugins/bliss/bliss_huffman_code.h new file mode 100644 index 000000000..df8511b2e --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code.h @@ -0,0 +1,80 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup bliss_huffman_code bliss_huffman_code + * @{ @ingroup bliss_p + */ + +#ifndef BLISS_HUFFMAN_CODE_H_ +#define BLISS_HUFFMAN_CODE_H_ + +#include "bliss_param_set.h" + +#include + +typedef struct bliss_huffman_code_t bliss_huffman_code_t; +typedef struct bliss_huffman_code_tuple_t bliss_huffman_code_tuple_t; +typedef struct bliss_huffman_code_node_t bliss_huffman_code_node_t; + +struct bliss_huffman_code_tuple_t { + uint32_t code; + uint16_t bits; +}; + +#define BLISS_HUFFMAN_CODE_NO_TUPLE -1 +#define BLISS_HUFFMAN_CODE_NO_NODE -1 + +struct bliss_huffman_code_node_t { + int16_t node_0; + int16_t node_1; + int16_t tuple; +}; + +/** + * Defines the Huffman code for the optimum encoding of a BLISS signature + */ +struct bliss_huffman_code_t { + + /** + * Range of z1: 0..n_z1-1 + */ + uint16_t n_z1; + + /** + * Range of z2: -n_z2..n_z2 + */ + uint16_t n_z2; + + /** + * Table of tuple codewords + */ + bliss_huffman_code_tuple_t *tuples; + + /** + * Table of binary decision nodes + */ + bliss_huffman_code_node_t *nodes; +}; + +/** + * Get Optimum Huffman code for BLISS signature given by BLISS parameter set ID + * + * @param id BLISS parameter set ID + * @return Optimum Huffman code for BLISS signature +*/ +bliss_huffman_code_t* bliss_huffman_code_get_by_id(bliss_param_set_id_t id); + +#endif /** BLISS_HUFFMAN_CODE_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code_1.c b/src/libstrongswan/plugins/bliss/bliss_huffman_code_1.c new file mode 100644 index 000000000..1bf433fd1 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code_1.c @@ -0,0 +1,160 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Optimum Huffman code for BLISS-X signatures + * + * This file has been automatically generated by the bliss_huffman utility + * Do not edit manually! + */ + +/* + * Design: sigma = 215 + * + * i p_z1[i] + * 0 0.7662277087816564 0 .. 256 + * 1 0.2165251006508514 256 .. 512 + * 2 0.0168930510015114 512 .. 768 + * 3 0.0003522302274478 768 .. 1024 + * 4 0.0000019067136680 1024 .. 1280 + * 5 0.0000000026239598 1280 .. 1536 + * 6 0.0000000000009052 1536 .. 1792 + * 7 0.0000000000000001 1792 .. 2047 + * + * k p_z2[k] dx = 1024 + * -1 0.0086781953089156 -1535.5 .. -511.5 + * 0 0.9826436093821688 -511.5 .. 511.5 + * 1 0.0086781953089156 511.5 .. 1535.5 + * + * (i, k) p + * (0,-1) 0.0066494737079101 + * (0, 0) 0.7529287613658361 + * (0, 1) 0.0066494737079101 + * + * (1,-1) 0.0018790471127307 + * (1, 0) 0.2127670064253900 + * (1, 1) 0.0018790471127307 + * + * (2,-1) 0.0001466011959546 + * (2, 0) 0.0165998486096022 + * (2, 1) 0.0001466011959546 + * + * (3,-1) 0.0000030567227075 + * (3, 0) 0.0003461167820328 + * (3, 1) 0.0000030567227075 + * + * (4,-1) 0.0000000165468336 + * (4, 0) 0.0000018736200007 + * (4, 1) 0.0000000165468336 + * + * (5,-1) 0.0000000000227712 + * (5, 0) 0.0000000025784174 + * (5, 1) 0.0000000000227712 + * + * (6,-1) 0.0000000000000079 + * (6, 0) 0.0000000000008895 + * (6, 1) 0.0000000000000079 + * + * (7,-1) 0.0000000000000000 + * (7, 0) 0.0000000000000001 + * (7, 1) 0.0000000000000000 + * + * p_sum 0.9999999999999998 + * + * entropy = 1.0195 bits/tuple (521 bits) + */ + +#include "bliss_huffman_code.h" + +static bliss_huffman_code_node_t nodes[] = { + { 1, 2, -1 }, /* 0: */ + { -1, -1, 1 }, /* 1: (0, 0) 1 bit */ + { 3, 4, -1 }, /* 2: */ + { -1, -1, 4 }, /* 3: (1, 0) 2 bits */ + { 5, 46, -1 }, /* 4: */ + { 6, 45, -1 }, /* 5: */ + { 7, 8, -1 }, /* 6: */ + { -1, -1, 0 }, /* 7: (0,-1) 5 bits */ + { 9, 44, -1 }, /* 8: */ + { 10, 11, -1 }, /* 9: */ + { -1, -1, 3 }, /* 10: (1,-1) 7 bits */ + { 12, 13, -1 }, /* 11: */ + { -1, -1, 10 }, /* 12: (3, 0) 8 bits */ + { 14, 29, -1 }, /* 13: */ + { 15, 22, -1 }, /* 14: */ + { 16, 19, -1 }, /* 15: */ + { 17, 18, -1 }, /* 16: */ + { -1, -1, 8 }, /* 17: (2, 1) 12 bits */ + { -1, -1, 6 }, /* 18: (2,-1) 12 bits */ + { 20, 21, -1 }, /* 19: */ + { -1, -1, 11 }, /* 20: (3, 1) 12 bits */ + { -1, -1, 9 }, /* 21: (3,-1) 12 bits */ + { 23, 26, -1 }, /* 22: */ + { 24, 25, -1 }, /* 23: */ + { -1, -1, 13 }, /* 24: (4, 0) 12 bits */ + { -1, -1, 14 }, /* 25: (4, 1) 12 bits */ + { 27, 28, -1 }, /* 26: */ + { -1, -1, 12 }, /* 27: (4,-1) 12 bits */ + { -1, -1, 16 }, /* 28: (5, 0) 12 bits */ + { 30, 37, -1 }, /* 29: */ + { 31, 34, -1 }, /* 30: */ + { 32, 33, -1 }, /* 31: */ + { -1, -1, 17 }, /* 32: (5, 1) 12 bits */ + { -1, -1, 15 }, /* 33: (5,-1) 12 bits */ + { 35, 36, -1 }, /* 34: */ + { -1, -1, 19 }, /* 35: (6, 0) 12 bits */ + { -1, -1, 20 }, /* 36: (6, 1) 12 bits */ + { 38, 41, -1 }, /* 37: */ + { 39, 40, -1 }, /* 38: */ + { -1, -1, 18 }, /* 39: (6,-1) 12 bits */ + { -1, -1, 22 }, /* 40: (7, 0) 12 bits */ + { 42, 43, -1 }, /* 41: */ + { -1, -1, 23 }, /* 42: (7, 1) 12 bits */ + { -1, -1, 21 }, /* 43: (7,-1) 12 bits */ + { -1, -1, 5 }, /* 44: (1, 1) 6 bits */ + { -1, -1, 2 }, /* 45: (0, 1) 4 bits */ + { -1, -1, 7 }, /* 46: (2, 0) 3 bits */ +}; + +static bliss_huffman_code_tuple_t tuples[] = { + { 24, 5 }, /* 0: (0,-1) 11000 */ + { 0, 1 }, /* 1: (0, 0) 0 */ + { 13, 4 }, /* 2: (0, 1) 1101 */ + + { 100, 7 }, /* 3: (1,-1) 1100100 */ + { 2, 2 }, /* 4: (1, 0) 10 */ + { 51, 6 }, /* 5: (1, 1) 110011 */ + + { 3249, 12 }, /* 6: (2,-1) 110010110001 */ + { 7, 3 }, /* 7: (2, 0) 111 */ + { 3248, 12 }, /* 8: (2, 1) 110010110000 */ + + { 3251, 12 }, /* 9: (3,-1) 110010110011 */ + { 202, 8 }, /* 10: (3, 0) 11001010 */ + { 3250, 12 }, /* 11: (3, 1) 110010110010 */ + + { 3254, 12 }, /* 12: (4,-1) 110010110110 */ + { 3252, 12 }, /* 13: (4, 0) 110010110100 */ + { 3253, 12 }, /* 14: (4, 1) 110010110101 */ + + { 3257, 12 }, /* 15: (5,-1) 110010111001 */ + { 3255, 12 }, /* 16: (5, 0) 110010110111 */ + { 3256, 12 }, /* 17: (5, 1) 110010111000 */ + + { 3260, 12 }, /* 18: (6,-1) 110010111100 */ + { 3258, 12 }, /* 19: (6, 0) 110010111010 */ + { 3259, 12 }, /* 20: (6, 1) 110010111011 */ + + { 3263, 12 }, /* 21: (7,-1) 110010111111 */ + { 3261, 12 }, /* 22: (7, 0) 110010111101 */ + { 3262, 12 }, /* 23: (7, 1) 110010111110 */ +}; + +/* code_length = 1.3189 bits/tuple (676 bits) */ + +bliss_huffman_code_t bliss_huffman_code_1 = { + .n_z1 = 8, + .n_z2 = 2, + .tuples = tuples, + .nodes = nodes +}; diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code_3.c b/src/libstrongswan/plugins/bliss/bliss_huffman_code_3.c new file mode 100644 index 000000000..37a8084d4 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code_3.c @@ -0,0 +1,261 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Optimum Huffman code for BLISS-X signatures + * + * This file has been automatically generated by the bliss_huffman utility + * Do not edit manually! + */ + +/* + * Design: sigma = 250 + * + * i p_z1[i] + * 0 0.6941647250930416 0 .. 256 + * 1 0.2652752755116807 256 .. 512 + * 2 0.0384337021454129 512 .. 768 + * 3 0.0020842622589255 768 .. 1024 + * 4 0.0000417294572050 1024 .. 1280 + * 5 0.0000003047309681 1280 .. 1536 + * 6 0.0000000008027661 1536 .. 1760 + * + * k p_z2[k] dx = 512 + * -3 0.0000001543959154 -1791.5 ..-1279.5 + * -2 0.0010701394583782 -1279.5 .. -767.5 + * -1 0.1523201563502276 -767.5 .. -255.5 + * 0 0.6932190995909575 -255.5 .. 255.5 + * 1 0.1523201563502276 255.5 .. 767.5 + * 2 0.0010701394583782 767.5 .. 1279.5 + * 3 0.0000001543959154 1279.5 .. 1791.5 + * + * (i, k) p + * (0,-3) 0.0000001071761982 + * (0,-2) 0.0007428530629363 + * (0,-1) 0.1057352794589848 + * (0, 0) 0.4812082456968029 + * (0, 1) 0.1057352794589848 + * (0, 2) 0.0007428530629363 + * (0, 3) 0.0000001071761982 + * + * (1,-3) 0.0000000409574190 + * (1,-2) 0.0002838815396572 + * (1,-1) 0.0404067714417889 + * (1, 0) 0.1838938876339505 + * (1, 1) 0.0404067714417889 + * (1, 2) 0.0002838815396572 + * (1, 3) 0.0000000409574190 + * + * (2,-3) 0.0000000059340066 + * (2,-2) 0.0000411294211974 + * (2,-1) 0.0058542275199074 + * (2, 0) 0.0266429763951902 + * (2, 1) 0.0058542275199074 + * (2, 2) 0.0000411294211974 + * (2, 3) 0.0000000059340066 + * + * (3,-3) 0.0000000003218016 + * (3,-2) 0.0000022304512849 + * (3,-1) 0.0003174751531544 + * (3, 0) 0.0014448504064437 + * (3, 1) 0.0003174751531544 + * (3, 2) 0.0000022304512849 + * (3, 3) 0.0000000003218016 + * + * (4,-3) 0.0000000000064429 + * (4,-2) 0.0000000446563387 + * (4,-1) 0.0000063562374459 + * (4, 0) 0.0000289276567501 + * (4, 1) 0.0000063562374459 + * (4, 2) 0.0000000446563387 + * (4, 3) 0.0000000000064429 + * + * (5,-3) 0.0000000000000470 + * (5,-2) 0.0000000003261046 + * (5,-1) 0.0000000464166687 + * (5, 0) 0.0000002112453273 + * (5, 1) 0.0000000464166687 + * (5, 2) 0.0000000003261046 + * (5, 3) 0.0000000000000470 + * + * (6,-3) 0.0000000000000001 + * (6,-2) 0.0000000000008591 + * (6,-1) 0.0000000001222775 + * (6, 0) 0.0000000005564928 + * (6, 1) 0.0000000001222775 + * (6, 2) 0.0000000000008591 + * (6, 3) 0.0000000000000001 + * + * p_sum 0.9999999999999999 + * + * entropy = 2.2879 bits/tuple (1171 bits) + */ + +#include "bliss_huffman_code.h" + +static bliss_huffman_code_node_t nodes[] = { + { 1, 96, -1 }, /* 0: */ + { 2, 93, -1 }, /* 1: */ + { 3, 4, -1 }, /* 2: */ + { -1, -1, 10 }, /* 3: (1, 0) 3 bits */ + { 5, 8, -1 }, /* 4: */ + { 6, 7, -1 }, /* 5: */ + { -1, -1, 11 }, /* 6: (1, 1) 5 bits */ + { -1, -1, 9 }, /* 7: (1,-1) 5 bits */ + { 9, 10, -1 }, /* 8: */ + { -1, -1, 17 }, /* 9: (2, 0) 5 bits */ + { 11, 92, -1 }, /* 10: */ + { 12, 13, -1 }, /* 11: */ + { -1, -1, 16 }, /* 12: (2,-1) 7 bits */ + { 14, 89, -1 }, /* 13: */ + { 15, 16, -1 }, /* 14: */ + { -1, -1, 24 }, /* 15: (3, 0) 9 bits */ + { 17, 86, -1 }, /* 16: */ + { 18, 85, -1 }, /* 17: */ + { 19, 20, -1 }, /* 18: */ + { -1, -1, 8 }, /* 19: (1,-2) 12 bits */ + { 21, 84, -1 }, /* 20: */ + { 22, 53, -1 }, /* 21: */ + { 23, 38, -1 }, /* 22: */ + { 24, 31, -1 }, /* 23: */ + { 25, 28, -1 }, /* 24: */ + { 26, 27, -1 }, /* 25: */ + { -1, -1, 15 }, /* 26: (2,-2) 18 bits */ + { -1, -1, 31 }, /* 27: (4, 0) 18 bits */ + { 29, 30, -1 }, /* 28: */ + { -1, -1, 32 }, /* 29: (4, 1) 18 bits */ + { -1, -1, 30 }, /* 30: (4,-1) 18 bits */ + { 32, 35, -1 }, /* 31: */ + { 33, 34, -1 }, /* 32: */ + { -1, -1, 26 }, /* 33: (3, 2) 18 bits */ + { -1, -1, 22 }, /* 34: (3,-2) 18 bits */ + { 36, 37, -1 }, /* 35: */ + { -1, -1, 38 }, /* 36: (5, 0) 18 bits */ + { -1, -1, 6 }, /* 37: (0, 3) 18 bits */ + { 39, 46, -1 }, /* 38: */ + { 40, 43, -1 }, /* 39: */ + { 41, 42, -1 }, /* 40: */ + { -1, -1, 0 }, /* 41: (0,-3) 18 bits */ + { -1, -1, 39 }, /* 42: (5, 1) 18 bits */ + { 44, 45, -1 }, /* 43: */ + { -1, -1, 37 }, /* 44: (5,-1) 18 bits */ + { -1, -1, 33 }, /* 45: (4, 2) 18 bits */ + { 47, 50, -1 }, /* 46: */ + { 48, 49, -1 }, /* 47: */ + { -1, -1, 29 }, /* 48: (4,-2) 18 bits */ + { -1, -1, 13 }, /* 49: (1, 3) 18 bits */ + { 51, 52, -1 }, /* 50: */ + { -1, -1, 7 }, /* 51: (1,-3) 18 bits */ + { -1, -1, 20 }, /* 52: (2, 3) 18 bits */ + { 54, 69, -1 }, /* 53: */ + { 55, 62, -1 }, /* 54: */ + { 56, 59, -1 }, /* 55: */ + { 57, 58, -1 }, /* 56: */ + { -1, -1, 14 }, /* 57: (2,-3) 18 bits */ + { -1, -1, 45 }, /* 58: (6, 0) 18 bits */ + { 60, 61, -1 }, /* 59: */ + { -1, -1, 40 }, /* 60: (5, 2) 18 bits */ + { -1, -1, 36 }, /* 61: (5,-2) 18 bits */ + { 63, 66, -1 }, /* 62: */ + { 64, 65, -1 }, /* 63: */ + { -1, -1, 27 }, /* 64: (3, 3) 18 bits */ + { -1, -1, 21 }, /* 65: (3,-3) 18 bits */ + { 67, 68, -1 }, /* 66: */ + { -1, -1, 46 }, /* 67: (6, 1) 18 bits */ + { -1, -1, 44 }, /* 68: (6,-1) 18 bits */ + { 70, 77, -1 }, /* 69: */ + { 71, 74, -1 }, /* 70: */ + { 72, 73, -1 }, /* 71: */ + { -1, -1, 34 }, /* 72: (4, 3) 18 bits */ + { -1, -1, 28 }, /* 73: (4,-3) 18 bits */ + { 75, 76, -1 }, /* 74: */ + { -1, -1, 47 }, /* 75: (6, 2) 18 bits */ + { -1, -1, 43 }, /* 76: (6,-2) 18 bits */ + { 78, 81, -1 }, /* 77: */ + { 79, 80, -1 }, /* 78: */ + { -1, -1, 41 }, /* 79: (5, 3) 18 bits */ + { -1, -1, 35 }, /* 80: (5,-3) 18 bits */ + { 82, 83, -1 }, /* 81: */ + { -1, -1, 48 }, /* 82: (6, 3) 18 bits */ + { -1, -1, 42 }, /* 83: (6,-3) 18 bits */ + { -1, -1, 19 }, /* 84: (2, 2) 13 bits */ + { -1, -1, 25 }, /* 85: (3, 1) 11 bits */ + { 87, 88, -1 }, /* 86: */ + { -1, -1, 23 }, /* 87: (3,-1) 11 bits */ + { -1, -1, 12 }, /* 88: (1, 2) 11 bits */ + { 90, 91, -1 }, /* 89: */ + { -1, -1, 5 }, /* 90: (0, 2) 9 bits */ + { -1, -1, 1 }, /* 91: (0,-2) 9 bits */ + { -1, -1, 18 }, /* 92: (2, 1) 6 bits */ + { 94, 95, -1 }, /* 93: */ + { -1, -1, 4 }, /* 94: (0, 1) 3 bits */ + { -1, -1, 2 }, /* 95: (0,-1) 3 bits */ + { -1, -1, 3 }, /* 96: (0, 0) 1 bit */ +}; + +static bliss_huffman_code_tuple_t tuples[] = { + { 59976, 18 }, /* 0: (0,-3) 001110101001001000 */ + { 119, 9 }, /* 1: (0,-2) 001110111 */ + { 3, 3 }, /* 2: (0,-1) 011 */ + { 1, 1 }, /* 3: (0, 0) 1 */ + { 2, 3 }, /* 4: (0, 1) 010 */ + { 118, 9 }, /* 5: (0, 2) 001110110 */ + { 59975, 18 }, /* 6: (0, 3) 001110101001000111 */ + + { 59982, 18 }, /* 7: (1,-3) 001110101001001110 */ + { 936, 12 }, /* 8: (1,-2) 001110101000 */ + { 5, 5 }, /* 9: (1,-1) 00101 */ + { 0, 3 }, /* 10: (1, 0) 000 */ + { 4, 5 }, /* 11: (1, 1) 00100 */ + { 471, 11 }, /* 12: (1, 2) 00111010111 */ + { 59981, 18 }, /* 13: (1, 3) 001110101001001101 */ + + { 59984, 18 }, /* 14: (2,-3) 001110101001010000 */ + { 59968, 18 }, /* 15: (2,-2) 001110101001000000 */ + { 28, 7 }, /* 16: (2,-1) 0011100 */ + { 6, 5 }, /* 17: (2, 0) 00110 */ + { 15, 6 }, /* 18: (2, 1) 001111 */ + { 1875, 13 }, /* 19: (2, 2) 0011101010011 */ + { 59983, 18 }, /* 20: (2, 3) 001110101001001111 */ + + { 59989, 18 }, /* 21: (3,-3) 001110101001010101 */ + { 59973, 18 }, /* 22: (3,-2) 001110101001000101 */ + { 470, 11 }, /* 23: (3,-1) 00111010110 */ + { 116, 9 }, /* 24: (3, 0) 001110100 */ + { 469, 11 }, /* 25: (3, 1) 00111010101 */ + { 59972, 18 }, /* 26: (3, 2) 001110101001000100 */ + { 59988, 18 }, /* 27: (3, 3) 001110101001010100 */ + + { 59993, 18 }, /* 28: (4,-3) 001110101001011001 */ + { 59980, 18 }, /* 29: (4,-2) 001110101001001100 */ + { 59971, 18 }, /* 30: (4,-1) 001110101001000011 */ + { 59969, 18 }, /* 31: (4, 0) 001110101001000001 */ + { 59970, 18 }, /* 32: (4, 1) 001110101001000010 */ + { 59979, 18 }, /* 33: (4, 2) 001110101001001011 */ + { 59992, 18 }, /* 34: (4, 3) 001110101001011000 */ + + { 59997, 18 }, /* 35: (5,-3) 001110101001011101 */ + { 59987, 18 }, /* 36: (5,-2) 001110101001010011 */ + { 59978, 18 }, /* 37: (5,-1) 001110101001001010 */ + { 59974, 18 }, /* 38: (5, 0) 001110101001000110 */ + { 59977, 18 }, /* 39: (5, 1) 001110101001001001 */ + { 59986, 18 }, /* 40: (5, 2) 001110101001010010 */ + { 59996, 18 }, /* 41: (5, 3) 001110101001011100 */ + + { 59999, 18 }, /* 42: (6,-3) 001110101001011111 */ + { 59995, 18 }, /* 43: (6,-2) 001110101001011011 */ + { 59991, 18 }, /* 44: (6,-1) 001110101001010111 */ + { 59985, 18 }, /* 45: (6, 0) 001110101001010001 */ + { 59990, 18 }, /* 46: (6, 1) 001110101001010110 */ + { 59994, 18 }, /* 47: (6, 2) 001110101001011010 */ + { 59998, 18 }, /* 48: (6, 3) 001110101001011110 */ +}; + +/* code_length = 2.3227 bits/tuple (1190 bits) */ + +bliss_huffman_code_t bliss_huffman_code_3 = { + .n_z1 = 7, + .n_z2 = 4, + .tuples = tuples, + .nodes = nodes +}; diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code_4.c b/src/libstrongswan/plugins/bliss/bliss_huffman_code_4.c new file mode 100644 index 000000000..c4f709c93 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code_4.c @@ -0,0 +1,435 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Optimum Huffman code for BLISS-X signatures + * + * This file has been automatically generated by the bliss_huffman utility + * Do not edit manually! + */ + +/* + * Design: sigma = 271 + * + * i p_z1[i] + * 0 0.6551621276225426 0 .. 256 + * 1 0.2859860850630749 256 .. 512 + * 2 0.0542541135599810 512 .. 768 + * 3 0.0044399624814222 768 .. 1024 + * 4 0.0001553928373912 1024 .. 1280 + * 5 0.0000023066278552 1280 .. 1536 + * 6 0.0000000118077330 1536 .. 1613 + * + * k p_z2[k] dx = 256 + * -6 0.0000001026458579 -1663.5 ..-1407.5 + * -5 0.0000106295703648 -1407.5 ..-1151.5 + * -4 0.0004651193817805 -1151.5 .. -895.5 + * -3 0.0086670703658387 -895.5 .. -639.5 + * -2 0.0693723939195647 -639.5 .. -383.5 + * -1 0.2404908493690626 -383.5 .. -127.5 + * 0 0.3619876694950614 -127.5 .. 127.5 + * 1 0.2404908493690626 127.5 .. 383.5 + * 2 0.0693723939195647 383.5 .. 639.5 + * 3 0.0086670703658387 639.5 .. 895.5 + * 4 0.0004651193817805 895.5 .. 1151.5 + * 5 0.0000106295703648 1151.5 .. 1407.5 + * 6 0.0000001026458579 1407.5 .. 1663.5 + * + * (i, k) p + * (0,-6) 0.0000000672496787 + * (0,-5) 0.0000069640919359 + * (0,-4) 0.0003047286037658 + * (0,-3) 0.0056783362611372 + * (0,-2) 0.0454501651986111 + * (0,-1) 0.1575604965463875 + * (0, 0) 0.2371606117195102 + * (0, 1) 0.1575604965463875 + * (0, 2) 0.0454501651986111 + * (0, 3) 0.0056783362611372 + * (0, 4) 0.0003047286037658 + * (0, 5) 0.0000069640919359 + * (0, 6) 0.0000000672496787 + * + * (1,-6) 0.0000000293552870 + * (1,-5) 0.0000030399092145 + * (1,-4) 0.0001330176710824 + * (1,-3) 0.0024786615228924 + * (1,-2) 0.0198395393485098 + * (1,-1) 0.0687770365045519 + * (1, 0) 0.1035234364399989 + * (1, 1) 0.0687770365045519 + * (1, 2) 0.0198395393485098 + * (1, 3) 0.0024786615228924 + * (1, 4) 0.0001330176710824 + * (1, 5) 0.0000030399092145 + * (1, 6) 0.0000000293552870 + * + * (2,-6) 0.0000000055689600 + * (2,-5) 0.0000005766979177 + * (2,-4) 0.0000252346397581 + * (2,-3) 0.0004702242198606 + * (2,-2) 0.0037637377376398 + * (2,-1) 0.0130476178518054 + * (2, 0) 0.0196393201280979 + * (2, 1) 0.0130476178518054 + * (2, 2) 0.0037637377376398 + * (2, 3) 0.0004702242198606 + * (2, 4) 0.0000252346397581 + * (2, 5) 0.0000005766979177 + * (2, 6) 0.0000000055689600 + * + * (3,-6) 0.0000000004557438 + * (3,-5) 0.0000000471948936 + * (3,-4) 0.0000020651126045 + * (3,-3) 0.0000384814672482 + * (3,-2) 0.0003080108262493 + * (3,-1) 0.0010677703483240 + * (3, 0) 0.0016072116712955 + * (3, 1) 0.0010677703483240 + * (3, 2) 0.0003080108262493 + * (3, 3) 0.0000384814672482 + * (3, 4) 0.0000020651126045 + * (3, 5) 0.0000000471948936 + * (3, 6) 0.0000000004557438 + * + * (4,-6) 0.0000000000159504 + * (4,-5) 0.0000000016517591 + * (4,-4) 0.0000000722762205 + * (4,-3) 0.0000013468006560 + * (4,-2) 0.0000107799731278 + * (4,-1) 0.0000373705554501 + * (4, 0) 0.0000562502910635 + * (4, 1) 0.0000373705554501 + * (4, 2) 0.0000107799731278 + * (4, 3) 0.0000013468006560 + * (4, 4) 0.0000000722762205 + * (4, 5) 0.0000000016517591 + * (4, 6) 0.0000000000159504 + * + * (5,-6) 0.0000000000002368 + * (5,-5) 0.0000000000245185 + * (5,-4) 0.0000000010728573 + * (5,-3) 0.0000000199917059 + * (5,-2) 0.0000001600162962 + * (5,-1) 0.0000005547228921 + * (5, 0) 0.0000008349708417 + * (5, 1) 0.0000005547228921 + * (5, 2) 0.0000001600162962 + * (5, 3) 0.0000000199917059 + * (5, 4) 0.0000000010728573 + * (5, 5) 0.0000000000245185 + * (5, 6) 0.0000000000002368 + * + * (6,-6) 0.0000000000000012 + * (6,-5) 0.0000000000001255 + * (6,-4) 0.0000000000054920 + * (6,-3) 0.0000000001023385 + * (6,-2) 0.0000000008191307 + * (6,-1) 0.0000000028396517 + * (6, 0) 0.0000000042742538 + * (6, 1) 0.0000000028396517 + * (6, 2) 0.0000000008191307 + * (6, 3) 0.0000000001023385 + * (6, 4) 0.0000000000054920 + * (6, 5) 0.0000000000001255 + * (6, 6) 0.0000000000000012 + * + * p_sum 1.0000000000000011 + * + * entropy = 3.3640 bits/tuple (1722 bits) + */ + +#include "bliss_huffman_code.h" + +static bliss_huffman_code_node_t nodes[] = { + { 1, 160, -1 }, /* 0: */ + { 2, 5, -1 }, /* 1: */ + { 3, 4, -1 }, /* 2: */ + { -1, -1, 7 }, /* 3: (0, 1) 3 bits */ + { -1, -1, 5 }, /* 4: (0,-1) 3 bits */ + { 6, 157, -1 }, /* 5: */ + { 7, 156, -1 }, /* 6: */ + { 8, 11, -1 }, /* 7: */ + { 9, 10, -1 }, /* 8: */ + { -1, -1, 17 }, /* 9: (1,-2) 6 bits */ + { -1, -1, 32 }, /* 10: (2, 0) 6 bits */ + { 12, 155, -1 }, /* 11: */ + { 13, 18, -1 }, /* 12: */ + { 14, 15, -1 }, /* 13: */ + { -1, -1, 3 }, /* 14: (0,-3) 8 bits */ + { 16, 17, -1 }, /* 15: */ + { -1, -1, 22 }, /* 16: (1, 3) 9 bits */ + { -1, -1, 16 }, /* 17: (1,-3) 9 bits */ + { 19, 154, -1 }, /* 18: */ + { 20, 23, -1 }, /* 19: */ + { 21, 22, -1 }, /* 20: */ + { -1, -1, 46 }, /* 21: (3, 1) 10 bits */ + { -1, -1, 44 }, /* 22: (3,-1) 10 bits */ + { 24, 151, -1 }, /* 23: */ + { 25, 88, -1 }, /* 24: */ + { 26, 57, -1 }, /* 25: */ + { 27, 42, -1 }, /* 26: */ + { 28, 35, -1 }, /* 27: */ + { 29, 32, -1 }, /* 28: */ + { 30, 31, -1 }, /* 29: */ + { -1, -1, 2 }, /* 30: (0,-4) 16 bits */ + { -1, -1, 23 }, /* 31: (1, 4) 16 bits */ + { 33, 34, -1 }, /* 32: */ + { -1, -1, 15 }, /* 33: (1,-4) 16 bits */ + { -1, -1, 58 }, /* 34: (4, 0) 16 bits */ + { 36, 39, -1 }, /* 35: */ + { 37, 38, -1 }, /* 36: */ + { -1, -1, 48 }, /* 37: (3, 3) 16 bits */ + { -1, -1, 42 }, /* 38: (3,-3) 16 bits */ + { 40, 41, -1 }, /* 39: */ + { -1, -1, 59 }, /* 40: (4, 1) 16 bits */ + { -1, -1, 57 }, /* 41: (4,-1) 16 bits */ + { 43, 50, -1 }, /* 42: */ + { 44, 47, -1 }, /* 43: */ + { 45, 46, -1 }, /* 44: */ + { -1, -1, 36 }, /* 45: (2, 4) 16 bits */ + { -1, -1, 28 }, /* 46: (2,-4) 16 bits */ + { 48, 49, -1 }, /* 47: */ + { -1, -1, 60 }, /* 48: (4, 2) 16 bits */ + { -1, -1, 56 }, /* 49: (4,-2) 16 bits */ + { 51, 54, -1 }, /* 50: */ + { 52, 53, -1 }, /* 51: */ + { -1, -1, 11 }, /* 52: (0, 5) 16 bits */ + { -1, -1, 1 }, /* 53: (0,-5) 16 bits */ + { 55, 56, -1 }, /* 54: */ + { -1, -1, 24 }, /* 55: (1, 5) 16 bits */ + { -1, -1, 14 }, /* 56: (1,-5) 16 bits */ + { 58, 73, -1 }, /* 57: */ + { 59, 66, -1 }, /* 58: */ + { 60, 63, -1 }, /* 59: */ + { 61, 62, -1 }, /* 60: */ + { -1, -1, 49 }, /* 61: (3, 4) 16 bits */ + { -1, -1, 41 }, /* 62: (3,-4) 16 bits */ + { 64, 65, -1 }, /* 63: */ + { -1, -1, 61 }, /* 64: (4, 3) 16 bits */ + { -1, -1, 55 }, /* 65: (4,-3) 16 bits */ + { 67, 70, -1 }, /* 66: */ + { 68, 69, -1 }, /* 67: */ + { -1, -1, 71 }, /* 68: (5, 0) 16 bits */ + { -1, -1, 37 }, /* 69: (2, 5) 16 bits */ + { 71, 72, -1 }, /* 70: */ + { -1, -1, 27 }, /* 71: (2,-5) 16 bits */ + { -1, -1, 72 }, /* 72: (5, 1) 16 bits */ + { 74, 81, -1 }, /* 73: */ + { 75, 78, -1 }, /* 74: */ + { 76, 77, -1 }, /* 75: */ + { -1, -1, 70 }, /* 76: (5,-1) 16 bits */ + { -1, -1, 73 }, /* 77: (5, 2) 16 bits */ + { 79, 80, -1 }, /* 78: */ + { -1, -1, 69 }, /* 79: (5,-2) 16 bits */ + { -1, -1, 62 }, /* 80: (4, 4) 16 bits */ + { 82, 85, -1 }, /* 81: */ + { 83, 84, -1 }, /* 82: */ + { -1, -1, 54 }, /* 83: (4,-4) 16 bits */ + { -1, -1, 12 }, /* 84: (0, 6) 16 bits */ + { 86, 87, -1 }, /* 85: */ + { -1, -1, 0 }, /* 86: (0,-6) 16 bits */ + { -1, -1, 50 }, /* 87: (3, 5) 16 bits */ + { 89, 120, -1 }, /* 88: */ + { 90, 105, -1 }, /* 89: */ + { 91, 98, -1 }, /* 90: */ + { 92, 95, -1 }, /* 91: */ + { 93, 94, -1 }, /* 92: */ + { -1, -1, 40 }, /* 93: (3,-5) 16 bits */ + { -1, -1, 25 }, /* 94: (1, 6) 16 bits */ + { 96, 97, -1 }, /* 95: */ + { -1, -1, 13 }, /* 96: (1,-6) 16 bits */ + { -1, -1, 74 }, /* 97: (5, 3) 16 bits */ + { 99, 102, -1 }, /* 98: */ + { 100, 101, -1 }, /* 99: */ + { -1, -1, 68 }, /* 100: (5,-3) 16 bits */ + { -1, -1, 38 }, /* 101: (2, 6) 16 bits */ + { 103, 104, -1 }, /* 102: */ + { -1, -1, 26 }, /* 103: (2,-6) 16 bits */ + { -1, -1, 84 }, /* 104: (6, 0) 16 bits */ + { 106, 113, -1 }, /* 105: */ + { 107, 110, -1 }, /* 106: */ + { 108, 109, -1 }, /* 107: */ + { -1, -1, 85 }, /* 108: (6, 1) 16 bits */ + { -1, -1, 83 }, /* 109: (6,-1) 16 bits */ + { 111, 112, -1 }, /* 110: */ + { -1, -1, 63 }, /* 111: (4, 5) 16 bits */ + { -1, -1, 53 }, /* 112: (4,-5) 16 bits */ + { 114, 117, -1 }, /* 113: */ + { 115, 116, -1 }, /* 114: */ + { -1, -1, 75 }, /* 115: (5, 4) 16 bits */ + { -1, -1, 67 }, /* 116: (5,-4) 16 bits */ + { 118, 119, -1 }, /* 117: */ + { -1, -1, 86 }, /* 118: (6, 2) 16 bits */ + { -1, -1, 82 }, /* 119: (6,-2) 16 bits */ + { 121, 136, -1 }, /* 120: */ + { 122, 129, -1 }, /* 121: */ + { 123, 126, -1 }, /* 122: */ + { 124, 125, -1 }, /* 123: */ + { -1, -1, 51 }, /* 124: (3, 6) 16 bits */ + { -1, -1, 39 }, /* 125: (3,-6) 16 bits */ + { 127, 128, -1 }, /* 126: */ + { -1, -1, 87 }, /* 127: (6, 3) 16 bits */ + { -1, -1, 81 }, /* 128: (6,-3) 16 bits */ + { 130, 133, -1 }, /* 129: */ + { 131, 132, -1 }, /* 130: */ + { -1, -1, 76 }, /* 131: (5, 5) 16 bits */ + { -1, -1, 66 }, /* 132: (5,-5) 16 bits */ + { 134, 135, -1 }, /* 133: */ + { -1, -1, 64 }, /* 134: (4, 6) 16 bits */ + { -1, -1, 52 }, /* 135: (4,-6) 16 bits */ + { 137, 144, -1 }, /* 136: */ + { 138, 141, -1 }, /* 137: */ + { 139, 140, -1 }, /* 138: */ + { -1, -1, 88 }, /* 139: (6, 4) 16 bits */ + { -1, -1, 80 }, /* 140: (6,-4) 16 bits */ + { 142, 143, -1 }, /* 141: */ + { -1, -1, 77 }, /* 142: (5, 6) 16 bits */ + { -1, -1, 65 }, /* 143: (5,-6) 16 bits */ + { 145, 148, -1 }, /* 144: */ + { 146, 147, -1 }, /* 145: */ + { -1, -1, 89 }, /* 146: (6, 5) 16 bits */ + { -1, -1, 79 }, /* 147: (6,-5) 16 bits */ + { 149, 150, -1 }, /* 148: */ + { -1, -1, 90 }, /* 149: (6, 6) 16 bits */ + { -1, -1, 78 }, /* 150: (6,-6) 16 bits */ + { 152, 153, -1 }, /* 151: */ + { -1, -1, 29 }, /* 152: (2,-3) 11 bits */ + { -1, -1, 47 }, /* 153: (3, 2) 11 bits */ + { -1, -1, 34 }, /* 154: (2, 2) 8 bits */ + { -1, -1, 33 }, /* 155: (2, 1) 6 bits */ + { -1, -1, 20 }, /* 156: (1, 1) 4 bits */ + { 158, 159, -1 }, /* 157: */ + { -1, -1, 18 }, /* 158: (1,-1) 4 bits */ + { -1, -1, 8 }, /* 159: (0, 2) 4 bits */ + { 161, 162, -1 }, /* 160: */ + { -1, -1, 6 }, /* 161: (0, 0) 2 bits */ + { 163, 164, -1 }, /* 162: */ + { -1, -1, 19 }, /* 163: (1, 0) 3 bits */ + { 165, 166, -1 }, /* 164: */ + { -1, -1, 4 }, /* 165: (0,-2) 4 bits */ + { 167, 180, -1 }, /* 166: */ + { 168, 169, -1 }, /* 167: */ + { -1, -1, 31 }, /* 168: (2,-1) 6 bits */ + { 170, 179, -1 }, /* 169: */ + { 171, 172, -1 }, /* 170: */ + { -1, -1, 30 }, /* 171: (2,-2) 8 bits */ + { 173, 174, -1 }, /* 172: */ + { -1, -1, 45 }, /* 173: (3, 0) 9 bits */ + { 175, 178, -1 }, /* 174: */ + { 176, 177, -1 }, /* 175: */ + { -1, -1, 43 }, /* 176: (3,-2) 11 bits */ + { -1, -1, 10 }, /* 177: (0, 4) 11 bits */ + { -1, -1, 35 }, /* 178: (2, 3) 10 bits */ + { -1, -1, 9 }, /* 179: (0, 3) 7 bits */ + { -1, -1, 21 }, /* 180: (1, 2) 5 bits */ +}; + +static bliss_huffman_code_tuple_t tuples[] = { + { 19102, 16 }, /* 0: (0,-6) 0100101010011110 */ + { 19085, 16 }, /* 1: (0,-5) 0100101010001101 */ + { 19072, 16 }, /* 2: (0,-4) 0100101010000000 */ + { 72, 8 }, /* 3: (0,-3) 01001000 */ + { 14, 4 }, /* 4: (0,-2) 1110 */ + { 1, 3 }, /* 5: (0,-1) 001 */ + { 2, 2 }, /* 6: (0, 0) 10 */ + { 0, 3 }, /* 7: (0, 1) 000 */ + { 7, 4 }, /* 8: (0, 2) 0111 */ + { 123, 7 }, /* 9: (0, 3) 1111011 */ + { 1965, 11 }, /* 10: (0, 4) 11110101101 */ + { 19084, 16 }, /* 11: (0, 5) 0100101010001100 */ + { 19101, 16 }, /* 12: (0, 6) 0100101010011101 */ + + { 19106, 16 }, /* 13: (1,-6) 0100101010100010 */ + { 19087, 16 }, /* 14: (1,-5) 0100101010001111 */ + { 19074, 16 }, /* 15: (1,-4) 0100101010000010 */ + { 147, 9 }, /* 16: (1,-3) 010010011 */ + { 16, 6 }, /* 17: (1,-2) 010000 */ + { 6, 4 }, /* 18: (1,-1) 0110 */ + { 6, 3 }, /* 19: (1, 0) 110 */ + { 5, 4 }, /* 20: (1, 1) 0101 */ + { 31, 5 }, /* 21: (1, 2) 11111 */ + { 146, 9 }, /* 22: (1, 3) 010010010 */ + { 19073, 16 }, /* 23: (1, 4) 0100101010000001 */ + { 19086, 16 }, /* 24: (1, 5) 0100101010001110 */ + { 19105, 16 }, /* 25: (1, 6) 0100101010100001 */ + + { 19110, 16 }, /* 26: (2,-6) 0100101010100110 */ + { 19094, 16 }, /* 27: (2,-5) 0100101010010110 */ + { 19081, 16 }, /* 28: (2,-4) 0100101010001001 */ + { 598, 11 }, /* 29: (2,-3) 01001010110 */ + { 244, 8 }, /* 30: (2,-2) 11110100 */ + { 60, 6 }, /* 31: (2,-1) 111100 */ + { 17, 6 }, /* 32: (2, 0) 010001 */ + { 19, 6 }, /* 33: (2, 1) 010011 */ + { 75, 8 }, /* 34: (2, 2) 01001011 */ + { 983, 10 }, /* 35: (2, 3) 1111010111 */ + { 19080, 16 }, /* 36: (2, 4) 0100101010001000 */ + { 19093, 16 }, /* 37: (2, 5) 0100101010010101 */ + { 19109, 16 }, /* 38: (2, 6) 0100101010100101 */ + + { 19121, 16 }, /* 39: (3,-6) 0100101010110001 */ + { 19104, 16 }, /* 40: (3,-5) 0100101010100000 */ + { 19089, 16 }, /* 41: (3,-4) 0100101010010001 */ + { 19077, 16 }, /* 42: (3,-3) 0100101010000101 */ + { 1964, 11 }, /* 43: (3,-2) 11110101100 */ + { 297, 10 }, /* 44: (3,-1) 0100101001 */ + { 490, 9 }, /* 45: (3, 0) 111101010 */ + { 296, 10 }, /* 46: (3, 1) 0100101000 */ + { 599, 11 }, /* 47: (3, 2) 01001010111 */ + { 19076, 16 }, /* 48: (3, 3) 0100101010000100 */ + { 19088, 16 }, /* 49: (3, 4) 0100101010010000 */ + { 19103, 16 }, /* 50: (3, 5) 0100101010011111 */ + { 19120, 16 }, /* 51: (3, 6) 0100101010110000 */ + + { 19127, 16 }, /* 52: (4,-6) 0100101010110111 */ + { 19115, 16 }, /* 53: (4,-5) 0100101010101011 */ + { 19100, 16 }, /* 54: (4,-4) 0100101010011100 */ + { 19091, 16 }, /* 55: (4,-3) 0100101010010011 */ + { 19083, 16 }, /* 56: (4,-2) 0100101010001011 */ + { 19079, 16 }, /* 57: (4,-1) 0100101010000111 */ + { 19075, 16 }, /* 58: (4, 0) 0100101010000011 */ + { 19078, 16 }, /* 59: (4, 1) 0100101010000110 */ + { 19082, 16 }, /* 60: (4, 2) 0100101010001010 */ + { 19090, 16 }, /* 61: (4, 3) 0100101010010010 */ + { 19099, 16 }, /* 62: (4, 4) 0100101010011011 */ + { 19114, 16 }, /* 63: (4, 5) 0100101010101010 */ + { 19126, 16 }, /* 64: (4, 6) 0100101010110110 */ + + { 19131, 16 }, /* 65: (5,-6) 0100101010111011 */ + { 19125, 16 }, /* 66: (5,-5) 0100101010110101 */ + { 19117, 16 }, /* 67: (5,-4) 0100101010101101 */ + { 19108, 16 }, /* 68: (5,-3) 0100101010100100 */ + { 19098, 16 }, /* 69: (5,-2) 0100101010011010 */ + { 19096, 16 }, /* 70: (5,-1) 0100101010011000 */ + { 19092, 16 }, /* 71: (5, 0) 0100101010010100 */ + { 19095, 16 }, /* 72: (5, 1) 0100101010010111 */ + { 19097, 16 }, /* 73: (5, 2) 0100101010011001 */ + { 19107, 16 }, /* 74: (5, 3) 0100101010100011 */ + { 19116, 16 }, /* 75: (5, 4) 0100101010101100 */ + { 19124, 16 }, /* 76: (5, 5) 0100101010110100 */ + { 19130, 16 }, /* 77: (5, 6) 0100101010111010 */ + + { 19135, 16 }, /* 78: (6,-6) 0100101010111111 */ + { 19133, 16 }, /* 79: (6,-5) 0100101010111101 */ + { 19129, 16 }, /* 80: (6,-4) 0100101010111001 */ + { 19123, 16 }, /* 81: (6,-3) 0100101010110011 */ + { 19119, 16 }, /* 82: (6,-2) 0100101010101111 */ + { 19113, 16 }, /* 83: (6,-1) 0100101010101001 */ + { 19111, 16 }, /* 84: (6, 0) 0100101010100111 */ + { 19112, 16 }, /* 85: (6, 1) 0100101010101000 */ + { 19118, 16 }, /* 86: (6, 2) 0100101010101110 */ + { 19122, 16 }, /* 87: (6, 3) 0100101010110010 */ + { 19128, 16 }, /* 88: (6, 4) 0100101010111000 */ + { 19132, 16 }, /* 89: (6, 5) 0100101010111100 */ + { 19134, 16 }, /* 90: (6, 6) 0100101010111110 */ +}; + +/* code_length = 3.3967 bits/tuple (1740 bits) */ + +bliss_huffman_code_t bliss_huffman_code_4 = { + .n_z1 = 7, + .n_z2 = 7, + .tuples = tuples, + .nodes = nodes +}; diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_coder.c b/src/libstrongswan/plugins/bliss/bliss_huffman_coder.c new file mode 100644 index 000000000..018ae0efa --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_huffman_coder.c @@ -0,0 +1,138 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY;https://www.hsr.ch/HSR-intern-Anmeldung.4409.0.html?&no_cache=1 without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "bliss_huffman_coder.h" + +typedef struct private_bliss_huffman_coder_t private_bliss_huffman_coder_t; + +/** + * Private data structure for bliss_huffman_coder_t object + */ +struct private_bliss_huffman_coder_t { + /** + * Public interface. + */ + bliss_huffman_coder_t public; + + /** + * Bitpacker to write to or read from + */ + bliss_bitpacker_t *packer; + + /** + * Huffman code table to be used + */ + bliss_huffman_code_t *code; + + /** + * Maximum index into tuples table + */ + int index_max; + + /** + * Number of encoded or decoded bits + */ + size_t bits; + +}; + +METHOD(bliss_huffman_coder_t, get_bits, size_t, + private_bliss_huffman_coder_t *this) +{ + return this->bits; +} + +METHOD(bliss_huffman_coder_t, encode, bool, + private_bliss_huffman_coder_t *this, int32_t z1, int16_t z2) +{ + uint32_t code; + uint16_t bits; + int index; + + index = z1 * (2*this->code->n_z2 - 1) + z2 + this->code->n_z2 - 1; + if (index >= this->index_max) + { + DBG1(DBG_LIB, "index exceeded in Huffman encoding table"); + return FALSE; + } + code = this->code->tuples[index].code; + bits = this->code->tuples[index].bits; + if (!this->packer->write_bits(this->packer, code, bits)) + { + DBG1(DBG_LIB, "bitpacker exceeded its buffer"); + return FALSE; + } + this->bits += bits; + + return TRUE; +} + +METHOD(bliss_huffman_coder_t, decode, bool, + private_bliss_huffman_coder_t *this, int32_t *z1, int16_t *z2) +{ + bliss_huffman_code_node_t *node; + uint32_t bit; + + node = this->code->nodes; + while (node->tuple == BLISS_HUFFMAN_CODE_NO_TUPLE) + { + if (node->node_0 == BLISS_HUFFMAN_CODE_NO_NODE || + node->node_1 == BLISS_HUFFMAN_CODE_NO_NODE) + { + DBG1(DBG_LIB, "error in Huffman decoding table"); + return FALSE; + } + if (!this->packer->read_bits(this->packer, &bit, 1)) + { + DBG1(DBG_LIB, "bitpacker depleted its buffer"); + return FALSE; + } + node = &this->code->nodes[bit ? node->node_1 : node->node_0]; + this->bits++; + } + *z1 = node->tuple / (2*this->code->n_z2 - 1); + *z2 = node->tuple - (2*this->code->n_z2 - 1) * (*z1) - this->code->n_z2 + 1; + + return TRUE; +} + +METHOD(bliss_huffman_coder_t, destroy, void, + private_bliss_huffman_coder_t *this) +{ + free(this); +} + +/** + * See header. + */ +bliss_huffman_coder_t *bliss_huffman_coder_create(bliss_huffman_code_t *code, + bliss_bitpacker_t *packer) +{ + private_bliss_huffman_coder_t *this; + + INIT(this, + .public = { + .get_bits = _get_bits, + .encode = _encode, + .decode = _decode, + .destroy = _destroy, + }, + .packer = packer, + .code = code, + .index_max = (2*code->n_z2 - 1) * code->n_z1, + ); + + return &this->public; +} diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_coder.h b/src/libstrongswan/plugins/bliss/bliss_huffman_coder.h new file mode 100644 index 000000000..59abc49c6 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_huffman_coder.h @@ -0,0 +1,77 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup bliss_huffman_coder bliss_huffman_coder + * @{ @ingroup bliss_p + */ + +#ifndef BLISS_HUFFMAN_CODER_H_ +#define BLISS_HUFFMAN_CODER_H_ + +#include "bliss_huffman_code.h" +#include "bliss_bitpacker.h" + +#include + +typedef struct bliss_huffman_coder_t bliss_huffman_coder_t; + +/** + * Encodes and decodes binary Huffman codes + */ +struct bliss_huffman_coder_t { + + /** + * Get number of encoded or decoded bits + * + * @result Number of bits + */ + size_t (*get_bits)(bliss_huffman_coder_t *this); + + /** + * Encode a (z1, z2) tuple using a Huffman code + * + * @param z1 z1 value to be encoded + * @param z2 z2 value to be encoded + * @result TRUE if value could be encoded + */ + bool (*encode)(bliss_huffman_coder_t *this, int32_t z1, int16_t z2); + + + /** + * Decode a (z1, z2) tuple using a Huffman code + * + * @param z1 Decoded z1 value returned + * @param z2 Decoded z2 value returned + * @result TRUE if value could be decoded from bitpacker + */ + bool (*decode)(bliss_huffman_coder_t *this, int32_t *z1, int16_t *z2); + + /** + * Destroy bliss_huffman_coder_t object + */ + void (*destroy)(bliss_huffman_coder_t *this); +}; + +/** + * Create a bliss_huffman_coder_t object + * + * @param code Huffman code table + * @param packer Bitpacker to write to or read from + */ +bliss_huffman_coder_t* bliss_huffman_coder_create(bliss_huffman_code_t *code, + bliss_bitpacker_t *packer); + +#endif /** BLISS_HUFFMAN_CODER_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/bliss_param_set.c b/src/libstrongswan/plugins/bliss/bliss_param_set.c new file mode 100644 index 000000000..3781a588f --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_param_set.c @@ -0,0 +1,339 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "bliss_param_set.h" + +#include + +ENUM(bliss_param_set_id_names, BLISS_I, BLISS_B_IV, + "BLISS-I", + "BLISS-II", + "BLISS-III", + "BLISS-IV", + "BLISS-B-I", + "BLISS-B-II", + "BLISS-B-III", + "BLISS-B-IV" +); + +/** + * sigma = 215, k_sigma = ceiling[ sqrt(2*ln 2) * sigma ] = 254 + * + * c[i] = exp(-2^i/f), i = 0..20, with f = k_sigma^2 / ln 2 = 93'076.9 + */ +static uint8_t c_bliss_i[] = { + 255, 255, 75, 191, 247, 94, 30, 51, 147, 246, 89, 59, 99, 248, 26, 128, + 255, 254, 151, 128, 109, 166, 88, 143, 30, 175, 149, 20, 240, 81, 138, 111, + 255, 253, 47, 2, 214, 243, 188, 76, 236, 235, 40, 62, 54, 35, 33, 205, + 255, 250, 94, 13, 156, 120, 121, 216, 255, 120, 90, 11, 39, 232, 120, 111, + 255, 244, 188, 58, 242, 219, 157, 174, 6, 31, 131, 75, 88, 109, 112, 107, + 255, 233, 120, 244, 202, 151, 25, 10, 197, 109, 113, 255, 157, 89, 182, 141, + 255, 210, 243, 229, 18, 88, 50, 239, 130, 192, 12, 167, 62, 254, 211, 202, + 255, 165, 239, 183, 102, 186, 123, 249, 251, 59, 116, 143, 50, 174, 125, 198, + 255, 75, 255, 30, 65, 137, 228, 148, 14, 17, 113, 251, 81, 177, 151, 168, + 254, 152, 124, 205, 192, 136, 102, 79, 5, 62, 214, 95, 36, 223, 7, 20, + 253, 50, 242, 124, 187, 59, 68, 224, 90, 156, 53, 202, 9, 44, 191, 226, + 250, 109, 189, 110, 40, 124, 88, 12, 83, 78, 176, 86, 12, 102, 13, 41, + 244, 250, 133, 6, 3, 13, 45, 9, 120, 121, 150, 237, 69, 190, 62, 16, + 234, 110, 130, 187, 138, 174, 82, 229, 217, 154, 88, 138, 228, 153, 230, 13, + 214, 174, 54, 179, 117, 116, 223, 152, 97, 84, 31, 99, 68, 150, 122, 244, + 180, 7, 186, 2, 112, 3, 68, 13, 123, 133, 244, 184, 232, 216, 133, 18, + 126, 154, 221, 207, 32, 206, 66, 171, 94, 100, 164, 194, 117, 191, 1, 209, + 62, 156, 208, 7, 129, 173, 200, 3, 23, 248, 140, 60, 69, 217, 195, 235, + 15, 80, 84, 209, 213, 2, 107, 160, 1, 152, 43, 130, 93, 95, 241, 218, + 0, 234, 131, 37, 182, 53, 201, 231, 26, 2, 151, 161, 13, 214, 150, 145, + 0, 0, 214, 212, 4, 32, 184, 94, 84, 90, 244, 139, 48, 69, 33, 38 +}; + +/** + * sigma = 250, k_sigma = ceiling[ sqrt(2*ln 2) * sigma ] = 295 + * + * c[i] = exp(-2^i/f), i = 0..20, with f = k_sigma^2 / ln 2 = 125'550.5 + */ +static uint8_t c_bliss_iii[] = { + 255, 255, 122, 95, 16, 128, 14, 195, 60, 90, 166, 191, 205, 26, 144, 204, + 255, 254, 244, 190, 102, 192, 187, 141, 169, 92, 33, 30, 170, 141, 184, 56, + 255, 253, 233, 125, 228, 131, 93, 148, 121, 92, 52, 122, 149, 96, 29, 66, + 255, 251, 211, 0, 37, 9, 199, 244, 213, 217, 122, 205, 171, 200, 198, 5, + 255, 247, 166, 17, 185, 251, 90, 150, 1, 28, 7, 205, 125, 46, 84, 201, + 255, 239, 76, 105, 50, 114, 159, 235, 215, 165, 204, 182, 125, 143, 228, 222, + 255, 222, 153, 233, 85, 187, 45, 204, 236, 229, 38, 180, 20, 161, 7, 167, + 255, 189, 56, 46, 38, 4, 83, 8, 151, 137, 136, 1, 9, 180, 58, 204, + 255, 122, 129, 199, 240, 52, 248, 193, 76, 26, 160, 32, 195, 250, 217, 25, + 254, 245, 73, 44, 68, 229, 150, 74, 228, 74, 124, 249, 123, 94, 108, 127, + 253, 235, 168, 56, 252, 93, 188, 160, 249, 137, 236, 65, 62, 182, 153, 63, + 251, 219, 163, 110, 233, 251, 114, 216, 230, 35, 59, 210, 107, 100, 184, 16, + 247, 200, 110, 236, 134, 237, 213, 111, 240, 149, 109, 22, 216, 213, 237, 145, + 239, 212, 98, 249, 238, 1, 227, 248, 242, 51, 211, 134, 154, 115, 189, 83, + 224, 174, 65, 2, 190, 158, 9, 6, 184, 13, 130, 104, 247, 102, 38, 160, + 197, 49, 104, 97, 61, 210, 19, 115, 208, 54, 91, 27, 209, 227, 33, 26, + 151, 229, 20, 46, 200, 238, 35, 134, 72, 183, 253, 160, 193, 155, 117, 103, + 90, 32, 10, 204, 78, 83, 191, 230, 0, 221, 219, 6, 43, 252, 185, 95, + 31, 186, 139, 154, 90, 155, 17, 9, 42, 139, 40, 111, 246, 175, 4, 15, + 3, 238, 181, 190, 138, 94, 50, 234, 128, 193, 95, 36, 65, 236, 170, 208, + 0, 15, 118, 216, 230, 142, 121, 211, 13, 168, 207, 126, 145, 176, 24, 201 +}; + +/** + * sigma = 271, k_sigma = ceiling[ sqrt(2*ln 2) * sigma ] = 320 + * + * c[i] = exp(-2^i/f), i = 0..21, with f = k_sigma^2 / ln 2 = 147'732.0 + */ +static uint8_t c_bliss_iv[] = { + 255, 255, 142, 111, 102, 2, 141, 87, 150, 42, 18, 70, 6, 224, 18, 70, + 255, 255, 28, 222, 254, 102, 20, 78, 133, 78, 189, 107, 29, 7, 23, 193, + 255, 254, 57, 190, 198, 79, 181, 181, 108, 75, 142, 145, 45, 238, 193, 29, + 255, 252, 115, 128, 178, 170, 212, 166, 120, 157, 85, 96, 209, 180, 211, 83, + 255, 248, 231, 13, 253, 108, 245, 46, 238, 155, 30, 99, 141, 228, 149, 239, + 255, 241, 206, 78, 90, 132, 83, 172, 228, 179, 119, 115, 240, 51, 216, 6, + 255, 227, 157, 102, 46, 28, 61, 128, 58, 114, 174, 136, 8, 224, 133, 84, + 255, 199, 61, 242, 19, 216, 133, 241, 240, 22, 146, 43, 92, 57, 82, 248, + 255, 142, 136, 121, 160, 225, 119, 214, 241, 44, 159, 34, 133, 118, 96, 60, + 255, 29, 67, 61, 254, 49, 27, 152, 48, 124, 184, 87, 66, 214, 63, 133, + 254, 59, 79, 77, 206, 26, 238, 42, 69, 81, 191, 149, 146, 76, 255, 232, + 252, 121, 191, 28, 11, 107, 141, 223, 234, 42, 226, 50, 138, 102, 16, 97, + 248, 255, 234, 37, 109, 169, 103, 25, 240, 109, 93, 165, 177, 22, 133, 100, + 242, 48, 213, 124, 209, 49, 33, 48, 57, 237, 202, 62, 102, 132, 219, 48, + 229, 32, 92, 240, 188, 88, 70, 34, 179, 94, 244, 70, 25, 123, 76, 140, + 205, 18, 234, 94, 14, 226, 237, 76, 192, 18, 240, 50, 79, 63, 34, 96, + 164, 71, 76, 192, 111, 161, 157, 188, 19, 189, 133, 246, 67, 127, 6, 28, + 105, 107, 110, 50, 56, 199, 208, 174, 16, 95, 153, 106, 217, 198, 194, 179, + 43, 105, 77, 122, 127, 254, 146, 221, 44, 235, 61, 22, 179, 9, 113, 118, + 7, 92, 139, 87, 204, 239, 111, 200, 41, 129, 122, 49, 69, 113, 122, 239, + 0, 54, 49, 19, 64, 40, 218, 222, 60, 82, 186, 246, 64, 155, 184, 47, + 0, 0, 11, 120, 189, 135, 113, 62, 143, 175, 118, 239, 190, 120, 189, 250 +}; + +/** + * BLISS signature parameter set definitions + */ +static bliss_param_set_t bliss_param_sets[] = { + + /* BLISS-I scheme */ + { + .id = BLISS_I, + .oid = OID_BLISS_I, + .strength = 128, + .q = 12289, + .q_bits = 14, + .q2_inv = 6145, + .n = 512, + .n_bits = 9, + .fft_params = &bliss_fft_12289_512, + .non_zero1 = 154, + .non_zero2 = 0, + .kappa = 23, + .nks_max = 46479, + .p_max = 0, /* not needed */ + .sigma = 215, + .k_sigma = 254, + .k_sigma_bits = 8, + .c = c_bliss_i, + .c_cols = 16, + .c_rows = 21, + .z1_bits = 12, + .d = 10, + .p = 24, + .M = 46539, /* with alpha = 1.000 */ + .B_inf = 2047, /* reduced from 2100 due to 12 bit z1 encoding */ + .B_l2 = 12872 * 12872 + }, + + /* BLISS-III scheme */ + { + .id = BLISS_III, + .oid = OID_BLISS_III, + .strength = 160, + .q = 12289, + .q_bits = 14, + .q2_inv = 6145, + .n = 512, + .n_bits = 9, + .fft_params = &bliss_fft_12289_512, + .non_zero1 = 216, + .non_zero2 = 16, + .kappa = 30, + .nks_max = 128626, + .p_max = 0, /* not needed */ + .sigma = 250, + .k_sigma = 295, + .k_sigma_bits = 9, + .c = c_bliss_iii, + .c_cols = 16, + .c_rows = 21, + .z1_bits = 12, + .d = 9, + .p = 48, + .M = 128113, /* with alpha = 0.700 */ + .B_inf = 1760, + .B_l2 = 10206 * 10206 + }, + + /* BLISS-IV scheme */ + { + .id = BLISS_IV, + .oid = OID_BLISS_IV, + .strength = 192, + .q = 12289, + .q_bits = 14, + .q2_inv = 6145, + .n = 512, + .n_bits = 9, + .fft_params = &bliss_fft_12289_512, + .non_zero1 = 231, + .non_zero2 = 31, + .kappa = 39, + .nks_max = 244669, + .p_max = 0, /* not needed */ + .sigma = 271, + .k_sigma = 320, + .k_sigma_bits = 9, + .c = c_bliss_iv, + .c_cols = 16, + .c_rows = 22, + .z1_bits = 12, + .d = 8, + .p = 96, + .M = 244186, /* with alpha = 0.550 */ + .B_inf = 1613, + .B_l2 = 9901 * 9901 + }, + + /* BLISS-B-I scheme */ + { + .id = BLISS_B_I, + .oid = OID_BLISS_B_I, + .strength = 128, + .q = 12289, + .q_bits = 14, + .q2_inv = 6145, + .n = 512, + .n_bits = 9, + .fft_params = &bliss_fft_12289_512, + .non_zero1 = 154, + .non_zero2 = 0, + .kappa = 23, + .nks_max = 0, /* not needed */ + .p_max = 17825, + .sigma = 215, + .k_sigma = 254, + .k_sigma_bits = 8, + .c = c_bliss_i, + .c_cols = 16, + .c_rows = 21, + .z1_bits = 12, + .d = 10, + .p = 24, + .M = 17954, /* with alpha = 1.610 */ + .B_inf = 2047, /* reduced from 2100 due to 12 bit z1 encoding */ + .B_l2 = 12872 * 12872 + }, + + /* BLISS-B-III scheme */ + { + .id = BLISS_B_III, + .oid = OID_BLISS_B_III, + .strength = 160, + .q = 12289, + .q_bits = 14, + .q2_inv = 6145, + .n = 512, + .n_bits = 9, + .fft_params = &bliss_fft_12289_512, + .non_zero1 = 216, + .non_zero2 = 16, + .kappa = 30, + .nks_max = 0, /* not needed */ + .p_max = 42270, + .sigma = 250, + .k_sigma = 295, + .k_sigma_bits = 9, + .c = c_bliss_iii, + .c_cols = 16, + .c_rows = 21, + .z1_bits = 12, + .d = 9, + .p = 48, + .M = 42455, /* with alpha = 1.216 */ + .B_inf = 1760, + .B_l2 = 10206 * 10206 + }, + + /* BLISS-B-IV scheme */ + { + .id = BLISS_B_IV, + .oid = OID_BLISS_B_IV, + .strength = 192, + .q = 12289, + .q_bits = 14, + .q2_inv = 6145, + .n = 512, + .n_bits = 9, + .fft_params = &bliss_fft_12289_512, + .non_zero1 = 231, + .non_zero2 = 31, + .kappa = 39, + .nks_max = 0, /* not needed */ + .p_max = 69576, + .sigma = 271, + .k_sigma = 320, + .k_sigma_bits = 9, + .c = c_bliss_iv, + .c_cols = 16, + .c_rows = 22, + .z1_bits = 12, + .d = 8, + .p = 96, + .M = 70034, /* with alpha = 1.027 */ + .B_inf = 1613, + .B_l2 = 9901 * 9901 + } + +}; + +/** + * See header. + */ +bliss_param_set_t* bliss_param_set_get_by_id(bliss_param_set_id_t id) +{ + int i; + + for (i = 0; i < countof(bliss_param_sets); i++) + { + if (bliss_param_sets[i].id == id) + { + return &bliss_param_sets[i]; + } + } + return NULL; +} + + +/** + * See header. + */ +bliss_param_set_t* bliss_param_set_get_by_oid(int oid) +{ + int i; + + for (i = 0; i < countof(bliss_param_sets); i++) + { + if (bliss_param_sets[i].oid == oid) + { + return &bliss_param_sets[i]; + } + } + return NULL; +} diff --git a/src/libstrongswan/plugins/bliss/bliss_param_set.h b/src/libstrongswan/plugins/bliss/bliss_param_set.h new file mode 100644 index 000000000..33a8009ff --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_param_set.h @@ -0,0 +1,201 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup bliss_param_set bliss_param_set + * @{ @ingroup bliss_p + */ + +#ifndef BLISS_PARAM_SET_H_ +#define BLISS_PARAM_SET_H_ + +typedef enum bliss_param_set_id_t bliss_param_set_id_t; +typedef struct bliss_param_set_t bliss_param_set_t; + +#include "bliss_fft_params.h" +#include "bliss_huffman_code.h" + +#include + +/** + * BLISS signature parameter set ID list + */ +enum bliss_param_set_id_t { + BLISS_I = 1, + BLISS_II = 2, + BLISS_III = 3, + BLISS_IV = 4, + BLISS_B_I = 5, + BLISS_B_II = 6, + BLISS_B_III = 7, + BLISS_B_IV = 8 +}; + +extern enum_name_t *bliss_param_set_id_names; + +/** + * BLISS + */ +struct bliss_param_set_t { + + /** + * BLISS parameter set ID + */ + bliss_param_set_id_t id; + + /** + * BLISS parameter set OID + */ + int oid; + + /** + * Security strength in bits + */ + uint16_t strength; + + /** + * Prime modulus + */ + uint16_t q; + + /** + * Number of bits in q + */ + uint16_t q_bits; + + /** + * Inverse of (q + 2) mod 2q + */ + uint16_t q2_inv; + + /** + * Ring dimension equal to the number of polynomial coefficients + */ + uint16_t n; + + /** + * Number of bits in n + */ + uint16_t n_bits; + + /** + * FFT parameters + */ + bliss_fft_params_t *fft_params; + + /** + * Number of [-1, +1] secret key coefficients + */ + uint16_t non_zero1; + + /** + * Number of [-2, +2] secret key coefficients + */ + uint16_t non_zero2; + + /** + * Number of secret key terms that go into Nk(S) norm + */ + uint16_t kappa; + + /** + * Maximum Nk(S) tolerable NK(S) norm (BLISS only) + */ + uint32_t nks_max; + + /** + * Maximum value Pmax for ||Sc'||^2 norm (BLISS-B only) + */ + uint32_t p_max; + + /** + * Standard deviation sigma + */ + uint16_t sigma; + + /** + * k_sigma = ceiling[ sqrt(2*ln 2) * sigma ] + */ + uint16_t k_sigma; + + /** + * Number of bits in k_sigma + */ + uint16_t k_sigma_bits; + + /** + * Coefficients for Bernoulli sampling with exponential biases + */ + uint8_t *c; + + /** + * Number of columns in Bernoulli coefficient table + */ + size_t c_cols; + + /** + * Number of rows in Bernoulli coefficient table + */ + size_t c_rows; + + /** + * Number of bits in z1 + */ + uint16_t z1_bits; + + /** + * Number of z2 bits to be dropped after rounding + */ + uint16_t d; + + /** + * Modulus p = floor(2q / 2^d) applied after bit dropping + */ + uint16_t p; + + /** + * M = sigma^2 / alpha_rejection^2 + */ + uint32_t M; + + /** + * B_infinity bound + */ + uint16_t B_inf; + + /** + * B_verify bound + */ + uint32_t B_l2; + +}; + +/** + * Get BLISS signature parameter set by BLISS parameter set ID + * + * @param id BLISS parameter set ID + * @return BLISS parameter set +*/ +bliss_param_set_t* bliss_param_set_get_by_id(bliss_param_set_id_t id); + +/** + * Get BLISS signature parameter set by BLISS parameter set OID + * + * @param oid BLISS parameter set OID + * @return BLISS parameter set +*/ +bliss_param_set_t* bliss_param_set_get_by_oid(int oid); + +#endif /** BLISS_PARAM_SET_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/bliss_plugin.c b/src/libstrongswan/plugins/bliss/bliss_plugin.c new file mode 100644 index 000000000..07597c318 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_plugin.c @@ -0,0 +1,101 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "bliss_plugin.h" +#include "bliss_private_key.h" +#include "bliss_public_key.h" + +#include + +typedef struct private_bliss_plugin_t private_bliss_plugin_t; + +/** + * private data of bliss_plugin + */ +struct private_bliss_plugin_t { + + /** + * public functions + */ + bliss_plugin_t public; +}; + +METHOD(plugin_t, get_name, char*, + private_bliss_plugin_t *this) +{ + return "bliss"; +} + +METHOD(plugin_t, get_features, int, + private_bliss_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + /* private/public keys */ + PLUGIN_REGISTER(PRIVKEY, bliss_private_key_load, TRUE), + PLUGIN_PROVIDE(PRIVKEY, KEY_BLISS), + PLUGIN_REGISTER(PRIVKEY, bliss_private_key_load, TRUE), + PLUGIN_PROVIDE(PRIVKEY, KEY_ANY), + PLUGIN_REGISTER(PRIVKEY_GEN, bliss_private_key_gen, FALSE), + PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_BLISS), + PLUGIN_DEPENDS(RNG, RNG_TRUE), + PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE), + PLUGIN_PROVIDE(PUBKEY, KEY_BLISS), + PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE), + PLUGIN_PROVIDE(PUBKEY, KEY_ANY), + /* signature schemes, private */ + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA256), + PLUGIN_DEPENDS(HASHER, HASH_SHA256), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA384), + PLUGIN_DEPENDS(HASHER, HASH_SHA384), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA512), + PLUGIN_DEPENDS(HASHER, HASH_SHA512), + /* signature verification schemes */ + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA256), + PLUGIN_DEPENDS(HASHER, HASH_SHA256), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA384), + PLUGIN_DEPENDS(HASHER, HASH_SHA384), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA512), + PLUGIN_DEPENDS(HASHER, HASH_SHA512), + }; + *features = f; + + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_bliss_plugin_t *this) +{ + free(this); +} + +/* + * see header file + */ +plugin_t *bliss_plugin_create() +{ + private_bliss_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + }, + ); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/bliss/bliss_plugin.h b/src/libstrongswan/plugins/bliss/bliss_plugin.h new file mode 100644 index 000000000..d3d80ac5d --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup bliss_p bliss + * @ingroup plugins + * + * @defgroup bliss_plugin bliss_plugin + * @{ @ingroup bliss_p + */ + +#ifndef BLISS_PLUGIN_H_ +#define BLISS_PLUGIN_H_ + +#include + +typedef struct bliss_plugin_t bliss_plugin_t; + +/** + * Plugin implementing the BLISS post-quantu authentication algorithm + */ +struct bliss_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** BLISS_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.c b/src/libstrongswan/plugins/bliss/bliss_private_key.c new file mode 100644 index 000000000..e1064d2f2 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_private_key.c @@ -0,0 +1,1316 @@ +/* + * Copyright (C) 2014-2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "bliss_private_key.h" +#include "bliss_public_key.h" +#include "bliss_param_set.h" +#include "bliss_utils.h" +#include "bliss_sampler.h" +#include "bliss_signature.h" +#include "bliss_bitpacker.h" +#include "bliss_fft.h" + +#include +#include +#include +#include + +#define _GNU_SOURCE +#include + +typedef struct private_bliss_private_key_t private_bliss_private_key_t; + +#define SECRET_KEY_TRIALS_MAX 50 + +/** + * Private data of a bliss_private_key_t object. + */ +struct private_bliss_private_key_t { + /** + * Public interface for this signer. + */ + bliss_private_key_t public; + + /** + * BLISS signature parameter set + */ + bliss_param_set_t *set; + + /** + * BLISS secret key S1 (coefficients of polynomial f) + */ + int8_t *s1; + + /** + * BLISS secret key S2 (coefficients of polynomial 2g + 1) + */ + int8_t *s2; + + /** + * NTT of BLISS public key a (coefficients of polynomial (2g + 1)/f) + */ + uint32_t *A; + + /** + * reference count + */ + refcount_t ref; +}; + +METHOD(private_key_t, get_type, key_type_t, + private_bliss_private_key_t *this) +{ + return KEY_BLISS; +} + +/** + * Multiply secret vector s with binary challenge vector c + */ +static void multiply_by_c(int8_t *s, int n, uint16_t *c_indices, + uint16_t kappa, int32_t *product) +{ + int i, j, index; + + for (i = 0; i < n; i++) + { + product[i] = 0; + + for (j = 0; j < kappa; j++) + { + index = c_indices[j]; + if (i - index < 0) + { + product[i] -= s[i - index + n]; + } + else + { + product[i] += s[i - index]; + } + } + } +} + +/** + * BLISS-B GreedySC algorithm + */ +static void greedy_sc(int8_t *s1, int8_t *s2, int n, uint16_t *c_indices, + uint16_t kappa, int32_t *v1, int32_t *v2) +{ + int i, j, index; + int32_t sign; + + for (i = 0; i < n; i++) + { + v1[i] = v2[i] = 0; + } + for (j = 0; j < kappa; j++) + { + index = c_indices[j]; + sign = 0; + + for (i = 0; i < index; i++) + { + sign -= (v1[i] * s1[i - index + n] + v2[i] * s2[i - index + n]); + } + for (i = index; i < n; i++) + { + sign += (v1[i] * s1[i - index] + v2[i] * s2[i - index]); + } + for (i = 0; i < index; i++) + { + if (sign > 0) + { + v1[i] += s1[i - index + n]; + v2[i] += s2[i - index + n]; + } + else + { + v1[i] -= s1[i - index + n]; + v2[i] -= s2[i - index + n]; + } + } + for (i = index; i < n; i++) + { + if (sign > 0) + { + v1[i] -= s1[i - index]; + v2[i] -= s2[i - index]; + } + else + { + v1[i] += s1[i - index]; + v2[i] += s2[i - index]; + } + } + } +} + +/** + * Compute a BLISS signature + */ +static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg, + chunk_t data, chunk_t *signature) +{ + bliss_fft_t *fft; + bliss_signature_t *sig; + bliss_sampler_t *sampler = NULL; + rng_t *rng; + hasher_t *hasher; + hash_algorithm_t mgf1_alg; + size_t mgf1_seed_len; + uint8_t mgf1_seed_buf[HASH_SIZE_SHA512], data_hash_buf[HASH_SIZE_SHA512]; + chunk_t mgf1_seed, data_hash; + uint16_t q, q2, p, p2, *c_indices, tests = 0; + uint32_t *ay; + int32_t *y1, *y2, *z1, *z2, *u, *s1c, *s2c; + int32_t y1_min = 0, y1i, y1_max = 0, y2_min = 0, y2i, y2_max = 0; + int32_t scalar, norm, ui; + int16_t *ud, *uz2d, *z2d, value; + int i, n; + double mean1 = 0, mean2 = 0, sigma1 = 0, sigma2 = 0; + bool accepted, positive, success = FALSE, use_bliss_b; + + /* Initialize signature */ + *signature = chunk_empty; + + /* Create data hash */ + hasher = lib->crypto->create_hasher(lib->crypto, alg); + if (!hasher) + { + return FALSE; + } + data_hash = chunk_create(data_hash_buf, hasher->get_hash_size(hasher)); + + if (!hasher->get_hash(hasher, data, data_hash_buf)) + { + hasher->destroy(hasher); + return FALSE; + } + hasher->destroy(hasher); + + /* Create SHA512 hasher for c_indices oracle */ + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512); + if (!hasher) + { + return FALSE; + } + + /* Set MGF1 hash algorithm and seed length based on security strength */ + if (this->set->strength > 160) + { + mgf1_alg = HASH_SHA256; + mgf1_seed_len = HASH_SIZE_SHA256; + } + else + { + mgf1_alg = HASH_SHA1; + mgf1_seed_len = HASH_SIZE_SHA1; + } + mgf1_seed = chunk_create(mgf1_seed_buf, mgf1_seed_len); + + rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); + if (!rng) + { + hasher->destroy(hasher); + return FALSE; + } + + /* Initialize a couple of needed variables */ + n = this->set->n; + q = this->set->q; + p = this->set->p; + q2 = 2 * q; + p2 = p / 2; + ay = malloc(n * sizeof(uint32_t)); + z2 = malloc(n * sizeof(int32_t)); + s1c = malloc(n * sizeof(int32_t)); + s2c = malloc(n * sizeof(int32_t)); + u = malloc(n * sizeof(int32_t)); + uz2d = malloc(n * sizeof(int16_t)); + + sig = bliss_signature_create(this->set); + sig->get_parameters(sig, &z1, &z2d, &c_indices); + y1 = z1; + y2 = z2; + ud = z2d; + + fft = bliss_fft_create(this->set->fft_params); + + /* Use of the enhanced BLISS-B signature algorithm? */ + switch (this->set->id) + { + default: + case BLISS_I: + case BLISS_II: + case BLISS_III: + case BLISS_IV: + use_bliss_b = FALSE; + break; + case BLISS_B_I: + case BLISS_B_II: + case BLISS_B_III: + case BLISS_B_IV: + use_bliss_b = TRUE; + break; + } + + while (true) + { + tests++; + + if (!rng->get_bytes(rng, mgf1_seed_len, mgf1_seed_buf)) + { + goto end; + } + DESTROY_IF(sampler); + + sampler = bliss_sampler_create(mgf1_alg, mgf1_seed, this->set); + if (!sampler) + { + goto end; + } + + /* Gaussian sampling for vectors y1 and y2 */ + for (i = 0; i < n; i++) + { + if (!sampler->gaussian(sampler, &y1i) || + !sampler->gaussian(sampler, &y2i)) + { + goto end; + } + y1[i] = y1i; + y2[i] = y2i; + + /* Collect statistical data on rejection sampling */ + if (i == 0) + { + y1_min = y1_max = y1i; + y2_min = y2_max = y2i; + } + else + { + if (y1i < y1_min) + { + y1_min = y1i; + } + else if (y1i > y1_max) + { + y1_max = y1i; + } + if (y2i < y2_min) + { + y2_min = y2i; + } + else if (y2i > y2_max) + { + y2_max = y2i; + } + } + mean1 += y1i; + mean2 += y2i; + sigma1 += y1i * y1i; + sigma2 += y2i * y2i; + + ay[i] = y1i < 0 ? q + y1i : y1i; + } + + /* Compute statistics on vectors y1 and y2 */ + mean1 /= n; + mean2 /= n; + sigma1 /= n; + sigma2 /= n; + sigma2 -= mean1 * mean1; + sigma2 -= mean2 * mean2; + DBG2(DBG_LIB, "y1 = %d..%d (sigma2 = %5.0f, mean = %4.1f)", + y1_min, y1_max, sigma1, mean1); + DBG2(DBG_LIB, "y2 = %d..%d (sigma2 = %5.0f, mean = %4.1f)", + y2_min, y2_max, sigma2, mean2); + + fft->transform(fft, ay, ay, FALSE); + + for (i = 0; i < n; i++) + { + ay[i] = (this->A[i] * ay[i]) % q; + } + fft->transform(fft, ay, ay, TRUE); + + for (i = 0; i < n; i++) + { + ui = 2 * this->set->q2_inv * (int32_t)ay[i] + y2[i]; + u[i] = ((ui < 0) ? q2 + ui : ui) % q2; + } + bliss_utils_round_and_drop(this->set, u, ud); + + /* Detailed debugging information */ + DBG3(DBG_LIB, " i u[i] ud[i]"); + for (i = 0; i < n; i++) + { + DBG3(DBG_LIB, "%3d %6d %4d", i, u[i], ud[i]); + } + + if (!bliss_utils_generate_c(hasher, data_hash, ud, n, this->set->kappa, + c_indices)) + { + goto end; + } + + if (use_bliss_b) + { + /* Compute v = (s1c, s2c) with the GreedySC algorithm */ + greedy_sc(this->s1, this->s2, n, c_indices, this->set->kappa, + s1c, s2c); + + /* Compute norm = ||v||^2 = ||Sc'||^2 */ + norm = bliss_utils_scalar_product(s1c, s1c, n) + + bliss_utils_scalar_product(s2c, s2c, n); + + /* Just in case. ||v||^2 <= P_max should always be fulfilled */ + if (norm > this->set->p_max) + { + goto end; + } + } + else + { + /* Compute s*c */ + multiply_by_c(this->s1, n, c_indices, this->set->kappa, s1c); + multiply_by_c(this->s2, n, c_indices, this->set->kappa, s2c); + + /* Compute norm = |Sc||^2 */ + norm = bliss_utils_scalar_product(s1c, s1c, n) + + bliss_utils_scalar_product(s2c, s2c, n); + } + + if (!sampler->bernoulli_exp(sampler, this->set->M - norm, &accepted)) + { + goto end; + } + if (use_bliss_b) + { + DBG2(DBG_LIB, "norm2(s1*c') + norm2(s2*c') = %u (%u max), %s", + norm, this->set->p_max, accepted ? "accepted" : "rejected"); + + } + else + { + DBG2(DBG_LIB, "norm2(s1*c) + norm2(s2*c) = %u, %s", + norm, accepted ? "accepted" : "rejected"); + } + if (!accepted) + { + continue; + } + + /* Compute z */ + if (!sampler->sign(sampler, &positive)) + { + goto end; + } + for (i = 0; i < n; i++) + { + if (positive) + { + z1[i] = y1[i] + s1c[i]; + z2[i] = y2[i] + s2c[i]; + } + else + { + z1[i] = y1[i] - s1c[i]; + z2[i] = y2[i] - s2c[i]; + } + } + /* Reject with probability 1/cosh(scalar/sigma^2) */ + scalar = bliss_utils_scalar_product(z1, s1c, n) + + bliss_utils_scalar_product(z2, s2c, n); + + if (!sampler->bernoulli_cosh(sampler, scalar, &accepted)) + { + goto end; + } + DBG2(DBG_LIB, "scalar(z1,s1*c) + scalar(z2,s2*c) = %d, %s", + scalar, accepted ? "accepted" : "rejected"); + if (!accepted) + { + continue; + } + + /* Compute z2 with dropped bits */ + for (i = 0; i < n; i++) + { + u[i] -= z2[i]; + if (u[i] < 0) + { + u[i] += q2; + } + else if (u[i] >= q2) + { + u[i] -= q2; + } + } + bliss_utils_round_and_drop(this->set, u, uz2d); + + for (i = 0; i < n; i++) + { + value = ud[i] - uz2d[i]; + if (value <= -p2) + { + value += p; + } + else if (value > p2) + { + value -= p; + } + z2d[i] = value; + } + + if (!bliss_utils_check_norms(this->set, z1, z2d)) + { + continue; + } + + *signature = sig->get_encoding(sig); + if (signature->len == 0) + { + DBG1(DBG_LIB, "inefficient Huffman coding of signature"); + continue; + } + DBG2(DBG_LIB, "signature generation needed %u round%s", tests, + (tests == 1) ? "" : "s"); + break; + } + success = TRUE; + +end: + /* cleanup */ + DESTROY_IF(sampler); + hasher->destroy(hasher); + sig->destroy(sig); + fft->destroy(fft); + rng->destroy(rng); + memwipe(s1c, n * sizeof(int32_t)); + memwipe(s2c, n * sizeof(int32_t)); + free(s1c); + free(s2c); + free(ay); + free(z2); + free(u); + free(uz2d); + + return success; +} + +METHOD(private_key_t, sign, bool, + private_bliss_private_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t *signature) +{ + switch (scheme) + { + case SIGN_BLISS_WITH_SHA256: + return sign_bliss(this, HASH_SHA256, data, signature); + case SIGN_BLISS_WITH_SHA384: + return sign_bliss(this, HASH_SHA384, data, signature); + case SIGN_BLISS_WITH_SHA512: + return sign_bliss(this, HASH_SHA512, data, signature); + default: + DBG1(DBG_LIB, "signature scheme %N not supported with BLISS", + signature_scheme_names, scheme); + return FALSE; + } +} + +METHOD(private_key_t, decrypt, bool, + private_bliss_private_key_t *this, encryption_scheme_t scheme, + chunk_t crypto, chunk_t *plain) +{ + DBG1(DBG_LIB, "encryption scheme %N not supported", + encryption_scheme_names, scheme); + return FALSE; +} + +METHOD(private_key_t, get_keysize, int, + private_bliss_private_key_t *this) +{ + return this->set->strength; +} + +METHOD(private_key_t, get_public_key, public_key_t*, + private_bliss_private_key_t *this) +{ + public_key_t *public; + chunk_t pubkey; + + pubkey = bliss_public_key_info_encode(this->set->oid, this->A, this->set); + public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_BLISS, + BUILD_BLOB_ASN1_DER, pubkey, BUILD_END); + free(pubkey.ptr); + + return public; +} + +METHOD(private_key_t, get_encoding, bool, + private_bliss_private_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) +{ + switch (type) + { + case PRIVKEY_ASN1_DER: + case PRIVKEY_PEM: + { + chunk_t s1, s2, pubkey; + bliss_bitpacker_t *packer; + size_t s_bits; + int8_t value; + bool success = TRUE; + int i; + + pubkey = bliss_public_key_encode(this->A, this->set); + + /* Use either 2 or 3 bits per array element */ + s_bits = 2 + (this->set->non_zero2 > 0); + + /* Encode secret s1 */ + packer = bliss_bitpacker_create(s_bits * this->set->n); + for (i = 0; i < this->set->n; i++) + { + packer->write_bits(packer, this->s1[i], s_bits); + } + s1 = packer->extract_buf(packer); + packer->destroy(packer); + + /* Encode secret s2 */ + packer = bliss_bitpacker_create(s_bits * this->set->n); + for (i = 0; i < this->set->n; i++) + { + value = this->s2[i]; + if (i == 0) + { + value -= 1; + } + value /= 2; + packer->write_bits(packer, value, s_bits); + } + s2 = packer->extract_buf(packer); + packer->destroy(packer); + + *encoding = asn1_wrap(ASN1_SEQUENCE, "mmss", + asn1_build_known_oid(this->set->oid), + asn1_bitstring("m", pubkey), + asn1_bitstring("m", s1), + asn1_bitstring("m", s2) + ); + if (type == PRIVKEY_PEM) + { + chunk_t asn1_encoding = *encoding; + + success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM, + NULL, encoding, CRED_PART_BLISS_PRIV_ASN1_DER, + asn1_encoding, CRED_PART_END); + chunk_clear(&asn1_encoding); + } + return success; + } + default: + return FALSE; + } +} + +METHOD(private_key_t, get_fingerprint, bool, + private_bliss_private_key_t *this, cred_encoding_type_t type, chunk_t *fp) +{ + bool success; + + if (lib->encoding->get_cache(lib->encoding, type, this, fp)) + { + return TRUE; + } + success = bliss_public_key_fingerprint(this->set->oid, this->A, + this->set, type, fp); + if (success) + { + lib->encoding->cache(lib->encoding, type, this, *fp); + } + return success; +} + +METHOD(private_key_t, get_ref, private_key_t*, + private_bliss_private_key_t *this) +{ + ref_get(&this->ref); + return &this->public.key; +} + +METHOD(private_key_t, destroy, void, + private_bliss_private_key_t *this) +{ + if (ref_put(&this->ref)) + { + lib->encoding->clear_cache(lib->encoding, this); + if (this->s1) + { + memwipe(this->s1, this->set->n * sizeof(int8_t)); + free(this->s1); + } + if (this->s2) + { + memwipe(this->s2, this->set->n * sizeof(int8_t)); + free(this->s2); + } + free(this->A); + free(this); + } +} + +/** + * Internal generic constructor + */ +static private_bliss_private_key_t *bliss_private_key_create_empty(void) +{ + private_bliss_private_key_t *this; + + INIT(this, + .public = { + .key = { + .get_type = _get_type, + .sign = _sign, + .decrypt = _decrypt, + .get_keysize = _get_keysize, + .get_public_key = _get_public_key, + .equals = private_key_equals, + .belongs_to = private_key_belongs_to, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = private_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .ref = 1, + ); + return this; +} + +/** + * Compute the scalar product of a vector x with a negative wrapped vector y + */ +static int16_t wrapped_product(int8_t *x, int8_t *y, int n, int shift) +{ + int16_t product = 0; + int i; + + for (i = 0; i < n - shift; i++) + { + product += x[i] * y[i + shift]; + } + for (i = n - shift; i < n; i++) + { + product -= x[i] * y[i + shift - n]; + } + return product; +} + +/** + * Apply a negative wrapped rotation to a vector x + */ +static void wrap(int16_t *x, int n, int shift, int16_t *x_wrapped) +{ + int i; + + for (i = 0; i < n - shift; i++) + { + x_wrapped[i + shift] = x[i]; + } + for (i = n - shift; i < n; i++) + { + x_wrapped[i + shift - n] = -x[i]; + } +} + +/** + * int16_t compare function needed for qsort() + */ +static int compare(const int16_t *a, const int16_t *b) +{ + int16_t temp = *a - *b; + + if (temp > 0) + { + return 1; + } + else if (temp < 0) + { + return -1; + } + else + { + return 0; + } +} + +/** + * Compute the Nk(S) norm of S = (s1, s2) + */ +static uint32_t nks_norm(int8_t *s1, int8_t *s2, int n, uint16_t kappa) +{ + int16_t t[n], t_wrapped[n], max_kappa[n]; + uint32_t nks = 0; + int i, j; + + for (i = 0; i < n; i++) + { + t[i] = wrapped_product(s1, s1, n, i) + wrapped_product(s2, s2, n, i); + } + + for (i = 0; i < n; i++) + { + wrap(t, n, i, t_wrapped); + qsort(t_wrapped, n, sizeof(int16_t), (__compar_fn_t)compare); + max_kappa[i] = 0; + + for (j = 1; j <= kappa; j++) + { + max_kappa[i] += t_wrapped[n - j]; + } + } + qsort(max_kappa, n, sizeof(int16_t), (__compar_fn_t)compare); + + for (i = 1; i <= kappa; i++) + { + nks += max_kappa[n - i]; + } + return nks; +} + +/** + * Compute the inverse x1 of x modulo q as x^(-1) = x^(q-2) mod q + */ +static uint32_t invert(uint32_t x, uint16_t q) +{ + uint32_t x1, x2; + uint16_t q2; + int i, i_max; + + q2 = q - 2; + x1 = (q2 & 1) ? x : 1; + x2 = x; + i_max = 15; + + while ((q2 & (1 << i_max)) == 0) + { + i_max--; + } + for (i = 1; i <= i_max; i++) + { + x2 = (x2 * x2) % q; + + if (q2 & (1 << i)) + { + x1 = (x1 * x2) % q; + } + } + + return x1; +} + +/** + * Create a vector with sparse and small coefficients from seed + */ +static int8_t* create_vector_from_seed(private_bliss_private_key_t *this, + hash_algorithm_t alg, chunk_t seed) +{ + mgf1_bitspender_t *bitspender; + uint32_t index, sign; + int8_t *vector; + int non_zero; + + bitspender = mgf1_bitspender_create(alg, seed, FALSE); + if (!bitspender) + { + return NULL; + } + + vector = malloc(sizeof(int8_t) * this->set->n); + memset(vector, 0x00, this->set->n); + + non_zero = this->set->non_zero1; + while (non_zero) + { + if (!bitspender->get_bits(bitspender, this->set->n_bits, &index)) + { + free(vector); + return NULL; + } + if (vector[index] != 0) + { + continue; + } + + if (!bitspender->get_bits(bitspender, 1, &sign)) + { + free(vector); + return NULL; + } + vector[index] = sign ? 1 : -1; + non_zero--; + } + + non_zero = this->set->non_zero2; + while (non_zero) + { + if (!bitspender->get_bits(bitspender, this->set->n_bits, &index)) + { + free(vector); + return NULL; + } + if (vector[index] != 0) + { + continue; + } + + if (!bitspender->get_bits(bitspender, 1, &sign)) + { + free(vector); + return NULL; + } + vector[index] = sign ? 2 : -2; + non_zero--; + } + bitspender->destroy(bitspender); + + return vector; +} + +/** + * Generate the secret key S = (s1, s2) fulfilling the Nk(S) norm + */ +static bool create_secret(private_bliss_private_key_t *this, rng_t *rng, + int8_t **s1, int8_t **s2, int *trials) +{ + uint8_t seed_buf[32]; + uint8_t *f, *g; + uint32_t l2_norm, nks; + int i, n; + chunk_t seed; + size_t seed_len; + hash_algorithm_t alg; + + n = this->set->n; + *s1 = NULL; + *s2 = NULL; + + /* Set MGF1 hash algorithm and seed length based on security strength */ + if (this->set->strength > 160) + { + alg = HASH_SHA256; + seed_len = HASH_SIZE_SHA256; + } + else + { + alg = HASH_SHA1; + seed_len = HASH_SIZE_SHA1; + } + seed = chunk_create(seed_buf, seed_len); + + while (*trials < SECRET_KEY_TRIALS_MAX) + { + (*trials)++; + + if (!rng->get_bytes(rng, seed_len, seed_buf)) + { + return FALSE; + } + f = create_vector_from_seed(this, alg, seed); + if (f == NULL) + { + return FALSE; + } + if (!rng->get_bytes(rng, seed_len, seed_buf)) + { + free(f); + return FALSE; + } + g = create_vector_from_seed(this, alg, seed); + if (g == NULL) + { + free(f); + return FALSE; + } + + /* Compute 2g + 1 */ + for (i = 0; i < n; i++) + { + g[i] *= 2; + } + g[0] += 1; + + l2_norm = wrapped_product(f, f, n, 0) + wrapped_product(g, g, n, 0); + nks = nks_norm(f, g, n, this->set->kappa); + + switch (this->set->id) + { + case BLISS_I: + case BLISS_II: + case BLISS_III: + case BLISS_IV: + DBG2(DBG_LIB, "l2 norm of s1||s2: %d, Nk(S): %u (%u max)", + l2_norm, nks, this->set->nks_max); + if (nks < this->set->nks_max) + { + *s1 = f; + *s2 = g; + return TRUE; + } + free(f); + free(g); + break; + case BLISS_B_I: + case BLISS_B_II: + case BLISS_B_III: + case BLISS_B_IV: + DBG2(DBG_LIB, "l2 norm of s1||s2: %d, Nk(S): %u", + l2_norm, nks); + *s1 = f; + *s2 = g; + return TRUE; + } + } + + return FALSE; +} + +/** + * See header. + */ +bliss_private_key_t *bliss_private_key_gen(key_type_t type, va_list args) +{ + private_bliss_private_key_t *this; + u_int key_size = BLISS_B_I; + int i, n, trials = 0; + uint32_t *S1, *S2, *a; + uint16_t q; + bool success = FALSE; + bliss_param_set_t *set; + bliss_fft_t *fft; + rng_t *rng; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_KEY_SIZE: + key_size = va_arg(args, u_int); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + + if (lib->settings->get_bool(lib->settings, "%s.plugins.bliss.use_bliss_b", + TRUE, lib->ns)) + { + switch (key_size) + { + case BLISS_I: + key_size = BLISS_B_I; + break; + case BLISS_II: + key_size = BLISS_B_II; + break; + case BLISS_III: + key_size = BLISS_B_III; + break; + case BLISS_IV: + key_size = BLISS_B_IV; + break; + default: + break; + } + } + + /* Only BLISS or BLISS-B types I, III, or IV are currently supported */ + set = bliss_param_set_get_by_id(key_size); + if (!set) + { + DBG1(DBG_LIB, "BLISS parameter set %u not supported", key_size); + return NULL; + } + + /* Some shortcuts for often used variables */ + n = set->n; + q = set->q; + + if (set->fft_params->n != n || set->fft_params->q != q) + { + DBG1(DBG_LIB, "FFT parameters do not match BLISS parameters"); + return NULL; + } + this = bliss_private_key_create_empty(); + this->set = set; + + /* We derive the public key from the private key using the FFT */ + fft = bliss_fft_create(set->fft_params); + + /* Some vectors needed to derive the publi key */ + S1 = malloc(n * sizeof(uint32_t)); + S2 = malloc(n * sizeof(uint32_t)); + a = malloc(n * sizeof(uint32_t)); + this->A = malloc(n * sizeof(uint32_t)); + + /* Instantiate a true random generator */ + rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE); + + /* Loop until we have an invertible polynomial s1 */ + do + { + if (!create_secret(this, rng, &this->s1, &this->s2, &trials)) + { + break; + } + + /* Convert signed arrays to unsigned arrays before FFT */ + for (i = 0; i < n; i++) + { + S1[i] = (this->s1[i] < 0) ? this->s1[i] + q : this->s1[i]; + S2[i] = (this->s2[i] > 0) ? q - this->s2[i] : -this->s2[i]; + } + fft->transform(fft, S1, S1, FALSE); + fft->transform(fft, S2, S2, FALSE); + + success = TRUE; + for (i = 0; i < n; i++) + { + if (S1[i] == 0) + { + DBG1(DBG_LIB, "S1[%d] is zero - s1 is not invertible", i); + free(this->s1); + free(this->s2); + this->s1 = NULL; + this->s2 = NULL; + success = FALSE; + break; + } + this->A[i] = invert(S1[i], q); + this->A[i] = (S2[i] * this->A[i]) % q; + } + } + while (!success && trials < SECRET_KEY_TRIALS_MAX); + + DBG1(DBG_LIB, "secret key generation %s after %d trial%s", + success ? "succeeded" : "failed", trials, (trials == 1) ? "" : "s"); + + if (success) + { + fft->transform(fft, this->A, a, TRUE); + + DBG4(DBG_LIB, " i f g a F G A"); + for (i = 0; i < n; i++) + { + DBG4(DBG_LIB, "%4d %3d %3d %5u %5u %5u %5u", + i, this->s1[i], this->s2[i], a[i], S1[i], S2[i], this->A[i]); + } + } + else + { + destroy(this); + } + + /* Cleanup */ + fft->destroy(fft); + rng->destroy(rng); + memwipe(S1, n * sizeof(uint32_t)); + memwipe(S2, n * sizeof(uint32_t)); + free(S1); + free(S2); + free(a); + + return success ? &this->public : NULL; +} + +/** + * ASN.1 definition of a BLISS private key + */ +static const asn1Object_t privkeyObjects[] = { + { 0, "BLISSPrivateKey", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "keyType", ASN1_OID, ASN1_BODY }, /* 1 */ + { 1, "public", ASN1_BIT_STRING, ASN1_BODY }, /* 2 */ + { 1, "secret1", ASN1_BIT_STRING, ASN1_BODY }, /* 3 */ + { 1, "secret2", ASN1_BIT_STRING, ASN1_BODY }, /* 4 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } +}; +#define PRIV_KEY_TYPE 1 +#define PRIV_KEY_PUBLIC 2 +#define PRIV_KEY_SECRET1 3 +#define PRIV_KEY_SECRET2 4 + +/** + * See header. + */ +bliss_private_key_t *bliss_private_key_load(key_type_t type, va_list args) +{ + private_bliss_private_key_t *this; + chunk_t key = chunk_empty, object; + bliss_bitpacker_t *packer; + asn1_parser_t *parser; + size_t s_bits = 0; + int8_t s, s_min = 0, s_max = 0; + uint32_t s_sign = 0x02, s_mask = 0xfffffffc, value; + bool success = FALSE; + int objectID, oid, i; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_BLOB_ASN1_DER: + key = va_arg(args, chunk_t); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + + if (key.len == 0) + { + return NULL; + } + this = bliss_private_key_create_empty(); + + parser = asn1_parser_create(privkeyObjects, key); + parser->set_flags(parser, FALSE, TRUE); + + while (parser->iterate(parser, &objectID, &object)) + { + switch (objectID) + { + case PRIV_KEY_TYPE: + oid = asn1_known_oid(object); + if (oid == OID_UNKNOWN) + { + goto end; + } + this->set = bliss_param_set_get_by_oid(oid); + if (this->set == NULL) + { + goto end; + } + if (lib->settings->get_bool(lib->settings, + "%s.plugins.bliss.use_bliss_b",TRUE, lib->ns)) + { + switch (this->set->id) + { + case BLISS_I: + this->set = bliss_param_set_get_by_id(BLISS_B_I); + break; + case BLISS_III: + this->set = bliss_param_set_get_by_id(BLISS_B_III); + break; + case BLISS_IV: + this->set = bliss_param_set_get_by_id(BLISS_B_IV); + break; + default: + break; + } + } + if (this->set->non_zero2) + { + s_min = -2; + s_max = 2; + s_bits = 3; + } + else + { + s_min = -1; + s_max = 1; + s_bits = 2; + } + s_sign = 1 << (s_bits - 1); + s_mask = ((1 << (32 - s_bits)) - 1) << s_bits; + break; + case PRIV_KEY_PUBLIC: + if (!bliss_public_key_from_asn1(object, this->set, &this->A)) + { + goto end; + } + break; + case PRIV_KEY_SECRET1: + if (object.len != 1 + (s_bits * this->set->n + 7)/8) + { + goto end; + } + this->s1 = malloc(this->set->n); + + /* Skip unused bits octet */ + object = chunk_skip(object, 1); + packer = bliss_bitpacker_create_from_data(object); + for (i = 0; i < this->set->n; i++) + { + packer->read_bits(packer, &value, s_bits); + s = (value & s_sign) ? value | s_mask : value; + if (s < s_min || s > s_max) + { + packer->destroy(packer); + goto end; + } + this->s1[i] = s; + } + packer->destroy(packer); + break; + case PRIV_KEY_SECRET2: + if (object.len != 1 + (s_bits * this->set->n + 7)/8) + { + goto end; + } + this->s2 = malloc(this->set->n); + + /* Skip unused bits octet */ + object = chunk_skip(object, 1); + packer = bliss_bitpacker_create_from_data(object); + for (i = 0; i < this->set->n; i++) + { + packer->read_bits(packer, &value, s_bits); + s = (value & s_sign) ? value | s_mask : value; + if (s < s_min || s > s_max) + { + packer->destroy(packer); + goto end; + } + this->s2[i] = 2 * s; + if (i == 0) + { + this->s2[0] += 1; + } + } + packer->destroy(packer); + break; + } + } + success = parser->success(parser); + +end: + parser->destroy(parser); + if (!success) + { + destroy(this); + return NULL; + } + + return &this->public; +} + diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.h b/src/libstrongswan/plugins/bliss/bliss_private_key.h new file mode 100644 index 000000000..cb4ff807a --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_private_key.h @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup bliss_private_key bliss_private_key + * @{ @ingroup bliss_p + */ + +#ifndef BLISS_PRIVATE_KEY_H_ +#define BLISS_PRIVATE_KEY_H_ + +#include +#include + +typedef struct bliss_private_key_t bliss_private_key_t; + +/** + * Private_key_t implementation of BLISS signature algorithm. + */ +struct bliss_private_key_t { + + /** + * Implements private_key_t interface + */ + private_key_t key; +}; + +/** + * Generate a BLISS private key. + * + * Accepts the BUILD_KEY_SIZE argument. + * + * @param type type of the key, must be KEY_BLISS + * @param args builder_part_t argument list + * @return generated key, NULL on failure + */ +bliss_private_key_t *bliss_private_key_gen(key_type_t type, va_list args); + +/** + * Load a BLISS private key. + * + * Accepts BUILD_BLISS_* components. + * + * @param type type of the key, must be KEY_BLISS + * @param args builder_part_t argument list + * @return loaded key, NULL on failure + */ +bliss_private_key_t *bliss_private_key_load(key_type_t type, va_list args); + +#endif /** BLISS_PRIVATE_KEY_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.c b/src/libstrongswan/plugins/bliss/bliss_public_key.c new file mode 100644 index 000000000..0175b0f8e --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_public_key.c @@ -0,0 +1,515 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "bliss_public_key.h" +#include "bliss_signature.h" +#include "bliss_bitpacker.h" +#include "bliss_fft.h" +#include "bliss_utils.h" + +#include +#include +#include + +typedef struct private_bliss_public_key_t private_bliss_public_key_t; + +/** + * Private data structure with signing context. + */ +struct private_bliss_public_key_t { + /** + * Public interface for this signer. + */ + bliss_public_key_t public; + + /** + * BLISS signature parameter set + */ + bliss_param_set_t *set; + + /** + * NTT of BLISS public key a (coefficients of polynomial (2g + 1)/f) + */ + uint32_t *A; + + /** + * reference counter + */ + refcount_t ref; +}; + +METHOD(public_key_t, get_type, key_type_t, + private_bliss_public_key_t *this) +{ + return KEY_BLISS; +} + +/** + * Verify a BLISS signature based on a SHA-512 hash + */ +static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg, + chunk_t data, chunk_t signature) +{ + int i, n; + int32_t *z1, *u; + int16_t *ud, *z2d; + uint16_t q, q2, p, *c_indices, *indices; + uint32_t *az; + uint8_t data_hash_buf[HASH_SIZE_SHA512]; + chunk_t data_hash; + hasher_t *hasher; + bliss_fft_t *fft; + bliss_signature_t *sig; + bool success = FALSE; + + /* Create data hash */ + hasher = lib->crypto->create_hasher(lib->crypto, alg); + if (!hasher ) + { + return FALSE; + } + data_hash = chunk_create(data_hash_buf, hasher->get_hash_size(hasher)); + + if (!hasher->get_hash(hasher, data, data_hash_buf)) + { + hasher->destroy(hasher); + return FALSE; + } + hasher->destroy(hasher); + + /* Create SHA512 hasher for c_indices oracle */ + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512); + if (!hasher) + { + return FALSE; + } + + sig = bliss_signature_create_from_data(this->set, signature); + if (!sig) + { + hasher->destroy(hasher); + return FALSE; + } + sig->get_parameters(sig, &z1, &z2d, &c_indices); + + if (!bliss_utils_check_norms(this->set, z1, z2d)) + { + hasher->destroy(hasher); + sig->destroy(sig); + return FALSE; + } + + /* Initialize a couple of needed variables */ + n = this->set->n; + q = this->set->q; + p = this->set->p; + q2 = 2 * q; + az = malloc(n * sizeof(uint32_t)); + u = malloc(n * sizeof(int32_t)); + ud = malloc(n * sizeof(int16_t)); + indices = malloc(this->set->kappa * sizeof(uint16_t)); + + for (i = 0; i < n; i++) + { + az[i] = z1[i] < 0 ? q + z1[i] : z1[i]; + } + fft = bliss_fft_create(this->set->fft_params); + fft->transform(fft, az, az, FALSE); + + for (i = 0; i < n; i++) + { + az[i] = (this->A[i] * az[i]) % q; + } + fft->transform(fft, az, az, TRUE); + + for (i = 0; i < n; i++) + { + u[i] = (2 * this->set->q2_inv * az[i]) % q2; + } + + for (i = 0; i < this->set->kappa; i++) + { + u[c_indices[i]] = (u[c_indices[i]] + q * this->set->q2_inv) % q2; + } + bliss_utils_round_and_drop(this->set, u, ud); + + for (i = 0; i < n; i++) + { + ud[i] += z2d[i]; + if (ud[i] < 0) + { + ud[i] += p; + } + else if (ud[i] >= p) + { + ud[i] -= p; + } + } + + /* Detailed debugging information */ + DBG3(DBG_LIB, " i u[i] ud[i] z2d[i]"); + for (i = 0; i < n; i++) + { + DBG3(DBG_LIB, "%3d %6d %4d %4d", i, u[i], ud[i], z2d[i]); + } + + if (!bliss_utils_generate_c(hasher, data_hash, ud, n, this->set->kappa, + indices)) + { + goto end; + } + + for (i = 0; i < this->set->kappa; i++) + { + if (indices[i] != c_indices[i]) + { + DBG1(DBG_LIB, "signature verification failed"); + goto end; + } + } + success = TRUE; + +end: + /* cleanup */ + hasher->destroy(hasher); + sig->destroy(sig); + fft->destroy(fft); + free(az); + free(u); + free(ud); + free(indices); + + return success; +} + +METHOD(public_key_t, verify, bool, + private_bliss_public_key_t *this, signature_scheme_t scheme, + chunk_t data, chunk_t signature) +{ + switch (scheme) + { + case SIGN_BLISS_WITH_SHA256: + return verify_bliss(this, HASH_SHA256, data, signature); + case SIGN_BLISS_WITH_SHA384: + return verify_bliss(this, HASH_SHA384, data, signature); + case SIGN_BLISS_WITH_SHA512: + return verify_bliss(this, HASH_SHA512, data, signature); + default: + DBG1(DBG_LIB, "signature scheme %N not supported by BLISS", + signature_scheme_names, scheme); + return FALSE; + } +} + +METHOD(public_key_t, encrypt_, bool, + private_bliss_public_key_t *this, encryption_scheme_t scheme, + chunk_t plain, chunk_t *crypto) +{ + DBG1(DBG_LIB, "encryption scheme %N not supported", + encryption_scheme_names, scheme); + return FALSE; +} + +METHOD(public_key_t, get_keysize, int, + private_bliss_public_key_t *this) +{ + return this->set->strength; +} + +METHOD(public_key_t, get_encoding, bool, + private_bliss_public_key_t *this, cred_encoding_type_t type, + chunk_t *encoding) +{ + bool success = TRUE; + + *encoding = bliss_public_key_info_encode(this->set->oid, this->A, this->set); + + if (type != PUBKEY_SPKI_ASN1_DER) + { + chunk_t asn1_encoding = *encoding; + + success = lib->encoding->encode(lib->encoding, type, + NULL, encoding, CRED_PART_BLISS_PUB_ASN1_DER, + asn1_encoding, CRED_PART_END); + chunk_clear(&asn1_encoding); + } + return success; +} + +METHOD(public_key_t, get_fingerprint, bool, + private_bliss_public_key_t *this, cred_encoding_type_t type, chunk_t *fp) +{ + bool success; + + if (lib->encoding->get_cache(lib->encoding, type, this, fp)) + { + return TRUE; + } + success = bliss_public_key_fingerprint(this->set->oid, this->A, + this->set, type, fp); + if (success) + { + lib->encoding->cache(lib->encoding, type, this, *fp); + } + return success; +} + +METHOD(public_key_t, get_ref, public_key_t*, + private_bliss_public_key_t *this) +{ + ref_get(&this->ref); + return &this->public.key; +} + +METHOD(public_key_t, destroy, void, + private_bliss_public_key_t *this) +{ + if (ref_put(&this->ref)) + { + lib->encoding->clear_cache(lib->encoding, this); + free(this->A); + free(this); + } +} + +/** + * ASN.1 definition of a BLISS public key + */ +static const asn1Object_t pubkeyObjects[] = { + { 0, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */ + { 1, "algorithm", ASN1_EOC, ASN1_RAW }, /* 1 */ + { 1, "subjectPublicKey", ASN1_BIT_STRING, ASN1_BODY }, /* 2 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } +}; +#define BLISS_SUBJECT_PUBLIC_KEY_ALGORITHM 1 +#define BLISS_SUBJECT_PUBLIC_KEY 2 + +/** + * See header. + */ +bliss_public_key_t *bliss_public_key_load(key_type_t type, va_list args) +{ + private_bliss_public_key_t *this; + chunk_t blob = chunk_empty, object, param; + asn1_parser_t *parser; + bool success = FALSE; + int objectID, oid; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_BLOB_ASN1_DER: + blob = va_arg(args, chunk_t); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + + if (blob.len == 0) + { + return NULL; + } + + INIT(this, + .public = { + .key = { + .get_type = _get_type, + .verify = _verify, + .encrypt = _encrypt_, + .equals = public_key_equals, + .get_keysize = _get_keysize, + .get_fingerprint = _get_fingerprint, + .has_fingerprint = public_key_has_fingerprint, + .get_encoding = _get_encoding, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .ref = 1, + ); + + parser = asn1_parser_create(pubkeyObjects, blob); + + while (parser->iterate(parser, &objectID, &object)) + { + switch (objectID) + { + case BLISS_SUBJECT_PUBLIC_KEY_ALGORITHM: + { + oid = asn1_parse_algorithmIdentifier(object, + parser->get_level(parser)+1, ¶m); + if (oid != OID_BLISS_PUBLICKEY) + { + goto end; + } + if (!asn1_parse_simple_object(¶m, ASN1_OID, + parser->get_level(parser)+3, "blissKeyType")) + { + goto end; + } + oid = asn1_known_oid(param); + if (oid == OID_UNKNOWN) + { + goto end; + } + this->set = bliss_param_set_get_by_oid(oid); + if (this->set == NULL) + { + goto end; + } + break; + } + case BLISS_SUBJECT_PUBLIC_KEY: + if (!bliss_public_key_from_asn1(object, this->set, &this->A)) + { + goto end; + } + break; + } + } + success = parser->success(parser); + +end: + parser->destroy(parser); + if (!success) + { + destroy(this); + return NULL; + } + + return &this->public; +} + +/** + * See header. + */ +bool bliss_public_key_from_asn1(chunk_t object, bliss_param_set_t *set, + uint32_t **pubkey) +{ + bliss_bitpacker_t *packer; + uint32_t coefficient; + uint16_t needed_bits; + int i; + + /* skip initial bit string octet defining unused bits */ + object = chunk_skip(object, 1); + + needed_bits = set->n * set->q_bits; + + if (8 * object.len < needed_bits) + { + return FALSE; + } + *pubkey = malloc(set->n * sizeof(uint32_t)); + + packer = bliss_bitpacker_create_from_data(object); + + for (i = 0; i < set->n; i++) + { + packer->read_bits(packer, &coefficient, set->q_bits); + if (coefficient >= set->q) + { + packer->destroy(packer); + return FALSE; + } + (*pubkey)[i] = coefficient; + } + packer->destroy(packer); + + return TRUE; +} + +/** + * See header. + */ +chunk_t bliss_public_key_encode(uint32_t *pubkey, bliss_param_set_t *set) +{ + bliss_bitpacker_t *packer; + chunk_t encoding; + int i; + + packer = bliss_bitpacker_create(set->n * set->q_bits); + + for (i = 0; i < set->n; i++) + { + packer->write_bits(packer, pubkey[i], set->q_bits); + } + encoding = packer->extract_buf(packer); + packer->destroy(packer); + + return encoding; +} + +/** + * See header. + */ +chunk_t bliss_public_key_info_encode(int oid, uint32_t *pubkey, + bliss_param_set_t *set) +{ + chunk_t encoding, pubkey_encoding; + + pubkey_encoding = bliss_public_key_encode(pubkey, set); + + encoding = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_BLISS_PUBLICKEY), + asn1_build_known_oid(oid)), + asn1_bitstring("m", pubkey_encoding)); + + return encoding; +} + +/** + * See header. + */ +bool bliss_public_key_fingerprint(int oid, uint32_t *pubkey, + bliss_param_set_t *set, + cred_encoding_type_t type, chunk_t *fp) +{ + hasher_t *hasher; + chunk_t key; + + switch (type) + { + case KEYID_PUBKEY_SHA1: + key = bliss_public_key_encode(pubkey, set); + break; + case KEYID_PUBKEY_INFO_SHA1: + key = bliss_public_key_info_encode(oid, pubkey, set); + break; + default: + return FALSE; + } + + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (!hasher || !hasher->allocate_hash(hasher, key, fp)) + { + DBG1(DBG_LIB, "SHA1 hash algorithm not supported, fingerprinting failed"); + DESTROY_IF(hasher); + free(key.ptr); + + return FALSE; + } + hasher->destroy(hasher); + free(key.ptr); + + return TRUE; +} + diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.h b/src/libstrongswan/plugins/bliss/bliss_public_key.h new file mode 100644 index 000000000..cd8f231b2 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_public_key.h @@ -0,0 +1,101 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup bliss_public_key bliss_public_key + * @{ @ingroup bliss_p + */ + +#ifndef BLISS_PUBLIC_KEY_H_ +#define BLISS_PUBLIC_KEY_H_ + +#include "bliss_param_set.h" + +#include +#include +#include + +typedef struct bliss_public_key_t bliss_public_key_t; + +/** + * public_key_t implementation of BLISS signature algorithm + */ +struct bliss_public_key_t { + + /** + * Implements the public_key_t interface + */ + public_key_t key; +}; + +/** + * Load a BLISS public key. + * + * Accepts BUILD_BLISS_* components. + * + * @param type type of the key, must be KEY_BLISS + * @param args builder_part_t argument list + * @return loaded key, NULL on failure + */ +bliss_public_key_t *bliss_public_key_load(key_type_t type, va_list args); + +/* The following functions are shared with the bliss_private_key class */ + +/** + * Parse an ASN.1 BIT STRING into an array of public key coefficients + * + * @param object packed subjectPublicKey + * @param set BLISS parameter set for public key vector + * @param pubkey coefficients of public key vector + * @return TRUE if parsing successful + */ +bool bliss_public_key_from_asn1(chunk_t object, bliss_param_set_t *set, + uint32_t **pubkey); + +/** + * Encode a raw BLISS subjectPublicKey in ASN.1 DER format + * + * @param pubkey coefficients of public key vector + * @param set BLISS parameter set for the public key vector + * @result ASN.1 encoded subjectPublicKey + */ +chunk_t bliss_public_key_encode(uint32_t *pubkey, bliss_param_set_t *set); + +/** + * Encode a BLISS subjectPublicKeyInfo record in ASN.1 DER format + * + * @param oid BLISS public key type OID + * @param pubkey coefficients of public key vector + * @param set BLISS parameter set for the public key vector + * @result ASN.1 encoded subjectPublicKeyInfo record + */ +chunk_t bliss_public_key_info_encode(int oid, uint32_t *pubkey, + bliss_param_set_t *set); + +/** + * Generate a BLISS public key fingerprint + * + * @param oid BLISS public key type OID + * @param pubkey coefficients of public key vector + * @param set BLISS parameter set for the public key vector + * @param type type of fingerprint to be generated + * @param fp generated fingerprint (must be freed by caller) + * @result TRUE if generation was successful + */ +bool bliss_public_key_fingerprint(int oid, uint32_t *pubkey, + bliss_param_set_t *set, + cred_encoding_type_t type, chunk_t *fp); + +#endif /** BLISS_PUBLIC_KEY_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/bliss_sampler.c b/src/libstrongswan/plugins/bliss/bliss_sampler.c new file mode 100644 index 000000000..fa45a2fac --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_sampler.c @@ -0,0 +1,250 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "bliss_sampler.h" + +typedef struct private_bliss_sampler_t private_bliss_sampler_t; + +#include + +/** + * Private data of a bliss_sampler_t object. + */ +struct private_bliss_sampler_t { + + /** + * Public interface. + */ + bliss_sampler_t public; + + /** + * BLISS parameter the rejection sampling is to be based on + */ + bliss_param_set_t *set; + + /** + * Bitspender used for random rejection sampling + */ + mgf1_bitspender_t *bitspender; + +}; + +METHOD(bliss_sampler_t, bernoulli_exp, bool, + private_bliss_sampler_t *this, uint32_t x, bool *accepted) +{ + uint32_t x_mask; + uint8_t *c, u; + int i; + + x_mask = 1 << (this->set->c_rows - 1); + c = this->set->c; + c += (this->set->c_rows - 1) * this->set->c_cols; + + while (x_mask > 0) + { + if (x & x_mask) + { + for (i = 0; i < this->set->c_cols; i++) + { + if (!this->bitspender->get_byte(this->bitspender, &u)) + { + return FALSE; + } + if (u < c[i]) + { + break; + } + else if (u > c[i]) + { + *accepted = FALSE; + return TRUE; + } + } + } + x_mask >>= 1; + c -= this->set->c_cols; + } + + *accepted = TRUE; + return TRUE; +} + +METHOD(bliss_sampler_t, bernoulli_cosh, bool, + private_bliss_sampler_t *this, int32_t x, bool *accepted) +{ + uint32_t u; + + x = 2 * (x < 0 ? -x : x); + + while (TRUE) + { + if (!bernoulli_exp(this, x, accepted)) + { + return FALSE; + } + if (*accepted) + { + return TRUE; + } + if (!this->bitspender->get_bits(this->bitspender, 1, &u)) + { + return FALSE; + } + if (u) + { + continue; + } + if (!bernoulli_exp(this, x, accepted)) + { + return FALSE; + } + if (!(*accepted)) + { + return TRUE; + } + } +} + +#define MAX_SAMPLE_INDEX 16 + +METHOD(bliss_sampler_t, pos_binary, bool, + private_bliss_sampler_t *this, uint32_t *x) +{ + uint32_t u, i; + + while (TRUE) + { + for (i = 0; i <= MAX_SAMPLE_INDEX; i++) + { + if (!this->bitspender->get_bits(this->bitspender, + i ? (2*i - 1) : 1, &u)) + { + return FALSE; + } + if (u == 0) + { + *x = i; + return TRUE; + } + if ((u >> 1) != 0) + { + break; + } + } + if (i > MAX_SAMPLE_INDEX) + { + return FALSE; + } + } +} + +METHOD(bliss_sampler_t, gaussian, bool, + private_bliss_sampler_t *this, int32_t *z) +{ + uint32_t u, x, y, z_pos; + bool accepted; + + while (TRUE) + { + if (!pos_binary(this, &x)) + { + return FALSE; + } + + do + { + if (!this->bitspender->get_bits(this->bitspender, + this->set->k_sigma_bits, &y)) + { + return FALSE; + } + } + while (y >= this->set->k_sigma); + + if (!bernoulli_exp(this, y * (y + 2*this->set->k_sigma * x), &accepted)) + { + return FALSE; + } + if (accepted) + { + if (!this->bitspender->get_bits(this->bitspender, 1, &u)) + { + return FALSE; + } + if (x || y || u) + { + break; + } + } + } + + z_pos = this->set->k_sigma * x + y; + *z = u ? z_pos : -z_pos; + + return TRUE; +} + +METHOD(bliss_sampler_t, sign, bool, + private_bliss_sampler_t *this, bool *positive) +{ + uint32_t u; + + if (!this->bitspender->get_bits(this->bitspender, 1, &u)) + { + return FALSE; + } + *positive = u; + + return TRUE; +} + +METHOD(bliss_sampler_t, destroy, void, + private_bliss_sampler_t *this) +{ + this->bitspender->destroy(this->bitspender); + free(this); +} + + +/** + * See header. + */ +bliss_sampler_t *bliss_sampler_create(hash_algorithm_t alg, chunk_t seed, + bliss_param_set_t *set) +{ + private_bliss_sampler_t *this; + mgf1_bitspender_t *bitspender; + + bitspender = mgf1_bitspender_create(alg, seed, FALSE); + if (!bitspender) + { + return NULL; + } + + INIT(this, + .public = { + .bernoulli_exp = _bernoulli_exp, + .bernoulli_cosh = _bernoulli_cosh, + .pos_binary = _pos_binary, + .gaussian = _gaussian, + .sign = _sign, + .destroy = _destroy, + }, + .set = set, + .bitspender = bitspender, + ); + + return &this->public; +} diff --git a/src/libstrongswan/plugins/bliss/bliss_sampler.h b/src/libstrongswan/plugins/bliss/bliss_sampler.h new file mode 100644 index 000000000..2c75d4480 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_sampler.h @@ -0,0 +1,94 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup bliss_sampler bliss_sampler + * @{ @ingroup bliss_p + */ + +#ifndef BLISS_SAMPLER_H_ +#define BLISS_SAMPLER_H_ + +typedef struct bliss_sampler_t bliss_sampler_t; + +#include "bliss_param_set.h" + +#include +#include + +/** + * Implementation various rejection sampling algorithms. + */ +struct bliss_sampler_t { + + /** + * Sample according to exp(-x/(2*sigma^2)) + * + * @param x Value to be sampled + * @param accepted TRUE if value is accepted, FALSE if rejected + * @result TRUE if sampling was successful + */ + bool (*bernoulli_exp)(bliss_sampler_t *this, uint32_t x, bool *accepted); + + /** + * Sample according to 1/cosh(x/sigma^2) + * + * @param x Value to be sampled + * @param accepted TRUE if value is accepted, FALSE if rejected + * @result TRUE if sampling was successful + */ + bool (*bernoulli_cosh)(bliss_sampler_t *this, int32_t x, bool *accepted); + + /** + * Sample according to 2^(-x^2) for positive x + * + * @param x Generated value + * @result TRUE if sampling was successful + */ + bool (*pos_binary)(bliss_sampler_t *this, uint32_t *x); + + /** + * Sample according to the Gaussian distribution exp(-x^2/(2*sigma^2)) + * + * @param z Generated value with Gaussian distribution + * @result TRUE if sampling was successful + */ + bool (*gaussian)(bliss_sampler_t *this, int32_t *z); + + /** + * Sample the sign according to the binary distribution + * + * @param positive TRUE if positive + * @result TRUE if sampling was successful + */ + bool (*sign)(bliss_sampler_t *this, bool *positive); + + /** + * Destroy bliss_sampler_t object + */ + void (*destroy)(bliss_sampler_t *this); +}; + +/** + * Create a bliss_sampler_t object. + * + * @param alg Hash algorithm to be used for the internal bitspender + * @param seed Seed used to initialize the internal bitspender + * @param set BLISS parameter set to be used + */ +bliss_sampler_t *bliss_sampler_create(hash_algorithm_t alg, chunk_t seed, + bliss_param_set_t *set); + +#endif /** BLISS_SAMPLER_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/bliss_signature.c b/src/libstrongswan/plugins/bliss/bliss_signature.c new file mode 100644 index 000000000..e603da399 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_signature.c @@ -0,0 +1,233 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "bliss_signature.h" +#include "bliss_bitpacker.h" +#include "bliss_huffman_coder.h" + + +typedef struct private_bliss_signature_t private_bliss_signature_t; + +/** + * Private data of a bliss_signature_t object. + */ +struct private_bliss_signature_t { + /** + * Public interface for this signer. + */ + bliss_signature_t public; + + /** + * BLISS signature parameter set + */ + bliss_param_set_t *set; + + /** + * BLISS signature vector z1 of size n + */ + int32_t *z1; + + /** + * BLISS signature vector z2d of size n + */ + int16_t *z2d; + + /** + * Indices of sparse BLISS challenge vector c of size kappa + */ + uint16_t *c_indices; + +}; + +METHOD(bliss_signature_t, get_encoding, chunk_t, + private_bliss_signature_t *this) +{ + bliss_bitpacker_t *packer; + bliss_huffman_coder_t *coder; + bliss_huffman_code_t *code; + int32_t z1; + uint32_t z1_sign; + uint16_t z2d_bits; + chunk_t encoding = chunk_empty; + int i; + + z2d_bits = this->set->z1_bits - this->set->d; + + /* Get Huffman code for this BLISS parameter set */ + code = bliss_huffman_code_get_by_id(this->set->id); + if (!code) + { + DBG1(DBG_LIB, "no Huffman code found for parameter set %N", + bliss_param_set_id_names, this->set->id); + return chunk_empty; + } + + packer = bliss_bitpacker_create(this->set->n * this->set->z1_bits + + this->set->n * z2d_bits + + this->set->kappa * this->set->n_bits); + coder = bliss_huffman_coder_create(code, packer); + + for (i = 0; i < this->set->n; i++) + { + /* determine and remove the sign of z1[i]*/ + z1_sign = this->z1[i] < 0; + z1 = z1_sign ? -this->z1[i] : this->z1[i]; + + if (!packer->write_bits(packer, z1_sign, 1) || + !packer->write_bits(packer, z1 & 0xff, 8) || + !coder->encode(coder, z1 >> 8, this->z2d[i])) + { + goto end; + } + } + for (i = 0; i < this->set->kappa; i++) + { + if (!packer->write_bits(packer, this->c_indices[i], this->set->n_bits)) + { + goto end; + } + } + encoding = packer->extract_buf(packer); + + DBG2(DBG_LIB, "efficiency of Huffman coder is %6.4f bits/tuple (%u bits)", + coder->get_bits(coder)/(double)(this->set->n), + coder->get_bits(coder)); + DBG2(DBG_LIB, "generated BLISS signature (%u bits encoded in %u bytes)", + packer->get_bits(packer), encoding.len); + + end: + coder->destroy(coder); + packer->destroy(packer); + return encoding; +} + +METHOD(bliss_signature_t, get_parameters, void, + private_bliss_signature_t *this, int32_t **z1, int16_t **z2d, + uint16_t **c_indices) +{ + *z1 = this->z1; + *z2d = this->z2d; + *c_indices = this->c_indices; +} + +METHOD(bliss_signature_t, destroy, void, + private_bliss_signature_t *this) +{ + free(this->z1); + free(this->z2d); + free(this->c_indices); + free(this); +} + +/** + * See header. + */ +bliss_signature_t *bliss_signature_create(bliss_param_set_t *set) +{ + private_bliss_signature_t *this; + + INIT(this, + .public = { + .get_encoding = _get_encoding, + .get_parameters = _get_parameters, + .destroy = _destroy, + }, + .set = set, + .z1 = malloc(set->n * sizeof(int32_t)), + .z2d = malloc(set->n * sizeof(int16_t)), + .c_indices = malloc(set->n * sizeof(uint16_t)), + ); + + return &this->public; +} + +/** + * See header. + */ +bliss_signature_t *bliss_signature_create_from_data(bliss_param_set_t *set, + chunk_t encoding) +{ + private_bliss_signature_t *this; + bliss_bitpacker_t *packer; + bliss_huffman_coder_t *coder; + bliss_huffman_code_t *code; + uint32_t z1_sign, z1_low, value; + int32_t z1; + int16_t z2; + int i; + + /* Get Huffman code for this BLISS parameter set */ + code = bliss_huffman_code_get_by_id(set->id); + if (!code) + { + DBG1(DBG_LIB, "no Huffman code found for parameter set %N", + bliss_param_set_id_names, set->id); + return NULL; + } + + if (encoding.len == 0) + { + DBG1(DBG_LIB, "zero length BLISS signature"); + return NULL; + } + + INIT(this, + .public = { + .get_encoding = _get_encoding, + .get_parameters = _get_parameters, + .destroy = _destroy, + }, + .set = set, + .z1 = malloc(set->n * sizeof(int32_t)), + .z2d = malloc(set->n * sizeof(int16_t)), + .c_indices = malloc(set->n * sizeof(uint16_t)), + ); + + packer = bliss_bitpacker_create_from_data(encoding); + coder = bliss_huffman_coder_create(code, packer); + + for (i = 0; i < set->n; i++) + { + if (!packer->read_bits(packer, &z1_sign, 1) || + !packer->read_bits(packer, &z1_low, 8) || + !coder->decode(coder, &z1, &z2)) + { + DBG1(DBG_LIB, "truncated BLISS signature encoding of z1/z2"); + coder->destroy(coder); + packer->destroy(packer); + destroy(this); + return NULL; + } + z1 = (z1 << 8) + z1_low; + this->z1[i] = z1_sign ? -z1 : z1; + this->z2d[i] = z2; + } + coder->destroy(coder); + + for (i = 0; i < set->kappa; i++) + { + if (!packer->read_bits(packer, &value, set->n_bits)) + { + DBG1(DBG_LIB, "truncated BLISS signature encoding of c_indices"); + packer->destroy(packer); + destroy(this); + return NULL; + } + this->c_indices[i] = value; + } + packer->destroy(packer); + + return &this->public; +} diff --git a/src/libstrongswan/plugins/bliss/bliss_signature.h b/src/libstrongswan/plugins/bliss/bliss_signature.h new file mode 100644 index 000000000..d37f5398b --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_signature.h @@ -0,0 +1,75 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup bliss_signature bliss_signature + * @{ @ingroup bliss_p + */ + +#ifndef BLISS_SIGNATURE_H_ +#define BLISS_SIGNATURE_H_ + +typedef struct bliss_signature_t bliss_signature_t; + +#include "bliss_param_set.h" + +#include + +/** + * Public interface of BLISS signature object + */ +struct bliss_signature_t { + + /** + * Get compressed binary encoding of BLISS signature + * + * @result binary encoding of BLISS signature + */ + chunk_t (*get_encoding)(bliss_signature_t *this); + + /** + * Get signature parameters extracted from compressd binary encoding + * + * @param z1 signature vector z1 of size n + * @param z2d signature vector z2d of size n + * @param c_indices indices of sparse binary challenge vector of size kappa + */ + void (*get_parameters)(bliss_signature_t *this, int32_t **z1, int16_t **z2d, + uint16_t **c_indices); + + /** + * Destroy bliss_signature_t object + */ + void (*destroy)(bliss_signature_t *this); + +}; + +/** + * Create a BLISS signature object. + * + * @param set BLISS parameter set + */ +bliss_signature_t *bliss_signature_create(bliss_param_set_t *set); + +/** + * Create a BLISS signature object from encoding. + * + * @param set BLISS parameter set + * @param encoding binary signature encoding + */ +bliss_signature_t *bliss_signature_create_from_data(bliss_param_set_t *set, + chunk_t encoding); + +#endif /** BLISS_SIGNATURE_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.c b/src/libstrongswan/plugins/bliss/bliss_utils.c new file mode 100644 index 000000000..5a069989c --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_utils.c @@ -0,0 +1,167 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "bliss_utils.h" + +#include +#include +#include + +/** + * See header. + */ +int32_t bliss_utils_scalar_product(int32_t *x, int32_t *y, int n) +{ + int32_t product = 0; + int i; + + for (i = 0; i < n; i++) + { + product += x[i] * y[i]; + } + + return product; +} + +/** + * See header. + */ +void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd) +{ + int32_t factor; + int i; + + factor = 1 << set->d; + + for (i = 0; i < set->n; i++) + { + xd[i] = ((x[i] + (factor >> 1)) / factor) % set->p; + } +} + +/** + * See header. + */ +bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud, + int n, uint16_t kappa, uint16_t *c_indices) +{ + int i, j; + uint64_t extra_bits; + uint16_t index, rounds = 0; + uint8_t hash[HASH_SIZE_SHA512], un16_buf[2]; + chunk_t un16 = { un16_buf, 2 }; + bool index_taken[n]; + + while (TRUE) + { + if (!hasher->get_hash(hasher, data_hash, NULL)) + { + return FALSE; + } + + for (i = 0; i < n; i++) + { + htoun16(un16_buf, ud[i]); + if (!hasher->get_hash(hasher, un16, NULL)) + { + return FALSE; + } + index_taken[i] = FALSE; + } + + htoun16(un16_buf, rounds++); + if (!hasher->get_hash(hasher, un16, hash)) + { + return FALSE; + } + + extra_bits = untoh64(hash + sizeof(hash) - sizeof(uint64_t)); + + for (i = 0, j = 0; j < sizeof(hash); j++) + { + index = 2 * (uint16_t)hash[i] + (extra_bits & 1); + if (!index_taken[index]) + { + c_indices[i++] = index; + index_taken[index] = TRUE; + } + if (i == kappa) + { + return TRUE; + } + } + } +} + +/** + * See header. + */ +bool bliss_utils_check_norms(bliss_param_set_t *set, int32_t *z1, int16_t *z2d) +{ + int32_t z2ds[set->n]; + int32_t z1_min, z1_max, norm; + int16_t z2d_min, z2d_max; + int i; + + /* some statistics on the values of z1 and z2d */ + z1_min = z1_max = z1[0]; + z2d_min = z2d_max = z2d[0]; + + for (i = 1; i < set->n; i++) + { + if (z1[i] < z1_min) + { + z1_min = z1[i]; + } + else if (z1[i] > z1_max) + { + z1_max = z1[i]; + } + if (z2d[i] < z2d_min) + { + z2d_min = z2d[i]; + } + else if (z2d[i] > z2d_max) + { + z2d_max = z2d[i]; + } + } + DBG2(DBG_LIB, "z1 = %d..%d, z2d = %d..%d", z1_min, z1_max, z2d_min, z2d_max); + + /* Restriction on infinite norm */ + for (i = 0; i < set->n; i++) + { + z2ds[i] = (1 << set->d) * z2d[i]; + + if (z1[i] >= set->B_inf || z2ds[i] >= set->B_inf || + z1[i] <= -set->B_inf || z2ds[i] <= -set->B_inf) + { + DBG2(DBG_LIB, "signature rejected due to excessive infinite norm"); + return FALSE; + } + } + + /* Restriction on l2-norm */ + norm = bliss_utils_scalar_product(z1, z1, set->n) + + bliss_utils_scalar_product(z2ds, z2ds, set->n); + + if (norm >= set->B_l2) + { + DBG2(DBG_LIB, "signature rejected due to excessive l2-norm"); + return FALSE; + } + + return TRUE; +} diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.h b/src/libstrongswan/plugins/bliss/bliss_utils.h new file mode 100644 index 000000000..063fd91c8 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/bliss_utils.h @@ -0,0 +1,70 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup bliss_utils bliss_utils + * @{ @ingroup bliss_p + */ + +#ifndef BLISS_UTILS_H_ +#define BLISS_UTILS_H_ + +#include "bliss_param_set.h" + +#include + +/** + * Compute the scalar product of two vectors of size n + * + * @param x input vector of size n + * @param y input vector of size n + * @param n size of input vectors x and y + * @result scalar product of x and y + */ +int32_t bliss_utils_scalar_product(int32_t *x, int32_t *y, int n); + +/** + * Drop d bits but round first + * + * @param set BLISS parameter set + * @param x input vector x of size n + * @param xd rounded vector x with d bits dropped + */ +void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd); + +/** + * Generate the binary challenge vector c as an array of kappa indices + * + * @param hasher hasher used as an oracle + * @param data_hash hash of the data to be signed + * @param ud input vector ud of size n + * @param n size of input vector ud + * @param kappa parameter kappa + * @param c_indices indexes of non-zero challenge coefficients + */ +bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud, + int n, uint16_t kappa, uint16_t *c_indices); + +/** + * Check the infinity and l2 norms of the vectors z1 and z2d << d + * + * @param set BLISS parameter set + * @param z1 input vector + * @param z2d input vector + * @result TRUE if infinite and l2 norms do not exceed boundaries + */ +bool bliss_utils_check_norms(bliss_param_set_t *set, int32_t *z1, int16_t *z2d); + +#endif /** BLISS_UTILS_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.am b/src/libstrongswan/plugins/bliss/tests/Makefile.am new file mode 100644 index 000000000..bd87753f5 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/tests/Makefile.am @@ -0,0 +1,27 @@ +TESTS = bliss_tests + +check_PROGRAMS = $(TESTS) + +bliss_tests_SOURCES = \ + suites/test_bliss_fft.c \ + suites/test_bliss_bitpacker.c \ + suites/test_bliss_huffman.c \ + suites/test_bliss_keys.c \ + suites/test_bliss_sampler.c \ + suites/test_bliss_signature.c \ + suites/test_bliss_sign.c \ + bliss_tests.h bliss_tests.c + +bliss_tests_CFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + -I$(top_srcdir)/src/libstrongswan/plugins/bliss \ + -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINS=\""${s_plugins}\"" \ + @COVERAGE_CFLAGS@ + +bliss_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +bliss_tests_LDADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la \ + ../libbliss.la diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.in b/src/libstrongswan/plugins/bliss/tests/Makefile.in new file mode 100644 index 000000000..5a1ce3d50 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/tests/Makefile.in @@ -0,0 +1,985 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +TESTS = bliss_tests$(EXEEXT) +check_PROGRAMS = $(am__EXEEXT_1) +subdir = src/libstrongswan/plugins/bliss/tests +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__EXEEXT_1 = bliss_tests$(EXEEXT) +am__dirstamp = $(am__leading_dot)dirstamp +am_bliss_tests_OBJECTS = suites/bliss_tests-test_bliss_fft.$(OBJEXT) \ + suites/bliss_tests-test_bliss_bitpacker.$(OBJEXT) \ + suites/bliss_tests-test_bliss_huffman.$(OBJEXT) \ + suites/bliss_tests-test_bliss_keys.$(OBJEXT) \ + suites/bliss_tests-test_bliss_sampler.$(OBJEXT) \ + suites/bliss_tests-test_bliss_signature.$(OBJEXT) \ + suites/bliss_tests-test_bliss_sign.$(OBJEXT) \ + bliss_tests-bliss_tests.$(OBJEXT) +bliss_tests_OBJECTS = $(am_bliss_tests_OBJECTS) +bliss_tests_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la \ + ../libbliss.la +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +bliss_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(bliss_tests_CFLAGS) \ + $(CFLAGS) $(bliss_tests_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(bliss_tests_SOURCES) +DIST_SOURCES = $(bliss_tests_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red=''; \ + grn=''; \ + lgn=''; \ + blu=''; \ + mgn=''; \ + brg=''; \ + std=''; \ + fi; \ +} +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +bliss_tests_SOURCES = \ + suites/test_bliss_fft.c \ + suites/test_bliss_bitpacker.c \ + suites/test_bliss_huffman.c \ + suites/test_bliss_keys.c \ + suites/test_bliss_sampler.c \ + suites/test_bliss_signature.c \ + suites/test_bliss_sign.c \ + bliss_tests.h bliss_tests.c + +bliss_tests_CFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + -I$(top_srcdir)/src/libstrongswan/plugins/bliss \ + -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINS=\""${s_plugins}\"" \ + @COVERAGE_CFLAGS@ + +bliss_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +bliss_tests_LDADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la \ + ../libbliss.la + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/bliss/tests/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/bliss/tests/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +suites/$(am__dirstamp): + @$(MKDIR_P) suites + @: > suites/$(am__dirstamp) +suites/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) suites/$(DEPDIR) + @: > suites/$(DEPDIR)/$(am__dirstamp) +suites/bliss_tests-test_bliss_fft.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) +suites/bliss_tests-test_bliss_bitpacker.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/bliss_tests-test_bliss_huffman.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/bliss_tests-test_bliss_keys.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) +suites/bliss_tests-test_bliss_sampler.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/bliss_tests-test_bliss_signature.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/bliss_tests-test_bliss_sign.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) + +bliss_tests$(EXEEXT): $(bliss_tests_OBJECTS) $(bliss_tests_DEPENDENCIES) $(EXTRA_bliss_tests_DEPENDENCIES) + @rm -f bliss_tests$(EXEEXT) + $(AM_V_CCLD)$(bliss_tests_LINK) $(bliss_tests_OBJECTS) $(bliss_tests_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + -rm -f suites/*.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_tests-bliss_tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +suites/bliss_tests-test_bliss_fft.o: suites/test_bliss_fft.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_fft.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo -c -o suites/bliss_tests-test_bliss_fft.o `test -f 'suites/test_bliss_fft.c' || echo '$(srcdir)/'`suites/test_bliss_fft.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_fft.c' object='suites/bliss_tests-test_bliss_fft.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_fft.o `test -f 'suites/test_bliss_fft.c' || echo '$(srcdir)/'`suites/test_bliss_fft.c + +suites/bliss_tests-test_bliss_fft.obj: suites/test_bliss_fft.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_fft.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo -c -o suites/bliss_tests-test_bliss_fft.obj `if test -f 'suites/test_bliss_fft.c'; then $(CYGPATH_W) 'suites/test_bliss_fft.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_fft.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_fft.c' object='suites/bliss_tests-test_bliss_fft.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_fft.obj `if test -f 'suites/test_bliss_fft.c'; then $(CYGPATH_W) 'suites/test_bliss_fft.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_fft.c'; fi` + +suites/bliss_tests-test_bliss_bitpacker.o: suites/test_bliss_bitpacker.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_bitpacker.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo -c -o suites/bliss_tests-test_bliss_bitpacker.o `test -f 'suites/test_bliss_bitpacker.c' || echo '$(srcdir)/'`suites/test_bliss_bitpacker.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_bitpacker.c' object='suites/bliss_tests-test_bliss_bitpacker.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_bitpacker.o `test -f 'suites/test_bliss_bitpacker.c' || echo '$(srcdir)/'`suites/test_bliss_bitpacker.c + +suites/bliss_tests-test_bliss_bitpacker.obj: suites/test_bliss_bitpacker.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_bitpacker.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo -c -o suites/bliss_tests-test_bliss_bitpacker.obj `if test -f 'suites/test_bliss_bitpacker.c'; then $(CYGPATH_W) 'suites/test_bliss_bitpacker.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_bitpacker.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_bitpacker.c' object='suites/bliss_tests-test_bliss_bitpacker.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_bitpacker.obj `if test -f 'suites/test_bliss_bitpacker.c'; then $(CYGPATH_W) 'suites/test_bliss_bitpacker.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_bitpacker.c'; fi` + +suites/bliss_tests-test_bliss_huffman.o: suites/test_bliss_huffman.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_huffman.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Tpo -c -o suites/bliss_tests-test_bliss_huffman.o `test -f 'suites/test_bliss_huffman.c' || echo '$(srcdir)/'`suites/test_bliss_huffman.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_huffman.c' object='suites/bliss_tests-test_bliss_huffman.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_huffman.o `test -f 'suites/test_bliss_huffman.c' || echo '$(srcdir)/'`suites/test_bliss_huffman.c + +suites/bliss_tests-test_bliss_huffman.obj: suites/test_bliss_huffman.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_huffman.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Tpo -c -o suites/bliss_tests-test_bliss_huffman.obj `if test -f 'suites/test_bliss_huffman.c'; then $(CYGPATH_W) 'suites/test_bliss_huffman.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_huffman.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_huffman.c' object='suites/bliss_tests-test_bliss_huffman.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_huffman.obj `if test -f 'suites/test_bliss_huffman.c'; then $(CYGPATH_W) 'suites/test_bliss_huffman.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_huffman.c'; fi` + +suites/bliss_tests-test_bliss_keys.o: suites/test_bliss_keys.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_keys.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Tpo -c -o suites/bliss_tests-test_bliss_keys.o `test -f 'suites/test_bliss_keys.c' || echo '$(srcdir)/'`suites/test_bliss_keys.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_keys.c' object='suites/bliss_tests-test_bliss_keys.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_keys.o `test -f 'suites/test_bliss_keys.c' || echo '$(srcdir)/'`suites/test_bliss_keys.c + +suites/bliss_tests-test_bliss_keys.obj: suites/test_bliss_keys.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_keys.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Tpo -c -o suites/bliss_tests-test_bliss_keys.obj `if test -f 'suites/test_bliss_keys.c'; then $(CYGPATH_W) 'suites/test_bliss_keys.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_keys.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_keys.c' object='suites/bliss_tests-test_bliss_keys.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_keys.obj `if test -f 'suites/test_bliss_keys.c'; then $(CYGPATH_W) 'suites/test_bliss_keys.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_keys.c'; fi` + +suites/bliss_tests-test_bliss_sampler.o: suites/test_bliss_sampler.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_sampler.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Tpo -c -o suites/bliss_tests-test_bliss_sampler.o `test -f 'suites/test_bliss_sampler.c' || echo '$(srcdir)/'`suites/test_bliss_sampler.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_sampler.c' object='suites/bliss_tests-test_bliss_sampler.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_sampler.o `test -f 'suites/test_bliss_sampler.c' || echo '$(srcdir)/'`suites/test_bliss_sampler.c + +suites/bliss_tests-test_bliss_sampler.obj: suites/test_bliss_sampler.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_sampler.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Tpo -c -o suites/bliss_tests-test_bliss_sampler.obj `if test -f 'suites/test_bliss_sampler.c'; then $(CYGPATH_W) 'suites/test_bliss_sampler.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_sampler.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_sampler.c' object='suites/bliss_tests-test_bliss_sampler.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_sampler.obj `if test -f 'suites/test_bliss_sampler.c'; then $(CYGPATH_W) 'suites/test_bliss_sampler.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_sampler.c'; fi` + +suites/bliss_tests-test_bliss_signature.o: suites/test_bliss_signature.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_signature.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Tpo -c -o suites/bliss_tests-test_bliss_signature.o `test -f 'suites/test_bliss_signature.c' || echo '$(srcdir)/'`suites/test_bliss_signature.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_signature.c' object='suites/bliss_tests-test_bliss_signature.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_signature.o `test -f 'suites/test_bliss_signature.c' || echo '$(srcdir)/'`suites/test_bliss_signature.c + +suites/bliss_tests-test_bliss_signature.obj: suites/test_bliss_signature.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_signature.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Tpo -c -o suites/bliss_tests-test_bliss_signature.obj `if test -f 'suites/test_bliss_signature.c'; then $(CYGPATH_W) 'suites/test_bliss_signature.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_signature.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_signature.c' object='suites/bliss_tests-test_bliss_signature.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_signature.obj `if test -f 'suites/test_bliss_signature.c'; then $(CYGPATH_W) 'suites/test_bliss_signature.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_signature.c'; fi` + +suites/bliss_tests-test_bliss_sign.o: suites/test_bliss_sign.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_sign.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Tpo -c -o suites/bliss_tests-test_bliss_sign.o `test -f 'suites/test_bliss_sign.c' || echo '$(srcdir)/'`suites/test_bliss_sign.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_sign.c' object='suites/bliss_tests-test_bliss_sign.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_sign.o `test -f 'suites/test_bliss_sign.c' || echo '$(srcdir)/'`suites/test_bliss_sign.c + +suites/bliss_tests-test_bliss_sign.obj: suites/test_bliss_sign.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_sign.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Tpo -c -o suites/bliss_tests-test_bliss_sign.obj `if test -f 'suites/test_bliss_sign.c'; then $(CYGPATH_W) 'suites/test_bliss_sign.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_sign.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_sign.c' object='suites/bliss_tests-test_bliss_sign.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_sign.obj `if test -f 'suites/test_bliss_sign.c'; then $(CYGPATH_W) 'suites/test_bliss_sign.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_sign.c'; fi` + +bliss_tests-bliss_tests.o: bliss_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT bliss_tests-bliss_tests.o -MD -MP -MF $(DEPDIR)/bliss_tests-bliss_tests.Tpo -c -o bliss_tests-bliss_tests.o `test -f 'bliss_tests.c' || echo '$(srcdir)/'`bliss_tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/bliss_tests-bliss_tests.Tpo $(DEPDIR)/bliss_tests-bliss_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='bliss_tests.c' object='bliss_tests-bliss_tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o bliss_tests-bliss_tests.o `test -f 'bliss_tests.c' || echo '$(srcdir)/'`bliss_tests.c + +bliss_tests-bliss_tests.obj: bliss_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT bliss_tests-bliss_tests.obj -MD -MP -MF $(DEPDIR)/bliss_tests-bliss_tests.Tpo -c -o bliss_tests-bliss_tests.obj `if test -f 'bliss_tests.c'; then $(CYGPATH_W) 'bliss_tests.c'; else $(CYGPATH_W) '$(srcdir)/bliss_tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/bliss_tests-bliss_tests.Tpo $(DEPDIR)/bliss_tests-bliss_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='bliss_tests.c' object='bliss_tests-bliss_tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o bliss_tests-bliss_tests.obj `if test -f 'bliss_tests.c'; then $(CYGPATH_W) 'bliss_tests.c'; else $(CYGPATH_W) '$(srcdir)/bliss_tests.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + $(am__tty_colors); \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + col=$$red; res=XPASS; \ + ;; \ + *) \ + col=$$grn; res=PASS; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xfail=`expr $$xfail + 1`; \ + col=$$lgn; res=XFAIL; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + col=$$red; res=FAIL; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + col=$$blu; res=SKIP; \ + fi; \ + echo "$${col}$$res$${std}: $$tst"; \ + done; \ + if test "$$all" -eq 1; then \ + tests="test"; \ + All=""; \ + else \ + tests="tests"; \ + All="All "; \ + fi; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="$$All$$all $$tests passed"; \ + else \ + if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ + banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all $$tests failed"; \ + else \ + if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ + banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + if test "$$skip" -eq 1; then \ + skipped="($$skip test was not run)"; \ + else \ + skipped="($$skip tests were not run)"; \ + fi; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + if test "$$failed" -eq 0; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + fi; \ + echo "$${col}$$dashes$${std}"; \ + echo "$${col}$$banner$${std}"; \ + test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \ + test -z "$$report" || echo "$${col}$$report$${std}"; \ + echo "$${col}$$dashes$${std}"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + -rm -f suites/$(DEPDIR)/$(am__dirstamp) + -rm -f suites/$(am__dirstamp) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) suites/$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) suites/$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: check-am install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ + clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/bliss/tests/bliss_tests.c b/src/libstrongswan/plugins/bliss/tests/bliss_tests.c new file mode 100644 index 000000000..de21e77b7 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/tests/bliss_tests.c @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include + +/* declare test suite constructors */ +#define TEST_SUITE(x) test_suite_t* x(); +#include "bliss_tests.h" +#undef TEST_SUITE + +static test_configuration_t tests[] = { +#define TEST_SUITE(x) \ + { .suite = x, }, +#include "bliss_tests.h" + { .suite = NULL, } +}; + +static bool test_runner_init(bool init) +{ + if (init) + { + char *plugins, *plugindir; + + plugins = lib->settings->get_str(lib->settings, + "tests.load", PLUGINS); + plugindir = lib->settings->get_str(lib->settings, + "tests.plugindir", PLUGINDIR); + plugin_loader_add_plugindirs(plugindir, plugins); + if (!lib->plugins->load(lib->plugins, plugins)) + { + return FALSE; + } + } + else + { + lib->processor->set_threads(lib->processor, 0); + lib->processor->cancel(lib->processor); + lib->plugins->unload(lib->plugins); + } + return TRUE; +} + +int main(int argc, char *argv[]) +{ + return test_runner_run("bliss", tests, test_runner_init); +} diff --git a/src/libstrongswan/plugins/bliss/tests/bliss_tests.h b/src/libstrongswan/plugins/bliss/tests/bliss_tests.h new file mode 100644 index 000000000..f0959cc08 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/tests/bliss_tests.h @@ -0,0 +1,23 @@ +/* + * Copyright (C) 2014-2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +TEST_SUITE(bliss_fft_suite_create) +TEST_SUITE(bliss_bitpacker_suite_create) +TEST_SUITE(bliss_huffman_suite_create) +TEST_SUITE(bliss_keys_suite_create) +TEST_SUITE(bliss_sampler_suite_create) +TEST_SUITE(bliss_signature_suite_create) +TEST_SUITE(bliss_sign_suite_create) + diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_bitpacker.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_bitpacker.c new file mode 100644 index 000000000..6a728e280 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_bitpacker.c @@ -0,0 +1,112 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include + +static uint32_t bits[] = { 0, 1, 2, 3, 4, 7, 1, 14, 2, 29, 3, 28, 67, 0x2fe3a9c1}; + +static chunk_t packed_bits = chunk_from_chars(0x6e, 0x71, 0xe1, 0x74, + 0x37, 0x21, 0x97, 0xf1, + 0xd4, 0xe0, 0x80); + +START_TEST(test_bliss_sign_bitpacker_write) +{ + chunk_t buf; + bliss_bitpacker_t *packer; + int i; + + packer = bliss_bitpacker_create(81); + + for (i = 0; i < 13; i++) + { + ck_assert(packer->write_bits(packer, bits[i], 1 + i/2)); + } + ck_assert(packer->write_bits(packer, bits[13], 32)); + + buf = packer->extract_buf(packer); + ck_assert_int_eq(packer->get_bits(packer), 81); + ck_assert_chunk_eq(buf, packed_bits); + + packer->destroy(packer); + free(buf.ptr); +} +END_TEST + +START_TEST(test_bliss_sign_bitpacker_read) +{ + uint32_t value; + bliss_bitpacker_t *packer; + int i; + + packer = bliss_bitpacker_create_from_data(packed_bits); + + ck_assert(!packer->read_bits(packer, &value, 33)); + + for (i = 0; i < 13; i++) + { + ck_assert(packer->read_bits(packer, &value, 1 + i/2)); + ck_assert_int_eq(value, bits[i]); + } + ck_assert(packer->read_bits(packer, &value, 32)); + ck_assert_int_eq(value, bits[13]); + + packer->destroy(packer); +} +END_TEST + +START_TEST(test_bliss_sign_bitpacker_fail) +{ + bliss_bitpacker_t *packer; + uint32_t value; + + packer = bliss_bitpacker_create(32); + ck_assert( packer->write_bits(packer, 0xff, 0)); + ck_assert(!packer->write_bits(packer, 0, 33)); + ck_assert( packer->write_bits(packer, 0x7f2a3b01, 31)); + ck_assert(!packer->write_bits(packer, 3, 2)); + packer->destroy(packer); + + packer = bliss_bitpacker_create_from_data( + chunk_from_chars(0x7f, 0x2a, 0x3b, 0x01)); + ck_assert(!packer->read_bits(packer, &value, 33)); + ck_assert( packer->read_bits(packer, &value, 31)); + ck_assert(!packer->read_bits(packer, &value, 2)); + packer->destroy(packer); +} +END_TEST + +Suite *bliss_bitpacker_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("bliss_bitpacker"); + + tc = tcase_create("bitpacker_write"); + tcase_add_test(tc, test_bliss_sign_bitpacker_write); + suite_add_tcase(s, tc); + + tc = tcase_create("bitpacker_read"); + tcase_add_test(tc, test_bliss_sign_bitpacker_read); + suite_add_tcase(s, tc); + + tc = tcase_create("bitpacker_fail"); + tcase_add_test(tc, test_bliss_sign_bitpacker_fail); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c new file mode 100644 index 000000000..009aaf802 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c @@ -0,0 +1,110 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include + +static bliss_fft_params_t *fft_params[] = { + &bliss_fft_17_8, + &bliss_fft_12289_512 +}; + +START_TEST(test_bliss_fft_impulse) +{ + bliss_fft_t *fft; + uint16_t n = fft_params[_i]->n; + uint32_t x[n], X[n]; + int i; + + for (i = 0; i < n; i++) + { + x[i] = 0; + } + x[0] = 1; + + fft = bliss_fft_create(fft_params[_i]); + fft->transform(fft, x, X, FALSE); + + for (i = 0; i < n; i++) + { + ck_assert(X[i] == 1); + } + fft->transform(fft, X, x, TRUE); + + for (i = 0; i < n; i++) + { + ck_assert(x[i] == (i == 0)); + } + fft->destroy(fft); +} +END_TEST + +START_TEST(test_bliss_fft_wrap) +{ + bliss_fft_t *fft; + uint16_t n = fft_params[_i]->n; + uint16_t q = fft_params[_i]->q; + uint32_t x[n],y[n], X[n], Y[n]; + int i, j; + + for (i = 0; i < n; i++) + { + x[i] = i; + y[i] = 0; + } + fft = bliss_fft_create(fft_params[_i]); + ck_assert(fft->get_size(fft) == n); + ck_assert(fft->get_modulus(fft) == q); + fft->transform(fft, x, X, FALSE); + + for (j = 0; j < n; j++) + { + y[j] = 1; + fft->transform(fft, y, Y, FALSE); + + for (i = 0; i < n; i++) + { + Y[i] = (X[i] * Y[i]) % q; + } + fft->transform(fft, Y, Y, TRUE); + + for (i = 0; i < n; i++) + { + ck_assert(Y[i] == ( i < j ? q - n - i + j : i - j)); + } + y[j] = 0; + } + fft->destroy(fft); +} +END_TEST + +Suite *bliss_fft_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("bliss_fft"); + + tc = tcase_create("impulse"); + tcase_add_loop_test(tc, test_bliss_fft_impulse, 0, countof(fft_params)); + suite_add_tcase(s, tc); + + tc = tcase_create("negative_wrap"); + tcase_add_loop_test(tc, test_bliss_fft_wrap, 0, countof(fft_params)); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_huffman.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_huffman.c new file mode 100644 index 000000000..5447d0741 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_huffman.c @@ -0,0 +1,122 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include + +static chunk_t data = chunk_from_chars(0x5f, 0x71, 0x9e, 0x4c); + +START_TEST(test_bliss_huffman_encode) +{ + bliss_bitpacker_t *packer; + bliss_huffman_code_t *code; + bliss_huffman_coder_t *coder; + chunk_t encoding; + + packer = bliss_bitpacker_create(32); + ck_assert(packer); + + code = bliss_huffman_code_get_by_id(BLISS_B_I); + ck_assert(code); + + coder = bliss_huffman_coder_create(code, packer); + ck_assert(coder); + + ck_assert( coder->encode(coder, 0, 0)); /* 0 */ + ck_assert( coder->encode(coder, 1, 0)); /* 10 */ + ck_assert( coder->encode(coder, 2, 0)); /* 111 */ + ck_assert( coder->encode(coder, 0, 1)); /* 1101 */ + ck_assert( coder->encode(coder, 0, -1)); /* 11000 */ + ck_assert( coder->encode(coder, 1, 1)); /* 110011 */ + ck_assert( coder->encode(coder, 1, -1)); /* 1100100 */ + ck_assert(!coder->encode(coder, 3, 0)); /* 11001010 */ + ck_assert(!coder->encode(coder, 8, 0)); /* - */ + + encoding = packer->extract_buf(packer); + ck_assert(chunk_equals(encoding, data)); + + chunk_free(&encoding); + coder->destroy(coder); + packer->destroy(packer); +} +END_TEST + +START_TEST(test_bliss_huffman_decode) +{ + bliss_bitpacker_t *packer; + bliss_huffman_code_t *code; + bliss_huffman_coder_t *coder; + int32_t z1; + int16_t z2; + + packer = bliss_bitpacker_create_from_data(data); + ck_assert(packer); + + code = bliss_huffman_code_get_by_id(BLISS_II); + ck_assert(!code); + code = bliss_huffman_code_get_by_id(BLISS_B_II); + ck_assert(!code); + code = bliss_huffman_code_get_by_id(BLISS_B_I); + ck_assert(code); + + coder = bliss_huffman_coder_create(code, packer); + ck_assert(coder); + + ck_assert(coder->decode(coder, &z1, &z2)); /* 0 */ + ck_assert(z1 == 0 && z2 == 0); + + ck_assert(coder->decode(coder, &z1, &z2)); /* 10 */ + ck_assert(z1 == 1 && z2 == 0); + + ck_assert(coder->decode(coder, &z1, &z2)); /* 111 */ + ck_assert(z1 == 2 && z2 == 0); + + ck_assert(coder->decode(coder, &z1, &z2)); /* 1101 */ + ck_assert(z1 == 0 && z2 == 1); + + ck_assert(coder->decode(coder, &z1, &z2)); /* 11000 */ + ck_assert(z1 == 0 && z2 == -1); + + ck_assert(coder->decode(coder, &z1, &z2)); /* 110011 */ + ck_assert(z1 == 1 && z2 == 1); + + ck_assert(coder->decode(coder, &z1, &z2)); /* 1100100 */ + ck_assert(z1 == 1 && z2 == -1); + + ck_assert(!coder->decode(coder, &z1, &z2)); /* 11001010 */ + + coder->destroy(coder); + packer->destroy(packer); +} +END_TEST + +Suite *bliss_huffman_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("bliss_huffman"); + + tc = tcase_create("huffman_encode"); + tcase_add_test(tc, test_bliss_huffman_encode); + suite_add_tcase(s, tc); + + tc = tcase_create("huffman_decode"); + tcase_add_test(tc, test_bliss_huffman_decode); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_keys.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_keys.c new file mode 100644 index 000000000..f48bc1d79 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_keys.c @@ -0,0 +1,249 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include +#include + +static chunk_t privkey_chunk[] = { + {NULL, 0}, + chunk_from_chars(0x30, 0x00), + chunk_from_chars(0x30, 0x01), + chunk_from_chars(0x30, 0x03, 0x06, 0x01, 0x01), + chunk_from_chars(0x30, 0x0d, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, + 0xa0, 0x2a, 0x05, 0x02, 0x06), + chunk_from_chars(0x30, 0x0f, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, + 0xa0, 0x2a, 0x05, 0x02, 0x05, 0x03, 0x00), + chunk_from_chars(0x30, 0x82, 0x04, 0x9a, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, + 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x02, 0x05, 0x03, 0x82, 0x03, + 0x81, 0x00, 0x81, 0xe5, 0xd2, 0x71, 0xeb, 0x98, 0xe5, 0x24, + 0x34, 0xe4, 0x8a, 0x27, 0x23, 0x7d, 0x7d, 0x2c, 0xa3, 0xa7, + 0x3f, 0x87, 0xad, 0xae, 0xfa, 0xe4, 0x66, 0x1c, 0xef, 0x69, + 0x63, 0x5e, 0x91, 0xda, 0x41, 0x45, 0xd5, 0x8a, 0xb5, 0x26, + 0x33, 0x32, 0xe0, 0xa2, 0x9b, 0x52, 0x5e, 0x49, 0x5d, 0x0d, + 0x62, 0x72, 0x68, 0xa5, 0x94, 0x24, 0x03, 0x98, 0x48, 0x60, + 0x4a, 0x98, 0x97, 0x0d, 0x60, 0x7d, 0x00, 0x4f, 0xb9, 0xaf, + 0xcb, 0x6b, 0x41, 0x3d, 0x5b, 0xe4, 0x3e, 0x9a, 0xee, 0x06, + /* 100 */ 0xa1, 0xd0, 0x93, 0x53, 0x88, 0x58, 0x83, 0xb2, 0x44, 0xa1, + 0x16, 0x58, 0x3d, 0x32, 0xa1, 0x29, 0x85, 0x1a, 0x24, 0xc8, + 0xb8, 0x8c, 0x1f, 0x43, 0xbb, 0x4b, 0xdd, 0x8e, 0x72, 0xd3, + 0xf4, 0xfc, 0x02, 0x69, 0x47, 0xa5, 0x9d, 0xd0, 0xfc, 0xa6, + 0x94, 0x2e, 0x02, 0x6d, 0x85, 0x2c, 0x6d, 0xe3, 0x91, 0xd5, + 0xf1, 0x54, 0xbd, 0x1e, 0x63, 0x6b, 0xee, 0x28, 0xf9, 0xc6, + 0xec, 0x05, 0x99, 0xd5, 0xdd, 0xe5, 0x72, 0x9b, 0xbc, 0xa7, + 0x5a, 0x4a, 0x46, 0x3e, 0xec, 0xd7, 0x0b, 0xc5, 0x23, 0x00, + 0xdc, 0x08, 0x09, 0x57, 0x44, 0x2e, 0x43, 0x0f, 0xea, 0xca, + 0x2a, 0x31, 0xbe, 0xf3, 0x04, 0x8f, 0x8b, 0xa6, 0x3c, 0x35, + /* 200 */ 0x80, 0x2b, 0xe2, 0x18, 0x22, 0xfd, 0xe9, 0x39, 0x57, 0xed, + 0x77, 0x1d, 0x32, 0x02, 0x48, 0x2c, 0x85, 0x53, 0x9f, 0x4a, + 0xd8, 0x86, 0x4d, 0xd2, 0x26, 0x19, 0x12, 0x19, 0xa2, 0xb5, + 0xdf, 0x02, 0x50, 0xe4, 0x32, 0x9a, 0x27, 0xd0, 0x9e, 0x49, + 0x4a, 0x13, 0x9a, 0xfc, 0x07, 0x98, 0x60, 0x65, 0xf4, 0xc1, + 0x6c, 0x9a, 0x15, 0x28, 0x74, 0x5c, 0xd0, 0xa8, 0xe6, 0x2e, + 0x1f, 0xe9, 0xe6, 0x2b, 0xc8, 0x46, 0xe9, 0x26, 0xb0, 0xf0, + 0x8a, 0xe6, 0x8c, 0x9b, 0xbf, 0x64, 0xa0, 0x59, 0x33, 0x4f, + 0xc0, 0x0c, 0x16, 0x72, 0x89, 0x79, 0x2a, 0x3a, 0x5e, 0x3d, + 0x40, 0xbb, 0x73, 0xa9, 0xc0, 0x52, 0x70, 0x57, 0x06, 0xc1, + /* 300 */ 0xe7, 0x70, 0xb8, 0x6d, 0x1b, 0x50, 0x61, 0x85, 0xee, 0x3e, + 0xe5, 0x5a, 0x8a, 0x75, 0x9f, 0x1e, 0xb7, 0xea, 0x54, 0x5a, + 0x8f, 0x52, 0xc2, 0xae, 0x2c, 0x7a, 0x58, 0xe6, 0xcb, 0xa6, + 0x9b, 0x68, 0x84, 0x79, 0xf2, 0x82, 0x05, 0x57, 0xaa, 0xd5, + 0x51, 0x82, 0xec, 0x84, 0x63, 0xce, 0xf4, 0xa7, 0xdf, 0x4e, + 0xac, 0x7d, 0xdd, 0xc3, 0x02, 0x68, 0xe0, 0x35, 0xa1, 0x92, + 0x29, 0x02, 0x2c, 0xa0, 0xe4, 0x29, 0x66, 0xd3, 0xe8, 0xd9, + 0x52, 0x0f, 0x3b, 0xec, 0x53, 0x63, 0x57, 0xc3, 0xd2, 0x59, + 0x38, 0xe7, 0x74, 0xf4, 0x1d, 0x03, 0x88, 0x3c, 0xe9, 0x97, + 0x37, 0xd7, 0x12, 0x66, 0x2a, 0xb5, 0xf8, 0xcd, 0x10, 0x87, + /* 400 */ 0x5d, 0x6a, 0x69, 0xbb, 0x9b, 0xc5, 0x55, 0x3c, 0x09, 0x46, + 0x04, 0x57, 0xc0, 0x2f, 0x77, 0x89, 0xe2, 0x88, 0x15, 0x6b, + 0x71, 0x56, 0xe1, 0xa2, 0x30, 0x71, 0x5f, 0x1d, 0x27, 0x12, + 0xbf, 0xc3, 0x55, 0xde, 0xe5, 0x9c, 0x4e, 0xb8, 0xc6, 0xec, + 0x96, 0x3a, 0x5d, 0x6d, 0xe9, 0xd3, 0xf8, 0x28, 0xda, 0x3f, + 0x75, 0x24, 0xd0, 0x34, 0x50, 0xa6, 0x28, 0x65, 0x6a, 0xe9, + 0xa6, 0x89, 0xe5, 0x5d, 0x45, 0xaf, 0x63, 0x34, 0xaf, 0x31, + 0x29, 0x82, 0xe6, 0x03, 0x80, 0x5c, 0x34, 0x28, 0xd1, 0x9f, + 0xca, 0xd3, 0x96, 0xcb, 0x31, 0xde, 0xdb, 0xf0, 0x07, 0x2b, + 0xc5, 0xbc, 0x29, 0xd1, 0x11, 0xf4, 0x23, 0x3b, 0x14, 0xb5, + /* 500 */ 0xa6, 0xf1, 0x02, 0x9e, 0x66, 0xbe, 0xdc, 0xc4, 0xca, 0xf7, + 0xc0, 0x81, 0x92, 0x7c, 0xea, 0xe3, 0x42, 0x54, 0x8a, 0x6f, + 0x0a, 0x2a, 0xa7, 0x2a, 0x92, 0xab, 0x09, 0xb1, 0x61, 0x91, + 0xaa, 0x90, 0x54, 0xa3, 0x76, 0x64, 0xe2, 0xfd, 0x81, 0x9a, + 0x4c, 0x35, 0x11, 0x28, 0xf3, 0x14, 0x97, 0x1b, 0x61, 0xa4, + 0x67, 0x43, 0xae, 0x90, 0x6b, 0xe4, 0x29, 0x34, 0xec, 0x08, + 0xbc, 0x6a, 0x82, 0x45, 0xc7, 0x7d, 0xdc, 0xd0, 0x03, 0x98, + 0x29, 0x63, 0x05, 0x94, 0xb2, 0xb9, 0x04, 0xce, 0x34, 0x9a, + 0x64, 0xae, 0x9a, 0xa9, 0x11, 0xa5, 0x13, 0x07, 0xcc, 0x92, + 0xe9, 0xe5, 0x98, 0x13, 0x13, 0x8f, 0x8b, 0xb2, 0x77, 0x75, + /* 600 */ 0x2a, 0x6f, 0xb1, 0xa6, 0x98, 0xbf, 0x50, 0xaf, 0xa7, 0x15, + 0x2a, 0xe6, 0xdf, 0x41, 0xb6, 0x5e, 0x72, 0xb2, 0x74, 0xf2, + 0x38, 0x88, 0x41, 0x56, 0x53, 0xea, 0x83, 0x23, 0x8a, 0x6d, + 0x6c, 0x64, 0x6c, 0xa6, 0x04, 0x79, 0x51, 0x92, 0x89, 0xbe, + 0x2a, 0x54, 0xd8, 0x5a, 0x8d, 0x5b, 0x9c, 0xfc, 0x62, 0x05, + 0x0f, 0xbd, 0x85, 0x12, 0x57, 0x45, 0x96, 0x2e, 0x8f, 0x76, + 0xd4, 0x33, 0xfb, 0x4a, 0xc2, 0x9f, 0x57, 0x96, 0xb3, 0xa2, + 0xc6, 0xa6, 0x95, 0x3c, 0x9e, 0x7e, 0x15, 0x12, 0xd7, 0xe4, + 0x65, 0x05, 0x5d, 0x72, 0xc2, 0x28, 0x10, 0xa9, 0x68, 0xa9, + 0x01, 0xfe, 0x9e, 0x36, 0x07, 0x80, 0x41, 0xc8, 0xa3, 0x5f, + /* 700 */ 0x18, 0x3b, 0x38, 0x09, 0x95, 0xe2, 0x87, 0xad, 0x03, 0xfd, + 0xdd, 0xa6, 0xe9, 0x8e, 0xa8, 0x3a, 0xc9, 0x45, 0x7b, 0xdc, + 0xc2, 0x6a, 0x30, 0x78, 0xaa, 0xba, 0x32, 0xe9, 0x8a, 0x65, + 0x48, 0x13, 0x5b, 0x29, 0x18, 0x2e, 0x5c, 0x68, 0x8d, 0x71, + 0x01, 0x09, 0xab, 0x7d, 0x1a, 0xe9, 0x09, 0x74, 0x1b, 0xe1, + 0x90, 0x00, 0xb9, 0xda, 0xa3, 0x03, 0xb7, 0x6c, 0xdd, 0x40, + 0xb6, 0xe3, 0xde, 0xa6, 0x7b, 0xe9, 0x3d, 0x41, 0x4d, 0xc7, + 0xad, 0xa5, 0xf9, 0x8b, 0x88, 0xd4, 0x1a, 0x75, 0xb5, 0xb6, + 0x9f, 0x51, 0x9b, 0x8b, 0xd7, 0xa4, 0x02, 0xb0, 0x62, 0x45, + 0xdd, 0x6c, 0x11, 0x35, 0x03, 0x77, 0x1c, 0xdb, 0xc5, 0xac, + /* 800 */ 0x60, 0x37, 0x20, 0x15, 0xaf, 0xbd, 0xae, 0x76, 0x51, 0xd2, + 0xfb, 0x63, 0x23, 0x19, 0x81, 0xa6, 0x59, 0x7b, 0x68, 0x00, + 0x3d, 0x68, 0x89, 0x6b, 0x5a, 0x29, 0xbd, 0x4f, 0xc1, 0x50, + 0xe4, 0x98, 0x85, 0xe6, 0x1a, 0xdd, 0xc8, 0xe4, 0xa1, 0x2b, + 0x99, 0x42, 0x81, 0x4d, 0x07, 0xf4, 0x24, 0x93, 0x88, 0xfe, + 0x40, 0x90, 0x5a, 0x56, 0x0b, 0x7f, 0x8d, 0x14, 0x82, 0x6d, + 0xaf, 0xf6, 0x0a, 0x3d, 0xe6, 0x64, 0xb5, 0x48, 0x01, 0x37, + 0xfe, 0xf3, 0xba, 0x67, 0xcc, 0xd2, 0xba, 0x32, 0x76, 0xe8, + 0xa7, 0x41, 0x1f, 0x2a, 0xfc, 0xa9, 0x72, 0x66, 0xc7, 0xd5, + 0x76, 0x02, 0x6b, 0x77, 0xba, 0x6c, 0xd4, 0x84, 0x68, 0x0e, + /* 900 */ 0x62, 0xc8, 0x43, 0xb0, 0x81, 0xd5, 0x8f, 0xdb, 0x42, 0xc9, + 0xf4, 0xaf, 0x71, 0xbd, 0xb9, 0x6c, 0xd6, 0xdc, 0x03, 0x81, + 0x81, 0x00, 0xc5, 0x10, 0x40, 0x33, 0x0f, 0xc0, 0x14, 0x01, + 0x00, 0x03, 0x0c, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x0f, 0x10, + 0x03, 0x10, 0x00, 0x00, 0x01, 0xc0, 0x43, 0x40, 0x03, 0x5c, + 0x00, 0x07, 0xc0, 0x51, 0x34, 0x01, 0x30, 0x0c, 0x00, 0x00, + 0x04, 0xc0, 0x3d, 0x40, 0x03, 0x07, 0x40, 0xd3, 0x50, 0x0c, + 0x04, 0x03, 0x00, 0x11, 0x41, 0x30, 0x00, 0xc1, 0xc0, 0xc3, + 0x03, 0x5f, 0x04, 0x30, 0x01, 0x40, 0x40, 0x00, 0x40, 0x40, + 0x10, 0x40, 0x05, 0x05, 0x00, 0x53, 0x00, 0x04, 0x50, 0x00, + /* 1000 */ 0x00, 0x00, 0x0c, 0x00, 0x51, 0x00, 0x00, 0x00, 0x04, 0xc7, + 0x01, 0x50, 0xc0, 0x11, 0x00, 0x04, 0x03, 0xc0, 0x04, 0x00, + 0x70, 0x4c, 0x31, 0x03, 0xc0, 0x40, 0xc4, 0x40, 0x40, 0xc0, + 0x0c, 0x0c, 0xf1, 0x40, 0xc1, 0x31, 0x70, 0x17, 0xc0, 0x30, + 0xc1, 0x04, 0x0c, 0x04, 0x00, 0xc4, 0x01, 0x00, 0x34, 0x00, + 0x03, 0x81, 0x81, 0x00, 0xcc, 0x00, 0x50, 0x30, 0xc4, 0x13, + 0x0f, 0xf0, 0x43, 0x01, 0x33, 0x40, 0x30, 0x01, 0x40, 0x10, + 0x57, 0x04, 0x03, 0x04, 0x10, 0x00, 0xf0, 0x03, 0x04, 0x01, + 0x00, 0x10, 0x34, 0x03, 0xf0, 0x1c, 0x01, 0x40, 0x30, 0xf4, + 0x00, 0x40, 0x34, 0xc3, 0x00, 0x00, 0x01, 0x00, 0x01, 0x10, + /* 1100 */ 0x3f, 0x03, 0x40, 0x00, 0x10, 0x10, 0x00, 0x40, 0x03, 0x00, + 0x03, 0x04, 0x40, 0x03, 0x00, 0x13, 0x03, 0x00, 0xc0, 0x01, + 0x34, 0x01, 0x00, 0x00, 0x10, 0xf4, 0x00, 0xf0, 0x30, 0x00, + 0x00, 0xc3, 0x1c, 0x41, 0x00, 0x40, 0x30, 0x04, 0x10, 0xc4, + 0x11, 0x03, 0x00, 0x10, 0x04, 0x4f, 0x17, 0xc0, 0x00, 0x30, + 0xcd, 0x3c, 0x40, 0xc4, 0x00, 0xf0, 0x00, 0x00, 0x04, 0x30, + 0x0f, 0x31, 0x34, 0xf0, 0x00, 0x07, 0x0c, 0x34, 0x00, 0x50, + 0x05, 0x03, 0x10, 0x70, 0x00, 0x33, 0x0c, 0x00, 0xc4, 0x54, + 0x07, 0x00) +}; + +START_TEST(test_bliss_keys_priv) +{ + private_key_t *privkey; + + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS, + BUILD_BLOB, privkey_chunk[_i], BUILD_END); + if (_i == countof(privkey_chunk) - 1) + { + ck_assert(privkey); + privkey->destroy(privkey); + } + else + { + ck_assert(!privkey); + } +} +END_TEST + +typedef struct privkey_mod_t privkey_mod_t; + +struct privkey_mod_t { + int offset; + char byte; +}; + +static privkey_mod_t privkey_mod[] = { + { 20, 0x80 }, + { 22, 0xc1 }, + { 920, 0x80 }, + { 922, 0x85 }, + { 1052, 0x80 }, + { 1054, 0x8c } +}; + +START_TEST(test_bliss_keys_priv_mod) +{ + private_key_t *privkey; + chunk_t data; + + data = chunk_clone(privkey_chunk[countof(privkey_chunk) - 1]); + data.ptr[privkey_mod[_i].offset] = privkey_mod[_i].byte; + + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS, + BUILD_BLOB, data, BUILD_END); + ck_assert(!privkey); + chunk_free(&data); +} +END_TEST + +static chunk_t pubkey_chunk[] = { + {NULL, 0}, + chunk_from_chars(0x30, 0x00), + chunk_from_chars(0x30, 0x01), + chunk_from_chars(0x30, 0x02, 0x30, 0x00), + chunk_from_chars(0x30, 0x05, 0x30, 0x03, 0x06, 0x01, 0x01), + chunk_from_chars(0x30, 0x11, 0x30, 0x0F, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, + 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x01, 0x01, 0x04, 0x00), + chunk_from_chars(0x30, 0x12, 0x30, 0x10, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, + 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x01, 0x01, 0x06, 0x01, 0x01), + chunk_from_chars(0x30, 0x1c, 0x30, 0x1a, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, + 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x01, 0x01, 0x06, 0x0b, 0x2b, + 0x06, 0x01, 0x04, 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x02, 0x06), + chunk_from_chars(0x30, 0x1e, 0x30, 0x1a, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, + 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x01, 0x01, 0x06, 0x0b, 0x2b, + 0x06, 0x01, 0x04, 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x02, 0x05, + 0x03, 0x00) +}; + +START_TEST(test_bliss_keys_pub) +{ + public_key_t *pubkey; + + pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, + BUILD_BLOB, pubkey_chunk[_i], BUILD_END); + ck_assert(!pubkey); +} +END_TEST + +Suite *bliss_keys_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("bliss_keys"); + + tc = tcase_create("keys_priv"); + tcase_add_loop_test(tc, test_bliss_keys_priv, 0, countof(privkey_chunk)); + suite_add_tcase(s, tc); + + tc = tcase_create("keys_priv_mod"); + tcase_add_loop_test(tc, test_bliss_keys_priv_mod, 0, countof(privkey_mod)); + suite_add_tcase(s, tc); + + tc = tcase_create("keys_pub"); + tcase_add_loop_test(tc, test_bliss_keys_pub, 0, countof(pubkey_chunk)); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c new file mode 100644 index 000000000..1bd1266ad --- /dev/null +++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c @@ -0,0 +1,97 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include + +static u_int key_size[] = { 1, 3, 4}; + +START_TEST(test_bliss_sampler_gaussian) +{ + bliss_sampler_t *sampler; + bliss_param_set_t *set; + int i, k, count; + uint32_t hist[8], sign[3]; + int32_t z; + hash_algorithm_t alg; + size_t seed_len; + chunk_t seed; + + set = bliss_param_set_get_by_id(key_size[_i]); + alg = HASH_SHA256; + seed_len = 32; + count = 10000000; + + seed = chunk_alloc(seed_len); + memset(seed.ptr, 0xcc, seed_len); + + for (k = 0; k < 3; k++) + { + sign[k] = 0; + } + for (k = 0; k < 8; k++) + { + hist[k] = 0; + } + + sampler = bliss_sampler_create(alg, seed, set); + for (i = 0; i < count; i++) + { + ck_assert(sampler->gaussian(sampler, &z)); + if (z == 0) + { + sign[1]++; + hist[0]++; + } + else if (z > 0) + { + sign[2]++; + hist[z/256]++; + } + else + { + sign[0]++; + hist[(-z)/256]++; + } + } + sampler->destroy(sampler); + free(seed.ptr); + + DBG1(DBG_LIB, "histogram"); + for (k = 0; k < 8; k++) + { + DBG1(DBG_LIB, "%d %7d", k, hist[k]); + } + DBG1(DBG_LIB, "- %7d", sign[0]); + DBG1(DBG_LIB, "0 %7d", sign[1]); + DBG1(DBG_LIB, "+ %7d", sign[2]); +} +END_TEST + +Suite *bliss_sampler_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("bliss_sampler"); + + tc = tcase_create("sampler_gaussian"); + tcase_set_timeout(tc, 10); + tcase_add_loop_test(tc, test_bliss_sampler_gaussian, 0, countof(key_size)); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c new file mode 100644 index 000000000..8b4e9cbf0 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c @@ -0,0 +1,211 @@ +/* + * Copyright (C) 2014-2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include +#include + +static u_int key_type[] = { 1, 3, 4 }; +static u_int key_strength[] = { 128, 160, 192 }; + +START_TEST(test_bliss_sign_all) +{ + signature_scheme_t signature_scheme; + private_key_t *privkey, *privkey1; + public_key_t *pubkey, *pubkey1; + chunk_t msg, signature, privkey_blob, pubkey_blob, pubkey_fp, privkey_fp; + int k; + + for (k = 0; k < 4; k++) + { + int verify_count = 1000; + + switch (k) + { + case 1: + signature_scheme = SIGN_BLISS_WITH_SHA256; + break; + case 2: + signature_scheme = SIGN_BLISS_WITH_SHA384; + break; + default: + signature_scheme = SIGN_BLISS_WITH_SHA512; + } + + /* enforce BLISS-B key for k = 2, 3 */ + lib->settings->set_bool(lib->settings, + "%s.plugins.bliss.use_bliss_b", k >= 2, lib->ns); + + msg = chunk_from_str("Hello Dolly!"); + + /* generate private key */ + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS, + BUILD_KEY_SIZE, key_type[_i], BUILD_END); + ck_assert(privkey); + + /* generate ASN.1 DER and PEM encoding of private key */ + ck_assert(privkey->get_encoding(privkey, (k % 2) ? + PRIVKEY_ASN1_DER : PRIVKEY_PEM, &privkey_blob)); + + /* extract public key from private key */ + pubkey = privkey->get_public_key(privkey); + ck_assert(pubkey); + + /* generate ASN.1 DER and PEM encodings of public key */ + ck_assert(pubkey->get_encoding(pubkey, (k % 2) ? + PUBKEY_SPKI_ASN1_DER : PUBKEY_PEM, &pubkey_blob)); + + /* compare fingerprints of public and private key */ + ck_assert(pubkey->get_fingerprint(pubkey, (k % 2) ? + KEYID_PUBKEY_INFO_SHA1 : KEYID_PUBKEY_SHA1, &pubkey_fp)); + ck_assert(privkey->get_fingerprint(privkey, (k % 2) ? + KEYID_PUBKEY_INFO_SHA1 : KEYID_PUBKEY_SHA1, &privkey_fp)); + ck_assert(chunk_equals(pubkey_fp, privkey_fp)); + + /* retrieve fingerprints of public and private key from cache */ + ck_assert(pubkey->get_fingerprint(pubkey, (k % 2) ? + KEYID_PUBKEY_INFO_SHA1 : KEYID_PUBKEY_SHA1, &pubkey_fp)); + ck_assert(privkey->get_fingerprint(privkey, (k % 2) ? + KEYID_PUBKEY_INFO_SHA1 : KEYID_PUBKEY_SHA1, &privkey_fp)); + + /* get a reference of the private key and destroy both instances */ + privkey1 = privkey->get_ref(privkey); + ck_assert(privkey1); + ck_assert(privkey1 == privkey); + privkey->destroy(privkey); + privkey1->destroy(privkey1); + + /* get a reference of the public key and destroy both instances */ + pubkey1 = pubkey->get_ref(pubkey); + ck_assert(pubkey1); + ck_assert(pubkey1 == pubkey); + pubkey->destroy(pubkey); + pubkey1->destroy(pubkey1); + + /* enforce BLISS-B key for k = 1, 3 */ + lib->settings->set_bool(lib->settings, + "%s.plugins.bliss.use_bliss_b", k % 2, lib->ns); + + /* load private key from ASN.1 blob */ + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS, + BUILD_BLOB, privkey_blob, BUILD_END); + ck_assert(privkey); + ck_assert(privkey->get_type(privkey) == KEY_BLISS); + ck_assert(privkey->get_keysize(privkey) == key_strength[_i]); + chunk_free(&privkey_blob); + + /* load public key from ASN.1 blob */ + pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, + BUILD_BLOB, pubkey_blob, BUILD_END); + ck_assert(pubkey); + ck_assert(pubkey->get_type(pubkey) == KEY_BLISS); + ck_assert(pubkey->get_keysize(pubkey) == key_strength[_i]); + chunk_free(&pubkey_blob); + + /* generate and verify 1000 BLISS signatures */ + while (verify_count--) + { + ck_assert(privkey->sign(privkey, signature_scheme, msg, + &signature)); + ck_assert(pubkey->verify(pubkey, signature_scheme, msg, + signature)); + free(signature.ptr); + } + privkey->destroy(privkey); + pubkey->destroy(pubkey); + } +} +END_TEST + +START_TEST(test_bliss_sign_fail) +{ + private_key_t *privkey; + public_key_t *pubkey; + chunk_t msg, signature, encoding, fp; + + /* generate non-supported BLISS-II private key */ + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS, + BUILD_KEY_SIZE, BLISS_II, BUILD_END); + ck_assert(!privkey); + + /* generate non-supported BLISS-B-II private key */ + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS, + BUILD_KEY_SIZE, BLISS_B_II, BUILD_END); + ck_assert(!privkey); + + /* generate supported BLISS-B-I private key */ + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS, + BUILD_KEY_SIZE, BLISS_B_I, BUILD_END); + ck_assert(privkey); + + /* wrong private key encoding format */ + ck_assert(!privkey->get_encoding(privkey, PUBKEY_PEM, &encoding)); + + /* wrong fingerprint encoding format */ + ck_assert(!privkey->get_fingerprint(privkey, KEYID_PGPV4, &fp)); + + /* extract public key */ + pubkey = privkey->get_public_key(privkey); + ck_assert(pubkey); + + /* wrong private key encoding format */ + ck_assert(!pubkey->get_encoding(pubkey, PRIVKEY_PEM, &encoding)); + + /* wrong fingerprint encoding format */ + ck_assert(!pubkey->get_fingerprint(pubkey, KEYID_PGPV4, &fp)); + + /* encryption / decryption operation is not defined for BLISS */ + ck_assert(!pubkey->encrypt(pubkey, ENCRYPT_UNKNOWN, chunk_empty, NULL)); + ck_assert(!privkey->decrypt(privkey, ENCRYPT_UNKNOWN, chunk_empty, NULL)); + + /* sign with invalid signature scheme */ + ck_assert(!privkey->sign(privkey, SIGN_UNKNOWN, msg, &signature)); + + /* generate valid signature */ + msg = chunk_from_str("Hello Dolly!"); + ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA512, msg, &signature)); + + /* verify with invalid signature scheme */ + ck_assert(!pubkey->verify(pubkey, SIGN_UNKNOWN, msg, signature)); + + /* corrupt signature */ + signature.ptr[signature.len - 1] ^= 0x80; + ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA512, msg, signature)); + + free(signature.ptr); + privkey->destroy(privkey); + pubkey->destroy(pubkey); +} +END_TEST + +Suite *bliss_sign_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("bliss_sign"); + + tc = tcase_create("sign_all"); + test_case_set_timeout(tc, 30); + tcase_add_loop_test(tc, test_bliss_sign_all, 0, countof(key_type)); + suite_add_tcase(s, tc); + + tc = tcase_create("sign_fail"); + tcase_add_test(tc, test_bliss_sign_fail); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c new file mode 100644 index 000000000..2a2f48c53 --- /dev/null +++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c @@ -0,0 +1,141 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include + +static chunk_t data = chunk_from_chars( + 0xC1, 0xA1, 0x96, 0x98, 0x4F, 0x60, 0xF5, 0xCA, 0x89, 0x9E, + 0x78, 0xAF, 0x64, 0xDD, 0x01, 0x76, 0x04, 0x29, 0x11, 0xD0, + 0x21, 0x9E, 0xE4, 0x2D, 0xC5, 0x82, 0x69, 0x19, 0x82, 0x75, + 0x30, 0xAC, 0xB0, 0x64, 0xCB, 0x65, 0x19, 0x22, 0x4A, 0x03, + 0x03, 0x61, 0x4A, 0x37, 0x8E, 0xA3, 0xB6, 0xB3, 0x58, 0x44, + 0xFD, 0x68, 0x38, 0xF1, 0x4B, 0xCF, 0xE8, 0xA2, 0x05, 0x39, + 0x87, 0xE0, 0x5E, 0x7C, 0x45, 0x33, 0x4A, 0xEB, 0x2E, 0xCF, + 0x98, 0x01, 0x3D, 0x28, 0x60, 0xCE, 0x90, 0x45, 0xF0, 0x8E, + 0x36, 0x25, 0x50, 0x8B, 0xA2, 0xC0, 0x6E, 0xDF, 0xC2, 0xA1, + 0x35, 0xC1, 0x16, 0x14, 0xE8, 0x6A, 0xE3, 0x9C, 0x0B, 0x32, + 0x53, 0x55, 0x60, 0x52, 0x43, 0x93, 0xBB, 0x9F, 0x1D, 0x17, + 0xDC, 0x6E, 0x26, 0x99, 0x60, 0x83, 0x12, 0x53, 0xB0, 0x2B, + 0x36, 0xE2, 0x95, 0xA7, 0xBF, 0x9B, 0xC0, 0x0A, 0x63, 0xD6, + 0x32, 0xA9, 0xE2, 0xAD, 0x02, 0x53, 0x10, 0x81, 0x00, 0xD4, + 0x9A, 0xC2, 0x04, 0x1B, 0x48, 0x53, 0x37, 0xF0, 0x95, 0x39, + 0x4B, 0x2E, 0x37, 0x28, 0xE2, 0x70, 0xAD, 0xB5, 0xF1, 0x63, + 0x48, 0x17, 0xEF, 0x45, 0xC0, 0x30, 0xA6, 0xAA, 0x37, 0x9A, + 0x00, 0x8F, 0x8D, 0xAC, 0x66, 0x2C, 0x96, 0x8C, 0xC2, 0x74, + 0x9D, 0x66, 0x16, 0x5D, 0x70, 0x70, 0x1D, 0x2F, 0x11, 0xBD, + 0x11, 0x62, 0x58, 0xC6, 0xB2, 0xA6, 0xFA, 0xB7, 0x8C, 0x10, + 0x6A, 0x13, 0x34, 0x25, 0xB8, 0xF2, 0x46, 0xE3, 0x08, 0xAD, + 0x8D, 0x49, 0x33, 0x24, 0x37, 0xA5, 0x0A, 0xF9, 0x5E, 0x95, + 0xF9, 0x50, 0xDA, 0x2B, 0x80, 0x4F, 0x10, 0x4F, 0xAB, 0xE4, + 0x96, 0xB1, 0xA1, 0x28, 0xCE, 0x6D, 0xB6, 0x17, 0x33, 0x2A, + 0xE0, 0xC3, 0x80, 0xAA, 0x3D, 0x1A, 0x5C, 0x48, 0xA0, 0x48, + 0x60, 0xCC, 0xC7, 0x29, 0x4F, 0xB8, 0x96, 0xDF, 0xC6, 0x6A, + 0xC2, 0x83, 0x5E, 0xFC, 0xD7, 0x4E, 0xCA, 0x14, 0xB4, 0xC6, + 0x30, 0x29, 0xC7, 0xCE, 0x79, 0x42, 0x2D, 0x22, 0x28, 0x99, + 0x59, 0x14, 0xFB, 0x04, 0xAD, 0x79, 0x3C, 0x74, 0x34, 0xC6, + 0x7A, 0x1C, 0x13, 0x07, 0x17, 0xB1, 0x8A, 0x02, 0xA7, 0x70, + 0x3C, 0x5B, 0xBA, 0x88, 0xA2, 0xE6, 0x4B, 0x2A, 0xC1, 0x1E, + 0x42, 0xDD, 0x83, 0x2B, 0x00, 0xCC, 0xF8, 0x80, 0x03, 0x7E, + 0x97, 0xA4, 0x04, 0xE1, 0xB2, 0x0B, 0xE2, 0xF3, 0x91, 0x91, + 0x80, 0xA0, 0xC5, 0x44, 0x67, 0xB1, 0x56, 0xD0, 0x13, 0x58, + 0x7B, 0x6E, 0x12, 0xE7, 0x3A, 0x90, 0xE4, 0x2C, 0x44, 0x17, + 0xA3, 0xBD, 0x21, 0x68, 0x45, 0x61, 0x20, 0x57, 0x8D, 0x4A, + 0xF1, 0xE6, 0xD3, 0x17, 0xC9, 0xB0, 0xF8, 0x3A, 0x87, 0x6A, + 0x7E, 0x25, 0x45, 0xDC, 0x9A, 0x1D, 0xAC, 0x10, 0xB6, 0xF6, + 0x07, 0x4C, 0x50, 0x92, 0xF9, 0xE1, 0x3E, 0xAD, 0x3B, 0x80, + 0x20, 0xA8, 0x34, 0x04, 0xD6, 0x0D, 0x2D, 0x46, 0x69, 0x5E, + 0x8C, 0x4B, 0xB0, 0x1C, 0x37, 0xD8, 0x0D, 0x72, 0x7B, 0xE6, + 0xEE, 0x04, 0x81, 0x98, 0x78, 0x69, 0x88, 0xD8, 0xDF, 0x04, + 0xF0, 0x80, 0xE2, 0x0A, 0xD3, 0x60, 0x94, 0xDF, 0x49, 0xF7, + 0x52, 0x95, 0xA6, 0xAF, 0x8C, 0x13, 0x10, 0x09, 0xAA, 0x03, + 0xAC, 0x2C, 0x89, 0x2D, 0x2C, 0x61, 0x0F, 0xBE, 0x5C, 0x29, + 0x01, 0x7C, 0x9E, 0xD2, 0xFF, 0x34, 0xA1, 0x9E, 0xEE, 0xBF, + 0x28, 0x18, 0x3A, 0x17, 0xA6, 0x40, 0x94, 0xD5, 0xC4, 0xEC, + 0x27, 0x0A, 0x40, 0x1C, 0xC4, 0x16, 0x80, 0x4E, 0x6F, 0xDD, + 0xA5, 0x6A, 0x03, 0xE8, 0xBA, 0xB2, 0xAA, 0x7A, 0x7F, 0x4B, + 0x30, 0x11, 0x11, 0x12, 0x4A, 0xFE, 0xB2, 0x99, 0xC6, 0x12, + 0x1A, 0x98, 0xC0, 0x15, 0x41, 0xE1, 0x55, 0x35, 0x54, 0xF2, + 0x1C, 0xE2, 0x78, 0x85, 0x66, 0xD3, 0x9C, 0x8A, 0x88, 0x7C, + 0x86, 0x7F, 0x48, 0xBE, 0xB7, 0x1C, 0xE4, 0xCF, 0x35, 0xEE, + 0x24, 0xA6, 0x62, 0xD6, 0x36, 0x1F, 0x66, 0x10, 0x5D, 0xEF, + 0x07, 0x64, 0xA8, 0xD0, 0xAD, 0x2F, 0x47, 0x02, 0xA2, 0x0F, + 0x73, 0x96, 0x2A, 0x21, 0x20, 0x36, 0x01, 0xA3, 0x2F, 0x5E, + 0xC8, 0x80, 0x3A, 0x54, 0xA6, 0xB5, 0xD0, 0x19, 0xBF, 0xC4, + 0x35, 0x01, 0x0B, 0x2A, 0x8E, 0x61, 0x4A, 0xDD, 0xB2, 0x4A, + 0xE1, 0x0C, 0x15, 0x94, 0x9C, 0xD2, 0x54, 0x93, 0x85, 0x16, + 0x49, 0x69, 0xA0, 0x41, 0x34, 0x16, 0x69, 0x28, 0x74, 0x11, + 0x88, 0x44, 0xC8, 0x46, 0x5E, 0x62, 0xFF, 0x6E, 0xC5, 0xA8, + 0xE8, 0x8A, 0x8A, 0xFA, 0x2D, 0x94, 0x14, 0xD4, 0x51, 0x16, + 0xB0, 0x40, 0xDC, 0xF3, 0xAA, 0x97, 0x39, 0x1A, 0xDA, 0x7F, + 0x41, 0x61, 0x25, 0x1E, 0xDF, 0x46, 0x29, 0x44, 0x80, 0xEA, + 0x10, 0xE4, 0x0F, 0x94, 0xA6, 0x52, 0x20, 0x06, 0x9C, 0x69, + 0x48, 0x1F, 0x45, 0x30, 0x4B, 0x21, 0x02, 0xE6, 0xF3, 0x44, + 0x35, 0xC1, 0xC8, 0xC9, 0x68, 0x6C, 0x43, 0xA4, 0x56, 0x07, + 0x36, 0x11, 0xFB, 0x6D, 0x8E, 0xF0, 0x62, 0x5A, 0x3C, 0x8B, + 0x23, 0xF1, 0x46, 0xE2, 0x76, 0x2A, 0x6F, 0xBB, 0x09, 0x24, + 0x18, 0x64, 0xE6, 0x5C, 0xD0, 0x85, 0x69, 0xF0, 0x4F, 0x66, + 0x97, 0x40, 0x01, 0x27, 0xD1, 0x41, 0xCC, 0xEB, 0x4D, 0xB7, + 0x04, 0xC4, 0x91, 0xE0, 0x95, 0x8A, 0x43, 0x26, 0x2D, 0x1F, + 0x88, 0xA0, 0xD8 +); + +START_TEST(test_bliss_signature_fail) +{ + bliss_param_set_t set2 = { .id = BLISS_B_II }; + bliss_param_set_t *set; + bliss_signature_t *signature; + chunk_t encoding; + int k; + + signature = bliss_signature_create(&set2); + ck_assert(signature); + encoding = signature->get_encoding(signature); + ck_assert(encoding.len == 0); + signature->destroy(signature); + + signature = bliss_signature_create_from_data(&set2, data); + ck_assert(!signature); + + set = bliss_param_set_get_by_id(BLISS_B_I); + ck_assert(set); + + for (k = 0; k < data.len - 2; k++) + { + chunk_t fragment = { data.ptr, k }; + + signature = bliss_signature_create_from_data(set, fragment); + ck_assert(!signature); + } + signature = bliss_signature_create_from_data(set, data); + ck_assert(signature); + signature->destroy(signature); +} +END_TEST + +Suite *bliss_signature_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("bliss_signature"); + + tc = tcase_create("signature_fail"); + tcase_add_test(tc, test_bliss_signature_fail); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index 33e5958ed..f19616552 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in index 43bdf1fc5..ca7cadbe4 100644 --- a/src/libstrongswan/plugins/ccm/Makefile.in +++ b/src/libstrongswan/plugins/ccm/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in index 7c5674045..9e249399b 100644 --- a/src/libstrongswan/plugins/cmac/Makefile.in +++ b/src/libstrongswan/plugins/cmac/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/cmac/cmac.c b/src/libstrongswan/plugins/cmac/cmac.c index c8cb7fbf2..4f222ff4e 100644 --- a/src/libstrongswan/plugins/cmac/cmac.c +++ b/src/libstrongswan/plugins/cmac/cmac.c @@ -247,6 +247,9 @@ METHOD(mac_t, set_key, bool, { chunk_t resized, iv, l; + memset(this->t, 0, this->b); + this->remaining_bytes = 0; + /* we support variable keys as defined in RFC 4615 */ if (key.len == this->b) { diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in index 39469368c..2e623ad3b 100644 --- a/src/libstrongswan/plugins/constraints/Makefile.in +++ b/src/libstrongswan/plugins/constraints/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c index 62ccc7108..a0f4a7465 100644 --- a/src/libstrongswan/plugins/constraints/constraints_validator.c +++ b/src/libstrongswan/plugins/constraints/constraints_validator.c @@ -52,16 +52,67 @@ static bool check_pathlen(x509_t *issuer, int pathlen) } /** - * Check if a FQDN/RFC822 constraint matches (suffix match) + * Check if a FQDN constraint matches */ -static bool suffix_matches(identification_t *constraint, identification_t *id) +static bool fqdn_matches(identification_t *constraint, identification_t *id) { - chunk_t c, i; + chunk_t c, i, diff; c = constraint->get_encoding(constraint); i = id->get_encoding(id); - return i.len >= c.len && chunk_equals(c, chunk_skip(i, i.len - c.len)); + if (!c.len || i.len < c.len) + { + return FALSE; + } + diff = chunk_create(i.ptr, i.len - c.len); + if (!chunk_equals(c, chunk_skip(i, diff.len))) + { + return FALSE; + } + if (!diff.len) + { + return TRUE; + } + if (c.ptr[0] == '.' || diff.ptr[diff.len - 1] == '.') + { + return TRUE; + } + return FALSE; +} + +/** + * Check if a RFC822 constraint matches + */ +static bool email_matches(identification_t *constraint, identification_t *id) +{ + chunk_t c, i, diff; + + c = constraint->get_encoding(constraint); + i = id->get_encoding(id); + + if (!c.len || i.len < c.len) + { + return FALSE; + } + if (memchr(c.ptr, '@', c.len)) + { /* constraint is a full email address */ + return chunk_equals(c, i); + } + diff = chunk_create(i.ptr, i.len - c.len); + if (!diff.len || !chunk_equals(c, chunk_skip(i, diff.len))) + { + return FALSE; + } + if (c.ptr[0] == '.') + { /* constraint is domain, suffix match */ + return TRUE; + } + if (diff.ptr[diff.len - 1] == '@') + { /* constraint is host specific, only username can be appended */ + return TRUE; + } + return FALSE; } /** @@ -121,8 +172,10 @@ static bool name_constraint_matches(identification_t *constraint, switch (type) { case ID_FQDN: + matches = fqdn_matches(constraint, id); + break; case ID_RFC822_ADDR: - matches = suffix_matches(constraint, id); + matches = email_matches(constraint, id); break; case ID_DER_ASN1_DN: matches = dn_matches(constraint, id); @@ -151,7 +204,7 @@ static bool name_constraint_inherited(identification_t *constraint, x509_t *x509, bool permitted) { enumerator_t *enumerator; - identification_t *id; + identification_t *id, *a, *b; bool inherited = FALSE; id_type_t type; @@ -166,28 +219,26 @@ static bool name_constraint_inherited(identification_t *constraint, { if (id->get_type(id) == type) { + if (permitted) + { /* permitted constraint can be narrowed */ + a = constraint; + b = id; + } + else + { /* excluded constraint can be widened */ + a = id; + b = constraint; + } switch (type) { case ID_FQDN: + inherited = fqdn_matches(a, b); + break; case ID_RFC822_ADDR: - if (permitted) - { /* permitted constraint can be narrowed */ - inherited = suffix_matches(constraint, id); - } - else - { /* excluded constraint can be widened */ - inherited = suffix_matches(id, constraint); - } + inherited = email_matches(a, b); break; case ID_DER_ASN1_DN: - if (permitted) - { - inherited = dn_matches(constraint, id); - } - else - { - inherited = dn_matches(id, constraint); - } + inherited = dn_matches(a, b); break; default: DBG1(DBG_CFG, "%N NameConstraint matching not implemented", @@ -298,8 +349,7 @@ static bool has_policy(x509_t *issuer, chunk_t oid) /** * Check certificatePolicies. */ -static bool check_policy(x509_t *subject, x509_t *issuer, bool check, - auth_cfg_t *auth) +static bool check_policy(x509_t *subject, x509_t *issuer) { certificate_t *cert = (certificate_t*)subject; x509_policy_mapping_t *mapping; @@ -323,33 +373,85 @@ static bool check_policy(x509_t *subject, x509_t *issuer, bool check, } enumerator->destroy(enumerator); - if (check) + enumerator = subject->create_cert_policy_enumerator(subject); + while (enumerator->enumerate(enumerator, &policy)) + { + if (!has_policy(issuer, policy->oid)) + { + oid = asn1_oid_to_string(policy->oid); + DBG1(DBG_CFG, "policy %s missing in issuing certificate '%Y'", + oid, cert->get_issuer(cert)); + free(oid); + enumerator->destroy(enumerator); + return FALSE; + } + } + enumerator->destroy(enumerator); + + return TRUE; +} + +/** + * Check if a given policy is valid under a trustchain + */ +static bool is_policy_valid(linked_list_t *chain, chunk_t oid) +{ + x509_policy_mapping_t *mapping; + x509_cert_policy_t *policy; + x509_t *issuer; + enumerator_t *issuers, *policies, *mappings; + bool found = TRUE; + + issuers = chain->create_enumerator(chain); + while (issuers->enumerate(issuers, &issuer)) { - enumerator = subject->create_cert_policy_enumerator(subject); - while (enumerator->enumerate(enumerator, &policy)) + int maxmap = 8; + + while (found) { - if (!has_policy(issuer, policy->oid)) + found = FALSE; + + policies = issuer->create_cert_policy_enumerator(issuer); + while (policies->enumerate(policies, &policy)) { - oid = asn1_oid_to_string(policy->oid); - DBG1(DBG_CFG, "policy %s missing in issuing certificate '%Y'", - oid, cert->get_issuer(cert)); - free(oid); - enumerator->destroy(enumerator); - return FALSE; + if (chunk_equals(oid, policy->oid) || + chunk_equals(any_policy, policy->oid)) + { + found = TRUE; + break; + } } - if (auth) + policies->destroy(policies); + if (found) { - oid = asn1_oid_to_string(policy->oid); - if (oid) + break; + } + /* fall back to a mapped policy */ + mappings = issuer->create_policy_mapping_enumerator(issuer); + while (mappings->enumerate(mappings, &mapping)) + { + if (chunk_equals(mapping->subject, oid)) { - auth->add(auth, AUTH_RULE_CERT_POLICY, oid); + oid = mapping->issuer; + found = TRUE; + break; } } + mappings->destroy(mappings); + if (--maxmap == 0) + { + found = FALSE; + break; + } + } + if (!found) + { + break; } - enumerator->destroy(enumerator); } + issuers->destroy(issuers); - return TRUE; + return found; } /** @@ -364,7 +466,7 @@ static bool has_policy_chain(linked_list_t *chain, x509_t *subject, int len) enumerator = chain->create_enumerator(chain); while (len-- > 0 && enumerator->enumerate(enumerator, &issuer)) { - if (!check_policy(subject, issuer, TRUE, NULL)) + if (!check_policy(subject, issuer)) { valid = FALSE; break; @@ -450,6 +552,7 @@ static bool check_policy_constraints(x509_t *issuer, u_int pathlen, { if (subject->get_type(subject) == CERT_X509) { + x509_cert_policy_t *policy; enumerator_t *enumerator; linked_list_t *chain; certificate_t *cert; @@ -457,6 +560,7 @@ static bool check_policy_constraints(x509_t *issuer, u_int pathlen, x509_t *x509; int len = 0; u_int expl, inh; + char *oid; /* prepare trustchain to validate */ chain = linked_list_create(); @@ -517,6 +621,31 @@ static bool check_policy_constraints(x509_t *issuer, u_int pathlen, } enumerator->destroy(enumerator); + if (valid) + { + x509 = (x509_t*)subject; + + enumerator = x509->create_cert_policy_enumerator(x509); + while (enumerator->enumerate(enumerator, &policy)) + { + oid = asn1_oid_to_string(policy->oid); + if (oid) + { + if (is_policy_valid(chain, policy->oid)) + { + auth->add(auth, AUTH_RULE_CERT_POLICY, oid); + } + else + { + DBG1(DBG_CFG, "certificate policy %s for '%Y' " + "not allowed by trustchain, ignored", + oid, subject->get_subject(subject)); + free(oid); + } + } + } + enumerator->destroy(enumerator); + } chain->destroy(chain); } } @@ -543,12 +672,6 @@ METHOD(cert_validator_t, validate, bool, subject); return FALSE; } - if (!check_policy((x509_t*)subject, (x509_t*)issuer, !pathlen, auth)) - { - lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION, - subject); - return FALSE; - } if (anchor) { if (!check_policy_constraints((x509_t*)issuer, pathlen, auth)) diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in index 4b397e85d..7b7231b85 100644 --- a/src/libstrongswan/plugins/ctr/Makefile.in +++ b/src/libstrongswan/plugins/ctr/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index 2e221c8b4..d525eac02 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index 0025a2b20..96b2f6055 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in index 0b30923a5..910289906 100644 --- a/src/libstrongswan/plugins/dnskey/Makefile.in +++ b/src/libstrongswan/plugins/dnskey/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/files/Makefile.am b/src/libstrongswan/plugins/files/Makefile.am new file mode 100644 index 000000000..67767495c --- /dev/null +++ b/src/libstrongswan/plugins/files/Makefile.am @@ -0,0 +1,16 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-files.la +else +plugin_LTLIBRARIES = libstrongswan-files.la +endif + +libstrongswan_files_la_SOURCES = \ + files_plugin.h files_plugin.c files_fetcher.c files_fetcher.h + +libstrongswan_files_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/files/Makefile.in b/src/libstrongswan/plugins/files/Makefile.in new file mode 100644 index 000000000..31dc4a3ac --- /dev/null +++ b/src/libstrongswan/plugins/files/Makefile.in @@ -0,0 +1,775 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/files +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_files_la_LIBADD = +am_libstrongswan_files_la_OBJECTS = files_plugin.lo files_fetcher.lo +libstrongswan_files_la_OBJECTS = $(am_libstrongswan_files_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libstrongswan_files_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_files_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_files_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_files_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libstrongswan_files_la_SOURCES) +DIST_SOURCES = $(libstrongswan_files_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-files.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-files.la +libstrongswan_files_la_SOURCES = \ + files_plugin.h files_plugin.c files_fetcher.c files_fetcher.h + +libstrongswan_files_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/files/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/files/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-files.la: $(libstrongswan_files_la_OBJECTS) $(libstrongswan_files_la_DEPENDENCIES) $(EXTRA_libstrongswan_files_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_files_la_LINK) $(am_libstrongswan_files_la_rpath) $(libstrongswan_files_la_OBJECTS) $(libstrongswan_files_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/files_fetcher.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/files_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/files/files_fetcher.c b/src/libstrongswan/plugins/files/files_fetcher.c new file mode 100644 index 000000000..e0b7cbdb6 --- /dev/null +++ b/src/libstrongswan/plugins/files/files_fetcher.c @@ -0,0 +1,117 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include +#include + +#include "files_fetcher.h" + +typedef struct private_files_fetcher_t private_files_fetcher_t; + +/** + * private data of a files_fetcher_t object. + */ +struct private_files_fetcher_t { + + /** + * Public data + */ + files_fetcher_t public; + + /** + * Callback function + */ + fetcher_callback_t cb; +}; + +METHOD(fetcher_t, fetch, status_t, + private_files_fetcher_t *this, char *uri, void *userdata) +{ + chunk_t *data; + status_t status = FAILED; + + if (this->cb == fetcher_default_callback) + { + *(chunk_t*)userdata = chunk_empty; + } + if (!strpfx(uri, "file://")) + { + return NOT_SUPPORTED; + } + uri = uri + strlen("file://"); + data = chunk_map(uri, FALSE); + if (!data) + { + DBG1(DBG_LIB, " opening '%s' failed: %s", uri, strerror(errno)); + return FAILED; + } + if (this->cb(userdata, *data)) + { + status = SUCCESS; + } + chunk_unmap(data); + return status; +} + +METHOD(fetcher_t, set_option, bool, + private_files_fetcher_t *this, fetcher_option_t option, ...) +{ + bool supported = TRUE; + va_list args; + + va_start(args, option); + switch (option) + { + case FETCH_CALLBACK: + { + this->cb = va_arg(args, fetcher_callback_t); + break; + } + default: + supported = FALSE; + break; + } + va_end(args); + return supported; +} + +METHOD(fetcher_t, destroy, void, + private_files_fetcher_t *this) +{ + free(this); +} + +/* + * Described in header. + */ +files_fetcher_t *files_fetcher_create() +{ + private_files_fetcher_t *this; + + INIT(this, + .public = { + .interface = { + .fetch = _fetch, + .set_option = _set_option, + .destroy = _destroy, + }, + }, + .cb = fetcher_default_callback, + ); + + return &this->public; +} diff --git a/src/libstrongswan/plugins/files/files_fetcher.h b/src/libstrongswan/plugins/files/files_fetcher.h new file mode 100644 index 000000000..7fc4ec98e --- /dev/null +++ b/src/libstrongswan/plugins/files/files_fetcher.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup files_fetcher files_fetcher + * @{ @ingroup files_p + */ + +#ifndef FILES_FETCHER_H_ +#define FILES_FETCHER_H_ + +typedef struct files_fetcher_t files_fetcher_t; + +/** + * Fetcher implementation loading local files + */ +struct files_fetcher_t { + + /** + * Implements fetcher interface + */ + fetcher_t interface; +}; + +/** + * Create a files_fetcher instance. + */ +files_fetcher_t *files_fetcher_create(); + +#endif /** FILES_FETCHER_H_ @}*/ diff --git a/src/libstrongswan/plugins/files/files_plugin.c b/src/libstrongswan/plugins/files/files_plugin.c new file mode 100644 index 000000000..6ab735dab --- /dev/null +++ b/src/libstrongswan/plugins/files/files_plugin.c @@ -0,0 +1,76 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "files_plugin.h" +#include "files_fetcher.h" + +#include +#include + +typedef struct private_files_plugin_t private_files_plugin_t; + +/** + * private data of files_plugin + */ +struct private_files_plugin_t { + + /** + * public functions + */ + files_plugin_t public; +}; + +METHOD(plugin_t, get_name, char*, + private_files_plugin_t *this) +{ + return "files"; +} + +METHOD(plugin_t, get_features, int, + private_files_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_REGISTER(FETCHER, files_fetcher_create), + PLUGIN_PROVIDE(FETCHER, "file://"), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_files_plugin_t *this) +{ + free(this); +} + +/* + * see header file + */ +plugin_t *files_plugin_create() +{ + private_files_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + }, + ); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/files/files_plugin.h b/src/libstrongswan/plugins/files/files_plugin.h new file mode 100644 index 000000000..c121b9652 --- /dev/null +++ b/src/libstrongswan/plugins/files/files_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup files_p files + * @ingroup plugins + * + * @defgroup files_plugin files_plugin + * @{ @ingroup files_p + */ + +#ifndef FILES_PLUGIN_H_ +#define FILES_PLUGIN_H_ + +#include + +typedef struct files_plugin_t files_plugin_t; + +/** + * Plugin implementing fetcher interface loading local files directly. + */ +struct files_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** FILES_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index 64ae66559..b7ca1ce97 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -228,6 +228,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c index 23825078e..25accf996 100644 --- a/src/libstrongswan/plugins/fips_prf/fips_prf.c +++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c @@ -116,6 +116,12 @@ METHOD(prf_t, get_bytes, bool, u_int8_t *xkey = this->key; u_int8_t one[this->b]; + if (!w) + { + /* append mode is not supported */ + return FALSE; + } + memset(one, 0, this->b); one[this->b - 1] = 0x01; @@ -250,4 +256,3 @@ fips_prf_t *fips_prf_create(pseudo_random_function_t algo) return &this->public; } - diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in index 511bfc365..e125ab884 100644 --- a/src/libstrongswan/plugins/gcm/Makefile.in +++ b/src/libstrongswan/plugins/gcm/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 0c7d22d71..4ce7438fc 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -230,6 +230,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c index f418b941d..744ec0bbf 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c @@ -35,7 +35,7 @@ struct private_gcrypt_dh_t { /** * Diffie Hellman group number */ - u_int16_t group; + diffie_hellman_group_t group; /* * Generator value @@ -73,12 +73,17 @@ struct private_gcrypt_dh_t { size_t p_len; }; -METHOD(diffie_hellman_t, set_other_public_value, void, +METHOD(diffie_hellman_t, set_other_public_value, bool, private_gcrypt_dh_t *this, chunk_t value) { gcry_mpi_t p_min_1; gcry_error_t err; + if (!diffie_hellman_verify_value(this->group, value)) + { + return FALSE; + } + if (this->yb) { gcry_mpi_release(this->yb); @@ -88,7 +93,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void, if (err) { DBG1(DBG_LIB, "importing mpi yb failed: %s", gpg_strerror(err)); - return; + return FALSE; } p_min_1 = gcry_mpi_new(this->p_len * 8); @@ -112,6 +117,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void, " y < 2 || y > p - 1 "); } gcry_mpi_release(p_min_1); + return this->zz != NULL; } /** @@ -132,21 +138,22 @@ static chunk_t export_mpi(gcry_mpi_t value, size_t len) return chunk; } -METHOD(diffie_hellman_t, get_my_public_value, void, +METHOD(diffie_hellman_t, get_my_public_value, bool, private_gcrypt_dh_t *this, chunk_t *value) { *value = export_mpi(this->ya, this->p_len); + return TRUE; } -METHOD(diffie_hellman_t, get_shared_secret, status_t, +METHOD(diffie_hellman_t, get_shared_secret, bool, private_gcrypt_dh_t *this, chunk_t *secret) { if (!this->zz) { - return FAILED; + return FALSE; } *secret = export_mpi(this->zz, this->p_len); - return SUCCESS; + return TRUE; } METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index eab4a0047..788cb931e 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c index b74d35169..4fcb168fa 100644 --- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c +++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c @@ -42,7 +42,7 @@ struct private_gmp_diffie_hellman_t { /** * Diffie Hellman group number. */ - u_int16_t group; + diffie_hellman_group_t group; /* * Generator value. @@ -85,11 +85,16 @@ struct private_gmp_diffie_hellman_t { bool computed; }; -METHOD(diffie_hellman_t, set_other_public_value, void, +METHOD(diffie_hellman_t, set_other_public_value, bool, private_gmp_diffie_hellman_t *this, chunk_t value) { mpz_t p_min_1; + if (!diffie_hellman_verify_value(this->group, value)) + { + return FALSE; + } + mpz_init(p_min_1); mpz_sub_ui(p_min_1, this->p, 1); @@ -142,9 +147,10 @@ METHOD(diffie_hellman_t, set_other_public_value, void, " y < 2 || y > p - 1 "); } mpz_clear(p_min_1); + return this->computed; } -METHOD(diffie_hellman_t, get_my_public_value, void, +METHOD(diffie_hellman_t, get_my_public_value, bool, private_gmp_diffie_hellman_t *this,chunk_t *value) { value->len = this->p_len; @@ -153,22 +159,23 @@ METHOD(diffie_hellman_t, get_my_public_value, void, { value->len = 0; } + return TRUE; } -METHOD(diffie_hellman_t, get_shared_secret, status_t, +METHOD(diffie_hellman_t, get_shared_secret, bool, private_gmp_diffie_hellman_t *this, chunk_t *secret) { if (!this->computed) { - return FAILED; + return FALSE; } secret->len = this->p_len; secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz); if (secret->ptr == NULL) { - return FAILED; + return FALSE; } - return SUCCESS; + return TRUE; } METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, @@ -245,7 +252,7 @@ static gmp_diffie_hellman_t *create_generic(diffie_hellman_group_t group, *random.ptr &= 0x7F; } mpz_import(this->xa, random.len, 1, 1, 1, 0, random.ptr); - chunk_free(&random); + chunk_clear(&random); DBG2(DBG_LIB, "size of DH secret exponent: %u bits", mpz_sizeinbase(this->xa, 2)); diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index bf34e4c9f..a8c39cbab 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/hmac/hmac.c b/src/libstrongswan/plugins/hmac/hmac.c index 44cb46b4d..96a14aed9 100644 --- a/src/libstrongswan/plugins/hmac/hmac.c +++ b/src/libstrongswan/plugins/hmac/hmac.c @@ -103,7 +103,8 @@ METHOD(mac_t, set_key, bool, if (key.len > this->b) { /* if key is too long, it will be hashed */ - if (!this->h->get_hash(this->h, key, buffer)) + if (!this->h->reset(this->h) || + !this->h->get_hash(this->h, key, buffer)) { return FALSE; } diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in index 17faa569d..8f6a6f54d 100644 --- a/src/libstrongswan/plugins/keychain/Makefile.in +++ b/src/libstrongswan/plugins/keychain/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 332a587c9..5316323a4 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index 91fe8c45f..d5f9c6c81 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index ba6cb0cf6..1dd3892cd 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in +++ b/src/libstrongswan/plugins/md5/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index bca4562d6..e2fb7e720 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -228,6 +228,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in index 0d15d7c2e..0b51ba5d8 100644 --- a/src/libstrongswan/plugins/nonce/Makefile.in +++ b/src/libstrongswan/plugins/nonce/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/ntru/Makefile.am b/src/libstrongswan/plugins/ntru/Makefile.am index b959afa8e..c9fcee982 100644 --- a/src/libstrongswan/plugins/ntru/Makefile.am +++ b/src/libstrongswan/plugins/ntru/Makefile.am @@ -16,7 +16,6 @@ libstrongswan_ntru_la_SOURCES = \ ntru_convert.h ntru_convert.c \ ntru_drbg.h ntru_drbg.c \ ntru_ke.h ntru_ke.c \ - ntru_mgf1.h ntru_mgf1.c \ ntru_param_set.h ntru_param_set.c \ ntru_poly.h ntru_poly.c \ ntru_public_key.h ntru_public_key.c \ diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in index e57a3673e..5636692ab 100644 --- a/src/libstrongswan/plugins/ntru/Makefile.in +++ b/src/libstrongswan/plugins/ntru/Makefile.in @@ -129,9 +129,8 @@ am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_ntru_la_LIBADD = am_libstrongswan_ntru_la_OBJECTS = ntru_plugin.lo ntru_convert.lo \ - ntru_drbg.lo ntru_ke.lo ntru_mgf1.lo ntru_param_set.lo \ - ntru_poly.lo ntru_public_key.lo ntru_private_key.lo \ - ntru_trits.lo + ntru_drbg.lo ntru_ke.lo ntru_param_set.lo ntru_poly.lo \ + ntru_public_key.lo ntru_private_key.lo ntru_trits.lo libstrongswan_ntru_la_OBJECTS = $(am_libstrongswan_ntru_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -229,6 +228,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -438,7 +442,6 @@ libstrongswan_ntru_la_SOURCES = \ ntru_convert.h ntru_convert.c \ ntru_drbg.h ntru_drbg.c \ ntru_ke.h ntru_ke.c \ - ntru_mgf1.h ntru_mgf1.c \ ntru_param_set.h ntru_param_set.c \ ntru_poly.h ntru_poly.c \ ntru_public_key.h ntru_public_key.c \ @@ -539,7 +542,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_convert.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_drbg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_ke.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_mgf1.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_param_set.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_plugin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_poly.Plo@am__quote@ diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c index abaa22336..3b5df81d9 100644 --- a/src/libstrongswan/plugins/ntru/ntru_ke.c +++ b/src/libstrongswan/plugins/ntru/ntru_ke.c @@ -56,7 +56,7 @@ struct private_ntru_ke_t { /** * Diffie Hellman group number. */ - u_int16_t group; + diffie_hellman_group_t group; /** * NTRU Parameter Set @@ -106,10 +106,10 @@ struct private_ntru_ke_t { /** * Deterministic Random Bit Generator */ - ntru_drbg_t *drbg; + ntru_drbg_t *drbg; }; -METHOD(diffie_hellman_t, get_my_public_value, void, +METHOD(diffie_hellman_t, get_my_public_value, bool, private_ntru_ke_t *this, chunk_t *value) { *value = chunk_empty; @@ -130,30 +130,30 @@ METHOD(diffie_hellman_t, get_my_public_value, void, if (!this->privkey) { DBG1(DBG_LIB, "NTRU keypair generation failed"); - return; + return FALSE; } this->pubkey = this->privkey->get_public_key(this->privkey); } *value = chunk_clone(this->pubkey->get_encoding(this->pubkey)); DBG3(DBG_LIB, "NTRU public key: %B", value); } + return TRUE; } -METHOD(diffie_hellman_t, get_shared_secret, status_t, +METHOD(diffie_hellman_t, get_shared_secret, bool, private_ntru_ke_t *this, chunk_t *secret) { if (!this->computed || !this->shared_secret.len) { *secret = chunk_empty; - return FAILED; + return FALSE; } *secret = chunk_clone(this->shared_secret); - return SUCCESS; + return TRUE; } - -METHOD(diffie_hellman_t, set_other_public_value, void, +METHOD(diffie_hellman_t, set_other_public_value, bool, private_ntru_ke_t *this, chunk_t value) { if (this->privkey) @@ -162,15 +162,15 @@ METHOD(diffie_hellman_t, set_other_public_value, void, if (value.len == 0) { DBG1(DBG_LIB, "empty NTRU ciphertext"); - return; + return FALSE; } DBG3(DBG_LIB, "NTRU ciphertext: %B", &value); /* decrypt the shared secret */ - if (!this->privkey->decrypt(this->privkey, value, &this->shared_secret)) + if (!this->privkey->decrypt(this->privkey, value, &this->shared_secret)) { DBG1(DBG_LIB, "NTRU decryption of shared secret failed"); - return; + return FALSE; } this->computed = TRUE; } @@ -185,13 +185,13 @@ METHOD(diffie_hellman_t, set_other_public_value, void, pubkey = ntru_public_key_create_from_data(this->drbg, value); if (!pubkey) { - return; + return FALSE; } if (pubkey->get_id(pubkey) != this->param_set->id) { DBG1(DBG_LIB, "received NTRU public key with wrong OUI"); pubkey->destroy(pubkey); - return; + return FALSE; } this->pubkey = pubkey; @@ -204,7 +204,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void, { DBG1(DBG_LIB, "generation of shared secret failed"); chunk_free(&this->shared_secret); - return; + return FALSE; } this->computed = TRUE; @@ -212,10 +212,11 @@ METHOD(diffie_hellman_t, set_other_public_value, void, if (!pubkey->encrypt(pubkey, this->shared_secret, &this->ciphertext)) { DBG1(DBG_LIB, "NTRU encryption of shared secret failed"); - return; + return FALSE; } DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext); } + return this->computed; } METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, @@ -301,10 +302,10 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) drbg = ntru_drbg_create(strength, chunk_from_str("IKE NTRU-KE"), entropy); if (!drbg) - { + { DBG1(DBG_LIB, "could not instantiate DRBG at %u bit security", strength); entropy->destroy(entropy); - return NULL; + return NULL; } INIT(this, @@ -326,4 +327,3 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) return &this->public; } - diff --git a/src/libstrongswan/plugins/ntru/ntru_mgf1.c b/src/libstrongswan/plugins/ntru/ntru_mgf1.c deleted file mode 100644 index 2338db208..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_mgf1.c +++ /dev/null @@ -1,182 +0,0 @@ -/* - * Copyright (C) 2013 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "ntru_mgf1.h" - -#include -#include -#include - -typedef struct private_ntru_mgf1_t private_ntru_mgf1_t; - -/** - * Private data of an ntru_mgf1_t object. - */ -struct private_ntru_mgf1_t { - - /** - * Public ntru_mgf1_t interface. - */ - ntru_mgf1_t public; - - /** - * Hasher the MGF1 Mask Generation Function is based on - */ - hasher_t *hasher; - - /** - * Counter - */ - u_int32_t counter; - - /** - * Set if counter has reached 2^32 - */ - bool overflow; - - /** - * Current state to be hashed - */ - chunk_t state; - - /** - * Position of the 4 octet counter string - */ - u_char *ctr_str; - -}; - -METHOD(ntru_mgf1_t, get_hash_size, size_t, - private_ntru_mgf1_t *this) -{ - return this->hasher->get_hash_size(this->hasher); -} - -METHOD(ntru_mgf1_t, get_mask, bool, - private_ntru_mgf1_t *this, size_t mask_len, u_char *mask) -{ - u_char buf[HASH_SIZE_SHA512]; - size_t hash_len; - - hash_len = this->hasher->get_hash_size(this->hasher); - - while (mask_len > 0) - { - /* detect overflow, set counter string and increment counter */ - if (this->overflow) - { - return FALSE; - } - htoun32(this->ctr_str, this->counter++); - if (this->counter == 0) - { - this->overflow = TRUE; - } - - /* get the next or final mask block from the hash function */ - if (!this->hasher->get_hash(this->hasher, this->state, - (mask_len < hash_len) ? buf : mask)) - { - return FALSE; - } - if (mask_len < hash_len) - { - memcpy(mask, buf, mask_len); - return TRUE; - } - mask_len -= hash_len; - mask += hash_len; - } - return TRUE; -} - -METHOD(ntru_mgf1_t, allocate_mask, bool, - private_ntru_mgf1_t *this, size_t mask_len, chunk_t *mask) -{ - if (mask_len == 0) - { - *mask = chunk_empty; - return TRUE; - } - *mask = chunk_alloc(mask_len); - - return get_mask(this, mask_len, mask->ptr); -} - -METHOD(ntru_mgf1_t, destroy, void, - private_ntru_mgf1_t *this) -{ - this->hasher->destroy(this->hasher); - chunk_clear(&this->state); - free(this); -} - -/* - * Described in header. - */ -ntru_mgf1_t *ntru_mgf1_create(hash_algorithm_t alg, chunk_t seed, - bool hash_seed) -{ - private_ntru_mgf1_t *this; - hasher_t *hasher; - size_t state_len; - - if (seed.len == 0) - { - DBG1(DBG_LIB, "empty seed for MGF1"); - return NULL; - } - - hasher = lib->crypto->create_hasher(lib->crypto, alg); - if (!hasher) - { - DBG1(DBG_LIB, "failed to create %N hasher for MGF1", - hash_algorithm_names, alg); - return NULL; - } - state_len = (hash_seed ? hasher->get_hash_size(hasher) : seed.len) + 4; - - INIT(this, - .public = { - .get_hash_size = _get_hash_size, - .allocate_mask = _allocate_mask, - .get_mask = _get_mask, - .destroy = _destroy, - }, - .hasher = hasher, - .state = chunk_alloc(state_len), - ); - - /* determine position of the 4 octet counter string */ - this->ctr_str = this->state.ptr + state_len - 4; - - if (hash_seed) - { - if (!hasher->get_hash(hasher, seed, this->state.ptr)) - { - DBG1(DBG_LIB, "failed to hash seed for MGF1"); - destroy(this); - return NULL; - } - } - else - { - memcpy(this->state.ptr, seed.ptr, seed.len); - } - - return &this->public; -} - -EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_mgf1_create); diff --git a/src/libstrongswan/plugins/ntru/ntru_mgf1.h b/src/libstrongswan/plugins/ntru/ntru_mgf1.h deleted file mode 100644 index 53e90412a..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_mgf1.h +++ /dev/null @@ -1,77 +0,0 @@ -/* - * Copyright (C) 2013 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup ntru_mgf1 ntru_mgf1 - * @{ @ingroup ntru_p - */ - -#ifndef NTRU_MGF1_H_ -#define NTRU_MGF1_H_ - -typedef struct ntru_mgf1_t ntru_mgf1_t; - -#include - -/** - * Implements the PKCS#1 MGF1 Mask Generation Function based on a hash function - * defined in section 10.2.1 of RFC 2437 - */ -struct ntru_mgf1_t { - - /** - * Get the hash size of the underlying hash function - * - * @return hash size in bytes - */ - size_t (*get_hash_size)(ntru_mgf1_t *this); - - /** - * Generate a mask pattern and copy it to an output buffer - * If the maximum number of requests has been reached, reseeding occurs - * - * @param mask_len number of mask bytes to generate - * @param mask output buffer of minimum size mask_len - * @return TRUE if successful - */ - bool (*get_mask)(ntru_mgf1_t *this, size_t mask_len, u_char *mask); - - /** - * Generate a mask pattern and return it in an allocated chunk - * - * @param mask_len number of mask bytes to generate - * @param mask chunk containing generated mask - * @return TRUE if successful - */ - bool (*allocate_mask)(ntru_mgf1_t *this, size_t mask_len, chunk_t *mask); - - /** - * Destroy the MGF1 object - */ - void (*destroy)(ntru_mgf1_t *this); -}; - -/** - * Create an MGF1 object - * - * @param alg hash algorithm to be used by MGF1 - * @param seed seed used by MGF1 to generate mask from - * @param hash_seed hash seed before using it as a seed from MGF1 - */ -ntru_mgf1_t *ntru_mgf1_create(hash_algorithm_t alg, chunk_t seed, - bool hash_seed); - -#endif /** NTRU_MGF1_H_ @}*/ - diff --git a/src/libstrongswan/plugins/ntru/ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_poly.c index 77ab54a5c..cb11601cd 100644 --- a/src/libstrongswan/plugins/ntru/ntru_poly.c +++ b/src/libstrongswan/plugins/ntru/ntru_poly.c @@ -16,8 +16,8 @@ */ #include "ntru_poly.h" -#include "ntru_mgf1.h" +#include #include #include @@ -297,22 +297,17 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed, bool is_product_form) { private_ntru_poly_t *this; - size_t hash_len, octet_count = 0, i; - uint8_t octets[HASH_SIZE_SHA512], *used, num_left = 0, num_needed; - uint16_t index, limit, left = 0; int n, num_indices, index_i = 0; - ntru_mgf1_t *mgf1; + uint32_t index, limit; + uint8_t *used; + mgf1_bitspender_t *bitspender; - DBG2(DBG_LIB, "MGF1 is seeded with %u bytes", seed.len); - mgf1 = ntru_mgf1_create(alg, seed, TRUE); - if (!mgf1) + bitspender = mgf1_bitspender_create(alg, seed, TRUE); + if (!bitspender) { return NULL; } - i = hash_len = mgf1->get_hash_size(mgf1); - this = ntru_poly_create(N, q, indices_len_p, indices_len_m, is_product_form); - used = malloc(N); limit = N * ((1 << c_bits) / N); @@ -328,43 +323,12 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed, /* generate a random candidate index with a size of c_bits */ do { - /* use any leftover bits first */ - index = num_left ? left << (c_bits - num_left) : 0; - - /* get the rest of the bits needed from new octets */ - num_needed = c_bits - num_left; - - while (num_needed) + if (!bitspender->get_bits(bitspender, c_bits, &index)) { - if (i == hash_len) - { - /* get another block from MGF1 */ - if (!mgf1->get_mask(mgf1, hash_len, octets)) - { - mgf1->destroy(mgf1); - destroy(this); - free(used); - return NULL; - } - octet_count += hash_len; - i = 0; - } - left = octets[i++]; - - if (num_needed <= 8) - { - /* all bits needed to fill the index are in this octet */ - index |= left >> (8 - num_needed); - num_left = 8 - num_needed; - num_needed = 0; - left &= 0xff >> (8 - num_left); - } - else - { - /* more than one octet will be needed */ - index |= left << (num_needed - 8); - num_needed -= 8; - } + bitspender->destroy(bitspender); + destroy(this); + free(used); + return NULL; } } while (index >= limit); @@ -380,9 +344,7 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed, } } - DBG2(DBG_LIB, "MGF1 generates %u octets to derive %u indices", - octet_count, this->num_indices); - mgf1->destroy(mgf1); + bitspender->destroy(bitspender); free(used); return &this->public; diff --git a/src/libstrongswan/plugins/ntru/ntru_trits.c b/src/libstrongswan/plugins/ntru/ntru_trits.c index 1abb7671c..57b3532ef 100644 --- a/src/libstrongswan/plugins/ntru/ntru_trits.c +++ b/src/libstrongswan/plugins/ntru/ntru_trits.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -14,9 +14,9 @@ */ #include "ntru_trits.h" -#include "ntru_mgf1.h" #include "ntru_convert.h" +#include #include #include @@ -70,17 +70,15 @@ METHOD(ntru_trits_t, destroy, void, ntru_trits_t *ntru_trits_create(size_t len, hash_algorithm_t alg, chunk_t seed) { private_ntru_trits_t *this; - uint8_t octets[HASH_SIZE_SHA512], buf[5], *trits; - size_t hash_len, octet_count = 0, trits_needed, i; - ntru_mgf1_t *mgf1; + uint8_t octet, buf[5], *trits; + size_t trits_needed; + mgf1_bitspender_t *bitspender; - DBG2(DBG_LIB, "MGF1 is seeded with %u bytes", seed.len); - mgf1 = ntru_mgf1_create(alg, seed, TRUE); - if (!mgf1) + bitspender = mgf1_bitspender_create(alg, seed, TRUE); + if (!bitspender) { return NULL; } - i = hash_len = mgf1->get_hash_size(mgf1); INIT(this, .public = { @@ -97,21 +95,15 @@ ntru_trits_t *ntru_trits_create(size_t len, hash_algorithm_t alg, chunk_t seed) while (trits_needed > 0) { - if (i == hash_len) + if (!bitspender->get_byte(bitspender, &octet)) { - /* get another block from MGF1 */ - if (!mgf1->get_mask(mgf1, hash_len, octets)) - { - mgf1->destroy(mgf1); - destroy(this); - return NULL; - } - octet_count += hash_len; - i = 0; + bitspender->destroy(bitspender); + destroy(this); + return NULL; } - if (octets[i] < 243) /* 243 = 3^5 */ + if (octet < 243) /* 243 = 3^5 */ { - ntru_octet_2_trits(octets[i], (trits_needed < 5) ? buf : trits); + ntru_octet_2_trits(octet, (trits_needed < 5) ? buf : trits); if (trits_needed < 5) { memcpy(trits, buf, trits_needed); @@ -120,11 +112,8 @@ ntru_trits_t *ntru_trits_create(size_t len, hash_algorithm_t alg, chunk_t seed) trits += 5; trits_needed -= 5; } - i++; } - DBG2(DBG_LIB, "MGF1 generates %u octets to extract %u trits", - octet_count, len); - mgf1->destroy(mgf1); + bitspender->destroy(bitspender); return &this->public; } diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index ac0db0150..a667ca47e 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -236,6 +236,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c index 07b96b320..c2478a4ed 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crypter.c +++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c @@ -135,7 +135,7 @@ METHOD(crypter_t, get_block_size, size_t, METHOD(crypter_t, get_iv_size, size_t, private_openssl_crypter_t *this) { - return this->cipher->block_size; + return this->cipher->iv_len; } METHOD(crypter_t, get_key_size, size_t, diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c index ff3382473..2615d60a2 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c @@ -38,7 +38,7 @@ struct private_openssl_diffie_hellman_t { /** * Diffie Hellman group number. */ - u_int16_t group; + diffie_hellman_group_t group; /** * Diffie Hellman object @@ -61,36 +61,42 @@ struct private_openssl_diffie_hellman_t { bool computed; }; -METHOD(diffie_hellman_t, get_my_public_value, void, +METHOD(diffie_hellman_t, get_my_public_value, bool, private_openssl_diffie_hellman_t *this, chunk_t *value) { *value = chunk_alloc(DH_size(this->dh)); memset(value->ptr, 0, value->len); BN_bn2bin(this->dh->pub_key, value->ptr + value->len - BN_num_bytes(this->dh->pub_key)); + return TRUE; } -METHOD(diffie_hellman_t, get_shared_secret, status_t, +METHOD(diffie_hellman_t, get_shared_secret, bool, private_openssl_diffie_hellman_t *this, chunk_t *secret) { if (!this->computed) { - return FAILED; + return FALSE; } /* shared secret should requires a len according the DH group */ *secret = chunk_alloc(DH_size(this->dh)); memset(secret->ptr, 0, secret->len); memcpy(secret->ptr + secret->len - this->shared_secret.len, this->shared_secret.ptr, this->shared_secret.len); - return SUCCESS; + return TRUE; } -METHOD(diffie_hellman_t, set_other_public_value, void, +METHOD(diffie_hellman_t, set_other_public_value, bool, private_openssl_diffie_hellman_t *this, chunk_t value) { int len; + if (!diffie_hellman_verify_value(this->group, value)) + { + return FALSE; + } + BN_bin2bn(value.ptr, value.len, this->pub_key); chunk_clear(&this->shared_secret); this->shared_secret.ptr = malloc(DH_size(this->dh)); @@ -99,10 +105,11 @@ METHOD(diffie_hellman_t, set_other_public_value, void, if (len < 0) { DBG1(DBG_LIB, "DH shared secret computation failed"); - return; + return FALSE; } this->shared_secret.len = len; this->computed = TRUE; + return TRUE; } METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index b487d59a5..550a5432f 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -40,7 +40,7 @@ struct private_openssl_ec_diffie_hellman_t { /** * Diffie Hellman group number. */ - u_int16_t group; + diffie_hellman_group_t group; /** * EC private (public) key @@ -216,40 +216,47 @@ error: return ret; } -METHOD(diffie_hellman_t, set_other_public_value, void, +METHOD(diffie_hellman_t, set_other_public_value, bool, private_openssl_ec_diffie_hellman_t *this, chunk_t value) { + if (!diffie_hellman_verify_value(this->group, value)) + { + return FALSE; + } + if (!chunk2ecp(this->ec_group, value, this->pub_key)) { DBG1(DBG_LIB, "ECDH public value is malformed"); - return; + return FALSE; } chunk_clear(&this->shared_secret); if (!compute_shared_key(this, &this->shared_secret)) { DBG1(DBG_LIB, "ECDH shared secret computation failed"); - return; + return FALSE; } this->computed = TRUE; + return TRUE; } -METHOD(diffie_hellman_t, get_my_public_value, void, +METHOD(diffie_hellman_t, get_my_public_value, bool, private_openssl_ec_diffie_hellman_t *this,chunk_t *value) { ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE); + return TRUE; } -METHOD(diffie_hellman_t, get_shared_secret, status_t, +METHOD(diffie_hellman_t, get_shared_secret, bool, private_openssl_ec_diffie_hellman_t *this, chunk_t *secret) { if (!this->computed) { - return FAILED; + return FALSE; } *secret = chunk_clone(this->shared_secret); - return SUCCESS; + return TRUE; } METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index 4bd958784..44603afb1 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in index f9c5b9b52..4c982fdf5 100644 --- a/src/libstrongswan/plugins/pem/Makefile.in +++ b/src/libstrongswan/plugins/pem/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c index 62780c384..f0e508abf 100644 --- a/src/libstrongswan/plugins/pem/pem_builder.c +++ b/src/libstrongswan/plugins/pem/pem_builder.c @@ -364,6 +364,29 @@ static status_t pem_to_bin(chunk_t *blob, bool *pgp) return status; } +/** + * Check if a blob looks like an ASN1 SEQUENCE or SET with BER indefinite length + */ +static bool is_ber_indefinite_length(chunk_t blob) +{ + if (blob.len >= 4) + { + switch (blob.ptr[0]) + { + case ASN1_SEQUENCE: + case ASN1_SET: + /* BER indefinite length uses 0x80, and is terminated with + * end-of-content using 0x00,0x00 */ + return blob.ptr[1] == 0x80 && + blob.ptr[blob.len - 2] == 0 && + blob.ptr[blob.len - 1] == 0; + default: + break; + } + } + return FALSE; +} + /** * load the credential from a blob */ @@ -374,7 +397,7 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype, bool pgp = FALSE; blob = chunk_clone(blob); - if (!is_asn1(blob)) + if (!is_ber_indefinite_length(blob) && !is_asn1(blob)) { if (pem_to_bin(&blob, &pgp) != SUCCESS) { diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c index df4b77cc3..35ea3e885 100644 --- a/src/libstrongswan/plugins/pem/pem_encoder.c +++ b/src/libstrongswan/plugins/pem/pem_encoder.c @@ -53,6 +53,11 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, break; } } + if (cred_encoding_args(args, CRED_PART_BLISS_PUB_ASN1_DER, + &asn1, CRED_PART_END)) + { + break; + } return FALSE; case PRIVKEY_PEM: label ="RSA PRIVATE KEY"; @@ -86,6 +91,12 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, label ="EC PRIVATE KEY"; break; } + if (cred_encoding_args(args, CRED_PART_BLISS_PRIV_ASN1_DER, + &asn1, CRED_PART_END)) + { + label ="BLISS PRIVATE KEY"; + break; + } return FALSE; case CERT_PEM: if (cred_encoding_args(args, CRED_PART_X509_ASN1_DER, diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c index e7edd7b89..d5bcbb617 100644 --- a/src/libstrongswan/plugins/pem/pem_plugin.c +++ b/src/libstrongswan/plugins/pem/pem_plugin.c @@ -60,6 +60,9 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(PRIVKEY, KEY_DSA), PLUGIN_DEPENDS(PRIVKEY, KEY_DSA), PLUGIN_SDEPEND(HASHER, HASH_MD5), + PLUGIN_REGISTER(PRIVKEY, pem_private_key_load, FALSE), + PLUGIN_PROVIDE(PRIVKEY, KEY_BLISS), + PLUGIN_DEPENDS(PRIVKEY, KEY_BLISS), /* public key PEM decoding */ PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE), @@ -74,6 +77,8 @@ METHOD(plugin_t, get_features, int, PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE), PLUGIN_PROVIDE(PUBKEY, KEY_DSA), PLUGIN_DEPENDS(PUBKEY, KEY_DSA), + PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE), + PLUGIN_PROVIDE(PUBKEY, KEY_BLISS), /* certificate PEM decoding */ PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE), diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in index 8e351c273..4d4215bfe 100644 --- a/src/libstrongswan/plugins/pgp/Makefile.in +++ b/src/libstrongswan/plugins/pgp/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in index 445bc2d24..2a708364a 100644 --- a/src/libstrongswan/plugins/pkcs1/Makefile.in +++ b/src/libstrongswan/plugins/pkcs1/Makefile.in @@ -228,6 +228,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c index c6661fcda..767b3acf2 100644 --- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c @@ -63,11 +63,18 @@ static public_key_t *parse_public_key(chunk_t blob) } else if (oid == OID_EC_PUBLICKEY) { - /* we need the whole subjectPublicKeyInfo for EC public keys */ + /* Need the whole subjectPublicKeyInfo for EC public keys */ key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, BUILD_BLOB_ASN1_DER, blob, BUILD_END); goto end; } + else if (oid == OID_BLISS_PUBLICKEY) + { + /* Need the whole subjectPublicKeyInfo for BLISS public keys */ + key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, + KEY_BLISS, BUILD_BLOB_ASN1_DER, blob, BUILD_END); + goto end; + } else { /* key type not supported */ diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in index 34e8d0caa..de033a3fb 100644 --- a/src/libstrongswan/plugins/pkcs11/Makefile.in +++ b/src/libstrongswan/plugins/pkcs11/Makefile.in @@ -231,6 +231,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c index 36cc284bf..c0033bd8e 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c @@ -47,7 +47,7 @@ struct private_pkcs11_dh_t { /** * Diffie Hellman group number. */ - u_int16_t group; + diffie_hellman_group_t group; /** * Handle for own private value @@ -81,7 +81,7 @@ struct private_pkcs11_dh_t { * * If this succeeds the shared secret is stored in this->secret. */ -static void derive_secret(private_pkcs11_dh_t *this, chunk_t other) +static bool derive_secret(private_pkcs11_dh_t *this, chunk_t other) { CK_OBJECT_CLASS klass = CKO_SECRET_KEY; CK_KEY_TYPE type = CKK_GENERIC_SECRET; @@ -102,19 +102,25 @@ static void derive_secret(private_pkcs11_dh_t *this, chunk_t other) if (rv != CKR_OK) { DBG1(DBG_CFG, "C_DeriveKey() error: %N", ck_rv_names, rv); - return; + return FALSE; } if (!this->lib->get_ck_attribute(this->lib, this->session, secret, CKA_VALUE, &this->secret)) { chunk_free(&this->secret); - return; + return FALSE; } + return TRUE; } -METHOD(diffie_hellman_t, set_other_public_value, void, +METHOD(diffie_hellman_t, set_other_public_value, bool, private_pkcs11_dh_t *this, chunk_t value) { + if (!diffie_hellman_verify_value(this->group, value)) + { + return FALSE; + } + switch (this->group) { case ECP_192_BIT: @@ -137,7 +143,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void, if (!lib->settings->get_bool(lib->settings, "%s.ecp_x_coordinate_only", TRUE, lib->ns)) { /* we only get the x coordinate back */ - return; + return FALSE; } value = chunk_from_thing(params); break; @@ -145,24 +151,25 @@ METHOD(diffie_hellman_t, set_other_public_value, void, default: break; } - derive_secret(this, value); + return derive_secret(this, value); } -METHOD(diffie_hellman_t, get_my_public_value, void, +METHOD(diffie_hellman_t, get_my_public_value, bool, private_pkcs11_dh_t *this, chunk_t *value) { *value = chunk_clone(this->pub_key); + return TRUE; } -METHOD(diffie_hellman_t, get_shared_secret, status_t, +METHOD(diffie_hellman_t, get_shared_secret, bool, private_pkcs11_dh_t *this, chunk_t *secret) { if (!this->secret.ptr) { - return FAILED; + return FALSE; } *secret = chunk_clone(this->secret); - return SUCCESS; + return TRUE; } METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, @@ -443,4 +450,3 @@ pkcs11_dh_t *pkcs11_dh_create(diffie_hellman_group_t group, } return NULL; } - diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c index 7661473b1..dc8a1f17a 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Tobias Brunner + * Copyright (C) 2011-2015 Tobias Brunner * Hochschule fuer Technik Rapperswil * * Copyright (C) 2010 Martin Willi @@ -21,6 +21,7 @@ #include #include +#include #include #include #include @@ -640,11 +641,38 @@ static void free_attrs(object_enumerator_t *this) } } +/** + * CKA_EC_POINT is encodeed as ASN.1 octet string, we can't handle that and + * some tokens actually return them even unwrapped. + * + * Because ASN1_OCTET_STRING is 0x04 and uncompressed EC_POINTs also begin with + * 0x04 (compressed ones with 0x02 or 0x03) there will be an attempt to parse + * unwrapped uncompressed EC_POINTs. This will fail in most cases as the length + * will not be correct, however, there is a small chance that the key's first + * byte denotes the correct length. Checking the first byte of the key should + * further reduce the risk of false positives, though. + * + * The original memory is freed if the value is unwrapped. + */ +static void unwrap_ec_point(chunk_t *data) +{ + chunk_t wrapped, unwrapped; + + wrapped = unwrapped = *data; + if (asn1_unwrap(&unwrapped, &unwrapped) == ASN1_OCTET_STRING && + unwrapped.len && unwrapped.ptr[0] >= 0x02 && unwrapped.ptr[0] <= 0x04) + { + *data = chunk_clone(unwrapped); + free(wrapped.ptr); + } +} + /** * Get attributes for a given object during enumeration */ static bool get_attributes(object_enumerator_t *this, CK_OBJECT_HANDLE object) { + chunk_t data; CK_RV rv; int i; @@ -677,6 +705,16 @@ static bool get_attributes(object_enumerator_t *this, CK_OBJECT_HANDLE object) DBG1(DBG_CFG, "C_GetAttributeValue() error: %N", ck_rv_names, rv); return FALSE; } + for (i = 0; i < this->count; i++) + { + if (this->attr[i].type == CKA_EC_POINT) + { + data = chunk_create(this->attr[i].pValue, this->attr[i].ulValueLen); + unwrap_ec_point(&data); + this->attr[i].pValue = data.ptr; + this->attr[i].ulValueLen = data.len; + } + } return TRUE; } @@ -887,6 +925,10 @@ METHOD(pkcs11_library_t, get_ck_attribute, bool, chunk_free(data); return FALSE; } + if (attr.type == CKA_EC_POINT) + { + unwrap_ec_point(data); + } return TRUE; } diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c index bb9cc7a21..bfc545972 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Tobias Brunner + * Copyright (C) 2011-2015 Tobias Brunner * Hochschule fuer Technik Rapperswil * * Copyright (C) 2010 Martin Willi @@ -23,6 +23,7 @@ #include "pkcs11_public_key.h" #include +#include typedef struct private_pkcs11_private_key_t private_pkcs11_private_key_t; @@ -288,7 +289,23 @@ METHOD(private_key_t, sign, bool, free(buf); return FALSE; } - *signature = chunk_create(buf, len); + switch (scheme) + { + case SIGN_ECDSA_WITH_SHA1_DER: + case SIGN_ECDSA_WITH_SHA256_DER: + case SIGN_ECDSA_WITH_SHA384_DER: + case SIGN_ECDSA_WITH_SHA512_DER: + /* return an ASN.1 encoded sequence of integers r and s */ + len /= 2; + *signature = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_integer("c", chunk_create(buf, len)), + asn1_integer("c", chunk_create(buf+len, len))); + free(buf); + break; + default: + *signature = chunk_create(buf, len); + break; + } return TRUE; } diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c index 0302c0edd..6d5211657 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Tobias Brunner + * Copyright (C) 2011-2015 Tobias Brunner * Hochschule fuer Technik Rapperswil * * Copyright (C) 2010 Martin Willi @@ -135,6 +135,7 @@ static const asn1Object_t pkinfoObjects[] = { /** * Extract the DER encoded Parameters and ECPoint from the given DER encoded * subjectPublicKeyInfo. + * Memory for ecpoint is allocated. */ static bool parse_ecdsa_public_key(chunk_t blob, chunk_t *ecparams, chunk_t *ecpoint, size_t *keylen) @@ -173,7 +174,9 @@ static bool parse_ecdsa_public_key(chunk_t blob, chunk_t *ecparams, { /* skip initial bit string octet defining 0 unused bits */ object = chunk_skip(object, 1); } - *ecpoint = object; + /* the correct way to encode an EC_POINT in PKCS#11 is as + * ASN.1 octet string */ + *ecpoint = asn1_wrap(ASN1_OCTET_STRING, "c", object); break; } } @@ -205,7 +208,8 @@ METHOD(public_key_t, verify, bool, CK_SESSION_HANDLE session; CK_RV rv; hash_algorithm_t hash_alg; - chunk_t hash = chunk_empty; + chunk_t hash = chunk_empty, parse, r, s; + size_t len; mechanism = pkcs11_signature_scheme_to_mech(scheme, this->type, this->k, &hash_alg); @@ -215,9 +219,37 @@ METHOD(public_key_t, verify, bool, signature_scheme_names, scheme); return FALSE; } - if (sig.len && sig.ptr[0] == 0) - { /* trim leading zero byte in sig */ - sig = chunk_skip(sig, 1); + switch (scheme) + { + case SIGN_ECDSA_WITH_SHA1_DER: + case SIGN_ECDSA_WITH_SHA256_DER: + case SIGN_ECDSA_WITH_SHA384_DER: + case SIGN_ECDSA_WITH_SHA512_DER: + /* PKCS#11 expects the ECDSA signatures as simple concatenation of + * r and s, so unwrap the ASN.1 encoded sequence */ + parse = sig; + if (asn1_unwrap(&parse, &parse) != ASN1_SEQUENCE || + asn1_unwrap(&parse, &r) != ASN1_INTEGER || + asn1_unwrap(&parse, &s) != ASN1_INTEGER) + { + return FALSE; + } + r = chunk_skip_zero(r); + s = chunk_skip_zero(s); + len = (get_keysize(this) + 7) / 8; + if (r.len > len || s.len > len) + { + return FALSE; + } + /* concatenate r and s (forced to the defined length) */ + sig = chunk_alloca(2*len); + memset(sig.ptr, 0, sig.len); + memcpy(sig.ptr + (len - r.len), r.ptr, r.len); + memcpy(sig.ptr + len + (len - s.len), s.ptr, s.len); + break; + default: + sig = chunk_skip_zero(sig); + break; } rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION, NULL, NULL, &session); @@ -776,11 +808,11 @@ pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args) if (parse_ecdsa_public_key(blob, &ecparams, &ecpoint, &keylen)) { this = find_ecdsa_key(ecparams, ecpoint, keylen); - if (this) + if (!this) { - return &this->public; + this = create_ecdsa_key(ecparams, ecpoint, keylen); } - this = create_ecdsa_key(ecparams, ecpoint, keylen); + chunk_free(&ecpoint); if (this) { return &this->public; diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in index d90cd3532..3fa0a3890 100644 --- a/src/libstrongswan/plugins/pkcs12/Makefile.in +++ b/src/libstrongswan/plugins/pkcs12/Makefile.in @@ -228,6 +228,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in index f6534f087..3266e5d5f 100644 --- a/src/libstrongswan/plugins/pkcs7/Makefile.in +++ b/src/libstrongswan/plugins/pkcs7/Makefile.in @@ -230,6 +230,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in index 0756db856..2130c9c93 100644 --- a/src/libstrongswan/plugins/pkcs8/Makefile.in +++ b/src/libstrongswan/plugins/pkcs8/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index 1fec1b3ea..f7ac347d2 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -380,7 +380,15 @@ static plugin_entry_t *load_plugin(private_plugin_loader_t *this, char *name, return NULL; } } - handle = dlopen(file, RTLD_LAZY); + handle = dlopen(file, RTLD_LAZY +#ifdef RTLD_NODELETE + /* if supported, do not unload library when unloading a plugin. It really + * doesn't matter in productive systems, but causes many (dependency) + * library reloads during unit tests. Some libraries can't handle that, + * GnuTLS leaks file descriptors in its library load/unload functions. */ + | RTLD_NODELETE +#endif + ); if (handle == NULL) { DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror()); @@ -1283,9 +1291,9 @@ METHOD(plugin_loader_t, status, void, if (this->stats.failed) { - dbg(DBG_LIB, level, "unable to load %d plugin feature%s (%d due to " - "unmet dependencies)", this->stats.failed, - this->stats.failed == 1 ? "" : "s", this->stats.depends); + DBG2(DBG_LIB, "unable to load %d plugin feature%s (%d due to unmet " + "dependencies)", this->stats.failed, + this->stats.failed == 1 ? "" : "s", this->stats.depends); } } } diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index fcdbe9450..a9f3dd14c 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -228,6 +228,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index fb6c9ae43..11a13463b 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -228,6 +228,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in index d84b1ba17..b81acef55 100644 --- a/src/libstrongswan/plugins/rc2/Makefile.in +++ b/src/libstrongswan/plugins/rc2/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in index 967e8625d..028464bf3 100644 --- a/src/libstrongswan/plugins/rdrand/Makefile.in +++ b/src/libstrongswan/plugins/rdrand/Makefile.in @@ -228,6 +228,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in index 127482635..342c544d9 100644 --- a/src/libstrongswan/plugins/revocation/Makefile.in +++ b/src/libstrongswan/plugins/revocation/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index 70a98b006..18771e4f9 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index f7d11beb1..6aaa06b20 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in index ee96f08c2..02290b4a2 100644 --- a/src/libstrongswan/plugins/soup/Makefile.in +++ b/src/libstrongswan/plugins/soup/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index b9f949bcf..3e234f1ca 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in index b66302e1a..a8d5a1020 100644 --- a/src/libstrongswan/plugins/sshkey/Makefile.in +++ b/src/libstrongswan/plugins/sshkey/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index 8d7c667d8..8980ec46c 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -243,6 +243,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -303,10 +304,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -380,6 +383,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in index 02f4ccd8a..c84717bdc 100644 --- a/src/libstrongswan/plugins/unbound/Makefile.in +++ b/src/libstrongswan/plugins/unbound/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/winhttp/Makefile.in b/src/libstrongswan/plugins/winhttp/Makefile.in index fb87917a2..f8db1ffac 100644 --- a/src/libstrongswan/plugins/winhttp/Makefile.in +++ b/src/libstrongswan/plugins/winhttp/Makefile.in @@ -229,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index 23a6b3ba3..b31bfbed1 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -228,6 +228,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c index ed58377a6..bfc200421 100644 --- a/src/libstrongswan/plugins/x509/x509_ac.c +++ b/src/libstrongswan/plugins/x509/x509_ac.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler * Copyright (C) 2003 Martin Berner, Lukas Suter - * Copyright (C) 2002-2009 Andreas Steffen + * Copyright (C) 2002-2014 Andreas Steffen * Copyright (C) 2009 Martin Willi * * HSR Hochschule fuer Technik Rapperswil @@ -557,7 +557,7 @@ static bool parse_certificate(private_x509_ac_t *this) } break; case AC_OBJ_SIGNATURE: - this->signature = object; + this->signature = chunk_skip(object, 1); break; default: break; diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index bdc8234c9..96280a033 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -1465,7 +1465,7 @@ static bool parse_certificate(private_x509_cert_t *this) } break; case X509_OBJ_SIGNATURE: - this->signature = object; + this->signature = chunk_skip(object, 1); break; default: break; diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index d6057c30f..4d7e7bd10 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -347,7 +347,7 @@ static bool parse(private_x509_crl_t *this) break; } case CRL_OBJ_SIGNATURE: - this->signature = object; + this->signature = chunk_skip(object, 1); break; default: break; @@ -451,6 +451,7 @@ METHOD(certificate_t, issued_by, bool, signature_scheme_t scheme; bool valid; x509_t *x509 = (x509_t*)issuer; + chunk_t keyid = chunk_empty; /* check if issuer is an X.509 CA certificate */ if (issuer->get_type(issuer) != CERT_X509) @@ -462,21 +463,16 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } - /* get the public key of the issuer */ - key = issuer->get_public_key(issuer); - /* compare keyIdentifiers if available, otherwise use DNs */ - if (this->authKeyIdentifier.ptr && key) + if (this->authKeyIdentifier.ptr) { - chunk_t fingerprint; - - if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) || - !chunk_equals(fingerprint, this->authKeyIdentifier)) + keyid = x509->get_subjectKeyIdentifier(x509); + if (keyid.len && !chunk_equals(keyid, this->authKeyIdentifier)) { return FALSE; } } - else + if (!keyid.len) { if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer))) { @@ -484,10 +480,13 @@ METHOD(certificate_t, issued_by, bool, } } - /* determine signature scheme */ scheme = signature_scheme_from_oid(this->algorithm); - - if (scheme == SIGN_UNKNOWN || key == NULL) + if (scheme == SIGN_UNKNOWN) + { + return FALSE; + } + key = issuer->get_public_key(issuer); + if (!key) { return FALSE; } diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c index ff0f0231f..eb5b01986 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2008-2009 Martin Willi - * Copyright (C) 2007 Andreas Steffen + * Copyright (C) 2007-2014 Andreas Steffen * Hochschule fuer Technik Rapperswil * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen * @@ -265,6 +265,10 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, oid = OID_ECDSA_WITH_SHA1; scheme = SIGN_ECDSA_WITH_SHA1_DER; break; + case KEY_BLISS: + oid = OID_BLISS_WITH_SHA512; + scheme = SIGN_BLISS_WITH_SHA512; + break; default: DBG1(DBG_LIB, "unable to sign OCSP request, %N signature not " "supported", key_type_names, this->key->get_type(this->key)); diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index ad04c7dea..60133fc7f 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c @@ -1,6 +1,6 @@ /** * Copyright (C) 2008-2009 Martin Willi - * Copyright (C) 2007 Andreas Steffen + * Copyright (C) 2007-2014 Andreas Steffen * Hochschule fuer Technik Rapperswil * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen * @@ -537,7 +537,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this, parser->get_level(parser)+1, NULL); break; case BASIC_RESPONSE_SIGNATURE: - this->signature = object; + this->signature = chunk_skip(object, 1); break; case BASIC_RESPONSE_CERTIFICATE: { diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c index 024b4dba5..20561f7e2 100644 --- a/src/libstrongswan/plugins/x509/x509_pkcs10.c +++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c @@ -435,7 +435,7 @@ static bool parse_certificate_request(private_x509_pkcs10_t *this) this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL); break; case PKCS10_SIGNATURE: - this->signature = object; + this->signature = chunk_skip(object, 1); break; default: break; diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index ffcee547c..6c9901e6c 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c index 802c8a39f..d852a2932 100644 --- a/src/libstrongswan/plugins/xcbc/xcbc.c +++ b/src/libstrongswan/plugins/xcbc/xcbc.c @@ -219,6 +219,10 @@ METHOD(mac_t, set_key, bool, { chunk_t iv, k1, lengthened; + memset(this->e, 0, this->b); + this->remaining_bytes = 0; + this->zero = TRUE; + /* we support variable keys from RFC4434 */ if (key.len == this->b) { diff --git a/src/libstrongswan/processing/processor.h b/src/libstrongswan/processing/processor.h index f96530e54..ee08870fb 100644 --- a/src/libstrongswan/processing/processor.h +++ b/src/libstrongswan/processing/processor.h @@ -23,6 +23,8 @@ #ifndef PROCESSOR_H_ #define PROCESSOR_H_ +#include + typedef struct processor_t processor_t; #include diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c index 3f1598fc4..d90852561 100644 --- a/src/libstrongswan/processing/scheduler.c +++ b/src/libstrongswan/processing/scheduler.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -300,16 +300,26 @@ METHOD(scheduler_t, schedule_job_ms, void, schedule_job_tv(this, job, tv); } -METHOD(scheduler_t, destroy, void, +METHOD(scheduler_t, flush, void, private_scheduler_t *this) { event_t *event; - this->condvar->destroy(this->condvar); - this->mutex->destroy(this->mutex); + + this->mutex->lock(this->mutex); while ((event = remove_event(this)) != NULL) { event_destroy(event); } + this->condvar->signal(this->condvar); + this->mutex->unlock(this->mutex); +} + +METHOD(scheduler_t, destroy, void, + private_scheduler_t *this) +{ + flush(this); + this->condvar->destroy(this->condvar); + this->mutex->destroy(this->mutex); free(this->heap); free(this); } @@ -328,6 +338,7 @@ scheduler_t * scheduler_create() .schedule_job = _schedule_job, .schedule_job_ms = _schedule_job_ms, .schedule_job_tv = _schedule_job_tv, + .flush = _flush, .destroy = _destroy, }, .heap_size = HEAP_SIZE_DEFAULT, diff --git a/src/libstrongswan/processing/scheduler.h b/src/libstrongswan/processing/scheduler.h index abbf74e2c..7f91fcc59 100644 --- a/src/libstrongswan/processing/scheduler.h +++ b/src/libstrongswan/processing/scheduler.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009 Tobias Brunner + * Copyright (C) 2009-2015 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -114,6 +114,11 @@ struct scheduler_t { */ u_int (*get_job_load) (scheduler_t *this); + /** + * Remove all scheduled jobs. + */ + void (*flush)(scheduler_t *this); + /** * Destroys a scheduler object. */ diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c index d4de2a907..5b94208bf 100644 --- a/src/libstrongswan/processing/watcher.c +++ b/src/libstrongswan/processing/watcher.c @@ -24,9 +24,6 @@ #include #include -#ifndef WIN32 -#include -#endif #include typedef struct private_watcher_t private_watcher_t; @@ -121,11 +118,7 @@ static void update(private_watcher_t *this) this->pending = TRUE; if (this->notify[1] != -1) { -#ifdef WIN32 - if (send(this->notify[1], buf, sizeof(buf), 0) == -1) -#else if (write(this->notify[1], buf, sizeof(buf)) == -1) -#endif { DBG1(DBG_JOB, "notifying watcher failed: %s", strerror(errno)); } @@ -244,6 +237,43 @@ static void activate_all(private_watcher_t *this) this->mutex->unlock(this->mutex); } +/** + * Find flagged revents in a pollfd set by fd + */ +static int find_revents(struct pollfd *pfd, int count, int fd) +{ + int i; + + for (i = 0; i < count; i++) + { + if (pfd[i].fd == fd) + { + return pfd[i].revents; + } + } + return 0; +} + +/** + * Check if entry is waiting for a specific event, and if it got signaled + */ +static bool entry_ready(entry_t *entry, watcher_event_t event, int revents) +{ + if (entry->events & event) + { + switch (event) + { + case WATCHER_READ: + return (revents & (POLLIN | POLLHUP | POLLNVAL)) != 0; + case WATCHER_WRITE: + return (revents & (POLLOUT | POLLHUP | POLLNVAL)) != 0; + case WATCHER_EXCEPT: + return (revents & (POLLERR | POLLHUP | POLLNVAL)) != 0; + } + } + return FALSE; +} + /** * Dispatching function */ @@ -251,17 +281,14 @@ static job_requeue_t watch(private_watcher_t *this) { enumerator_t *enumerator; entry_t *entry; - fd_set rd, wr, ex; - int maxfd = 0, res; + struct pollfd *pfd; + int count = 0, res; bool rebuild = FALSE; - FD_ZERO(&rd); - FD_ZERO(&wr); - FD_ZERO(&ex); - this->mutex->lock(this->mutex); - if (this->fds->get_count(this->fds) == 0) + count = this->fds->get_count(this->fds); + if (count == 0) { this->state = WATCHER_STOPPED; this->mutex->unlock(this->mutex); @@ -272,33 +299,34 @@ static job_requeue_t watch(private_watcher_t *this) this->state = WATCHER_RUNNING; } - if (this->notify[0] != -1) - { - FD_SET(this->notify[0], &rd); - maxfd = this->notify[0]; - } + pfd = alloca(sizeof(*pfd) * (count + 1)); + pfd[0].fd = this->notify[0]; + pfd[0].events = POLLIN; + count = 1; enumerator = this->fds->create_enumerator(this->fds); while (enumerator->enumerate(enumerator, &entry)) { if (!entry->in_callback) { + pfd[count].fd = entry->fd; + pfd[count].events = 0; if (entry->events & WATCHER_READ) { DBG3(DBG_JOB, " watching %d for reading", entry->fd); - FD_SET(entry->fd, &rd); + pfd[count].events |= POLLIN; } if (entry->events & WATCHER_WRITE) { DBG3(DBG_JOB, " watching %d for writing", entry->fd); - FD_SET(entry->fd, &wr); + pfd[count].events |= POLLOUT; } if (entry->events & WATCHER_EXCEPT) { DBG3(DBG_JOB, " watching %d for exceptions", entry->fd); - FD_SET(entry->fd, &ex); + pfd[count].events |= POLLERR; } - maxfd = max(maxfd, entry->fd); + count++; } } enumerator->destroy(enumerator); @@ -306,30 +334,27 @@ static job_requeue_t watch(private_watcher_t *this) while (!rebuild) { + int revents; char buf[1]; bool old; ssize_t len; job_t *job; - DBG2(DBG_JOB, "watcher going to select()"); + DBG2(DBG_JOB, "watcher going to poll() %d fds", count); thread_cleanup_push((void*)activate_all, this); old = thread_cancelability(TRUE); - res = select(maxfd + 1, &rd, &wr, &ex, NULL); + res = poll(pfd, count, -1); thread_cancelability(old); thread_cleanup_pop(FALSE); if (res > 0) { - if (this->notify[0] != -1 && FD_ISSET(this->notify[0], &rd)) + if (pfd[0].revents & POLLIN) { while (TRUE) { -#ifdef WIN32 - len = recv(this->notify[0], buf, sizeof(buf), 0); -#else len = read(this->notify[0], buf, sizeof(buf)); -#endif if (len == -1) { if (errno != EAGAIN && errno != EWOULDBLOCK) @@ -354,21 +379,25 @@ static job_requeue_t watch(private_watcher_t *this) rebuild = TRUE; break; } - if (FD_ISSET(entry->fd, &rd) && (entry->events & WATCHER_READ)) - { - DBG2(DBG_JOB, "watched FD %d ready to read", entry->fd); - notify(this, entry, WATCHER_READ); - } - if (FD_ISSET(entry->fd, &wr) && (entry->events & WATCHER_WRITE)) - { - DBG2(DBG_JOB, "watched FD %d ready to write", entry->fd); - notify(this, entry, WATCHER_WRITE); - } - if (FD_ISSET(entry->fd, &ex) && (entry->events & WATCHER_EXCEPT)) + revents = find_revents(pfd, count, entry->fd); + if (entry_ready(entry, WATCHER_EXCEPT, revents)) { DBG2(DBG_JOB, "watched FD %d has exception", entry->fd); notify(this, entry, WATCHER_EXCEPT); } + else + { + if (entry_ready(entry, WATCHER_READ, revents)) + { + DBG2(DBG_JOB, "watched FD %d ready to read", entry->fd); + notify(this, entry, WATCHER_READ); + } + if (entry_ready(entry, WATCHER_WRITE, revents)) + { + DBG2(DBG_JOB, "watched FD %d ready to write", entry->fd); + notify(this, entry, WATCHER_WRITE); + } + } } enumerator->destroy(enumerator); this->mutex->unlock(this->mutex); @@ -388,7 +417,7 @@ static job_requeue_t watch(private_watcher_t *this) { if (!this->pending && errno != EINTR) { /* complain only if no pending updates */ - DBG1(DBG_JOB, "watcher select() error: %s", strerror(errno)); + DBG1(DBG_JOB, "watcher poll() error: %s", strerror(errno)); } return JOB_REQUEUE_DIRECT; } diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c index 94b77467a..3b7f8c5a0 100644 --- a/src/libstrongswan/selectors/traffic_selector.c +++ b/src/libstrongswan/selectors/traffic_selector.c @@ -449,41 +449,9 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*, } METHOD(traffic_selector_t, equals, bool, - private_traffic_selector_t *this, traffic_selector_t *other_public) + private_traffic_selector_t *this, traffic_selector_t *other) { - private_traffic_selector_t *other; - - other = (private_traffic_selector_t*)other_public; - if (this->type != other->type) - { - return FALSE; - } - if (!(this->from_port == other->from_port && - this->to_port == other->to_port && - this->protocol == other->protocol)) - { - return FALSE; - } - switch (this->type) - { - case TS_IPV4_ADDR_RANGE: - if (memeq(this->from4, other->from4, sizeof(this->from4)) && - memeq(this->to4, other->to4, sizeof(this->to4))) - { - return TRUE; - } - break; - case TS_IPV6_ADDR_RANGE: - if (memeq(this->from6, other->from6, sizeof(this->from6)) && - memeq(this->to6, other->to6, sizeof(this->to6))) - { - return TRUE; - } - break; - default: - break; - } - return FALSE; + return traffic_selector_cmp(&this->public, other, NULL) == 0; } METHOD(traffic_selector_t, get_from_address, chunk_t, @@ -717,12 +685,96 @@ METHOD(traffic_selector_t, clone_, traffic_selector_t*, } } +METHOD(traffic_selector_t, hash, u_int, + private_traffic_selector_t *this, u_int hash) +{ + return chunk_hash_inc(get_from_address(this), + chunk_hash_inc(get_to_address(this), + chunk_hash_inc(chunk_from_thing(this->from_port), + chunk_hash_inc(chunk_from_thing(this->to_port), + chunk_hash_inc(chunk_from_thing(this->protocol), + hash))))); +} + METHOD(traffic_selector_t, destroy, void, private_traffic_selector_t *this) { free(this); } +/** + * Compare two integers + */ +static int compare_int(int a, int b) +{ + return a - b; +} + +/* + * See header + */ +int traffic_selector_cmp(traffic_selector_t *a_pub, traffic_selector_t *b_pub, + void *opts) +{ + private_traffic_selector_t *a, *b; + int res; + + a = (private_traffic_selector_t*)a_pub; + b = (private_traffic_selector_t*)b_pub; + + /* IPv4 before IPv6 */ + res = compare_int(a->type, b->type); + if (res) + { + return res; + } + switch (a->type) + { + case TS_IPV4_ADDR_RANGE: + /* lower starting subnets first */ + res = memcmp(a->from4, b->from4, sizeof(a->from4)); + if (res) + { + return res; + } + /* larger subnets first */ + res = memcmp(b->to4, a->to4, sizeof(a->to4)); + if (res) + { + return res; + } + break; + case TS_IPV6_ADDR_RANGE: + res = memcmp(a->from6, b->from6, sizeof(a->from6)); + if (res) + { + return res; + } + res = memcmp(b->to6, a->to6, sizeof(a->to6)); + if (res) + { + return res; + } + break; + default: + return 1; + } + /* lower protocols first */ + res = compare_int(a->protocol, b->protocol); + if (res) + { + return res; + } + /* lower starting ports first */ + res = compare_int(a->from_port, b->from_port); + if (res) + { + return res; + } + /* larger port ranges first */ + return compare_int(b->to_port, a->to_port); +} + /* * see header */ @@ -933,6 +985,7 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, .set_address = _set_address, .to_subnet = _to_subnet, .clone = _clone_, + .hash = _hash, .destroy = _destroy, }, .from_port = from_port, diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h index ab6813acc..cf9a2861b 100644 --- a/src/libstrongswan/selectors/traffic_selector.h +++ b/src/libstrongswan/selectors/traffic_selector.h @@ -220,6 +220,14 @@ struct traffic_selector_t { */ bool (*to_subnet) (traffic_selector_t *this, host_t **net, u_int8_t *mask); + /** + * Create a hash value for the traffic selector. + * + * @param inc optional value for incremental hashing + * @return calculated hash value for the traffic selector + */ + u_int (*hash)(traffic_selector_t *this, u_int inc); + /** * Destroys the ts object */ @@ -248,6 +256,17 @@ static inline u_int8_t traffic_selector_icmp_code(u_int16_t port) return port & 0xff; } +/** + * Compare two traffic selectors, usable as sort function + * + * @param a first selector to compare + * @param b second selector to compare + * @param opts optional sort options, currently unused + * @return > 0 if a > b, 0 if a == b, < 0 if a < b + */ +int traffic_selector_cmp(traffic_selector_t *a, traffic_selector_t *b, + void *opts); + /** * Create a new traffic selector using human readable params. * diff --git a/src/libstrongswan/settings/settings_lexer.c b/src/libstrongswan/settings/settings_lexer.c index 76433012a..0d71a1d01 100644 --- a/src/libstrongswan/settings/settings_lexer.c +++ b/src/libstrongswan/settings/settings_lexer.c @@ -456,8 +456,8 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner ); yyg->yy_c_buf_p = yy_cp; /* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */ -#define YY_NUM_RULES 25 -#define YY_END_OF_BUFFER 26 +#define YY_NUM_RULES 26 +#define YY_END_OF_BUFFER 27 /* This struct is not used in this scanner, but its presence is necessary. */ struct yy_trans_info @@ -465,31 +465,32 @@ struct yy_trans_info flex_int32_t yy_verify; flex_int32_t yy_nxt; }; -static yyconst flex_int16_t yy_accept[50] = +static yyconst flex_int16_t yy_accept[52] = { 0, - 0, 0, 0, 0, 0, 0, 26, 9, 2, 3, + 0, 0, 0, 0, 0, 0, 27, 9, 2, 3, 8, 1, 6, 9, 4, 5, 14, 10, 11, 12, - 24, 16, 15, 17, 9, 2, 1, 1, 3, 9, - 14, 13, 24, 23, 21, 22, 18, 19, 20, 1, - 9, 9, 9, 9, 9, 0, 7, 7, 0 + 25, 16, 15, 17, 9, 2, 1, 1, 3, 9, + 14, 13, 25, 24, 23, 24, 21, 22, 18, 19, + 20, 1, 9, 9, 9, 9, 9, 0, 7, 7, + 0 } ; static yyconst flex_int32_t yy_ec[256] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 2, 3, + 1, 1, 4, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 5, 1, 6, 7, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 4, 1, 5, 6, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 7, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 8, 1, 1, 1, 1, 1, 9, 10, 11, + 1, 9, 1, 1, 1, 1, 1, 10, 11, 12, - 12, 13, 1, 1, 14, 1, 1, 15, 1, 16, - 1, 1, 1, 17, 1, 18, 19, 1, 1, 1, - 1, 1, 20, 1, 21, 1, 1, 1, 1, 1, + 13, 14, 1, 1, 15, 1, 1, 16, 1, 17, + 1, 1, 1, 18, 1, 19, 20, 1, 1, 1, + 1, 1, 21, 1, 22, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, @@ -506,88 +507,92 @@ static yyconst flex_int32_t yy_ec[256] = 1, 1, 1, 1, 1 } ; -static yyconst flex_int32_t yy_meta[22] = +static yyconst flex_int32_t yy_meta[23] = { 0, - 1, 2, 3, 4, 5, 4, 6, 7, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 8, - 4 + 1, 2, 3, 1, 4, 5, 4, 6, 7, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 8, 4 } ; -static yyconst flex_int16_t yy_base[60] = +static yyconst flex_int16_t yy_base[62] = { 0, - 0, 0, 20, 40, 24, 28, 63, 0, 33, 145, - 145, 57, 145, 43, 145, 145, 0, 145, 145, 0, - 0, 145, 145, 53, 0, 45, 0, 55, 145, 47, - 0, 145, 0, 145, 145, 145, 145, 145, 145, 0, - 41, 35, 23, 18, 36, 48, 145, 51, 145, 71, - 79, 87, 94, 102, 107, 112, 120, 128, 136 + 0, 0, 21, 42, 26, 28, 63, 0, 31, 155, + 155, 59, 155, 44, 155, 155, 0, 155, 155, 0, + 0, 155, 155, 62, 0, 48, 0, 57, 155, 47, + 0, 155, 0, 155, 155, 49, 155, 155, 155, 155, + 155, 0, 30, 21, 28, 12, 37, 52, 155, 54, + 155, 81, 89, 97, 104, 112, 117, 122, 130, 138, + 146 } ; -static yyconst flex_int16_t yy_def[60] = +static yyconst flex_int16_t yy_def[62] = { 0, - 49, 1, 50, 50, 51, 51, 49, 52, 49, 49, - 49, 53, 49, 52, 49, 49, 54, 49, 49, 55, - 56, 49, 49, 57, 52, 49, 58, 53, 49, 52, - 54, 49, 56, 49, 49, 49, 49, 49, 49, 58, - 52, 52, 52, 52, 52, 59, 49, 59, 0, 49, - 49, 49, 49, 49, 49, 49, 49, 49, 49 + 51, 1, 52, 52, 53, 53, 51, 54, 51, 51, + 51, 55, 51, 54, 51, 51, 56, 51, 51, 57, + 58, 51, 51, 59, 54, 51, 60, 55, 51, 54, + 56, 51, 58, 51, 51, 51, 51, 51, 51, 51, + 51, 60, 54, 54, 54, 54, 54, 61, 51, 61, + 0, 51, 51, 51, 51, 51, 51, 51, 51, 51, + 51 } ; -static yyconst flex_int16_t yy_nxt[167] = +static yyconst flex_int16_t yy_nxt[178] = { 0, - 8, 9, 10, 9, 11, 12, 13, 8, 8, 8, - 8, 8, 8, 14, 8, 8, 8, 8, 8, 15, - 16, 18, 18, 18, 19, 18, 22, 20, 23, 45, - 22, 24, 23, 44, 26, 24, 26, 46, 27, 46, - 18, 18, 18, 18, 19, 18, 26, 20, 26, 48, - 27, 48, 48, 43, 48, 42, 41, 29, 30, 29, - 18, 35, 49, 49, 49, 36, 49, 49, 37, 38, - 39, 17, 17, 17, 17, 17, 17, 17, 17, 21, - 21, 21, 21, 21, 21, 21, 21, 25, 49, 49, - 49, 49, 49, 25, 28, 28, 28, 28, 28, 28, - - 28, 28, 31, 49, 49, 49, 49, 31, 49, 31, - 32, 32, 33, 33, 49, 33, 49, 33, 49, 33, - 34, 34, 34, 34, 34, 34, 34, 34, 40, 40, - 49, 40, 40, 40, 40, 40, 47, 47, 47, 47, - 47, 49, 47, 47, 7, 49, 49, 49, 49, 49, - 49, 49, 49, 49, 49, 49, 49, 49, 49, 49, - 49, 49, 49, 49, 49, 49 + 8, 9, 10, 8, 9, 11, 12, 13, 8, 8, + 8, 8, 8, 8, 14, 8, 8, 8, 8, 8, + 15, 16, 18, 18, 47, 18, 19, 18, 22, 20, + 22, 23, 26, 23, 24, 26, 24, 27, 48, 46, + 45, 48, 18, 18, 18, 44, 18, 19, 18, 26, + 20, 35, 26, 50, 27, 50, 50, 43, 50, 29, + 30, 29, 51, 18, 35, 36, 51, 51, 51, 51, + 51, 37, 51, 51, 51, 38, 51, 51, 39, 40, + 41, 17, 17, 17, 17, 17, 17, 17, 17, 21, + 21, 21, 21, 21, 21, 21, 21, 25, 51, 51, + + 51, 51, 51, 25, 28, 28, 28, 28, 28, 28, + 28, 28, 31, 51, 51, 51, 51, 31, 51, 31, + 32, 32, 33, 33, 51, 33, 51, 33, 51, 33, + 34, 34, 34, 34, 34, 34, 34, 34, 42, 42, + 51, 42, 42, 42, 42, 42, 49, 49, 49, 49, + 49, 51, 49, 49, 7, 51, 51, 51, 51, 51, + 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, + 51, 51, 51, 51, 51, 51, 51 } ; -static yyconst flex_int16_t yy_chk[167] = +static yyconst flex_int16_t yy_chk[178] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 3, 3, 3, 3, 3, 5, 3, 5, 44, - 6, 5, 6, 43, 9, 6, 9, 45, 9, 45, - 3, 4, 4, 4, 4, 4, 26, 4, 26, 46, - 26, 46, 48, 42, 48, 41, 30, 28, 14, 12, - 4, 24, 7, 0, 0, 24, 0, 0, 24, 24, - 24, 50, 50, 50, 50, 50, 50, 50, 50, 51, - 51, 51, 51, 51, 51, 51, 51, 52, 0, 0, - 0, 0, 0, 52, 53, 53, 53, 53, 53, 53, - - 53, 53, 54, 0, 0, 0, 0, 54, 0, 54, - 55, 55, 56, 56, 0, 56, 0, 56, 0, 56, - 57, 57, 57, 57, 57, 57, 57, 57, 58, 58, - 0, 58, 58, 58, 58, 58, 59, 59, 59, 59, - 59, 0, 59, 59, 49, 49, 49, 49, 49, 49, - 49, 49, 49, 49, 49, 49, 49, 49, 49, 49, - 49, 49, 49, 49, 49, 49 + 1, 1, 3, 3, 46, 3, 3, 3, 5, 3, + 6, 5, 9, 6, 5, 9, 6, 9, 47, 45, + 44, 47, 3, 4, 4, 43, 4, 4, 4, 26, + 4, 36, 26, 48, 26, 50, 48, 30, 50, 28, + 14, 12, 7, 4, 24, 24, 0, 0, 0, 0, + 0, 24, 0, 0, 0, 24, 0, 0, 24, 24, + 24, 52, 52, 52, 52, 52, 52, 52, 52, 53, + 53, 53, 53, 53, 53, 53, 53, 54, 0, 0, + + 0, 0, 0, 54, 55, 55, 55, 55, 55, 55, + 55, 55, 56, 0, 0, 0, 0, 56, 0, 56, + 57, 57, 58, 58, 0, 58, 0, 58, 0, 58, + 59, 59, 59, 59, 59, 59, 59, 59, 60, 60, + 0, 60, 60, 60, 60, 60, 61, 61, 61, 61, + 61, 0, 61, 61, 51, 51, 51, 51, 51, 51, + 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, + 51, 51, 51, 51, 51, 51, 51 } ; /* Table of booleans, true if rule could match eol. */ -static yyconst flex_int32_t yy_rule_can_match_eol[26] = +static yyconst flex_int32_t yy_rule_can_match_eol[27] = { 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, - 0, 0, 0, 1, 0, 0, }; + 0, 0, 0, 1, 0, 0, 0, }; -static yyconst flex_int16_t yy_rule_linenum[25] = +static yyconst flex_int16_t yy_rule_linenum[26] = { 0, 59, 60, 61, 63, 64, 65, 67, 72, 77, 85, 105, 108, 111, 114, 120, 122, 123, 146, 147, 148, - 149, 150, 151, 154 + 149, 150, 151, 152, 153 } ; /* The intent behind this definition is that it'll catch @@ -635,7 +640,7 @@ static void include_files(parser_helper_t *ctx); /* state used to scan quoted strings */ -#line 639 "settings/settings_lexer.c" +#line 644 "settings/settings_lexer.c" #define INITIAL 0 #define inc 1 @@ -947,7 +952,7 @@ YY_DECL #line 57 "settings/settings_lexer.l" -#line 951 "settings/settings_lexer.c" +#line 956 "settings/settings_lexer.c" yylval = yylval_param; @@ -1012,13 +1017,13 @@ yy_match: while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 50 ) + if ( yy_current_state >= 52 ) yy_c = yy_meta[(unsigned int) yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; ++yy_cp; } - while ( yy_base[yy_current_state] != 145 ); + while ( yy_base[yy_current_state] != 155 ); yy_find_action: /* %% [10.0] code to find the action number goes here */ @@ -1053,13 +1058,13 @@ do_action: /* This label is used only to access EOF actions. */ { if ( yy_act == 0 ) fprintf( stderr, "--scanner backing up\n" ); - else if ( yy_act < 25 ) + else if ( yy_act < 26 ) fprintf( stderr, "--accepting rule at line %ld (\"%s\")\n", (long)yy_rule_linenum[yy_act], yytext ); - else if ( yy_act == 25 ) + else if ( yy_act == 26 ) fprintf( stderr, "--accepting default rule (\"%s\")\n", yytext ); - else if ( yy_act == 26 ) + else if ( yy_act == 27 ) fprintf( stderr, "--(end of buffer or a NUL)\n" ); else fprintf( stderr, "--EOF (start condition %d)\n", YY_START ); @@ -1251,20 +1256,23 @@ case 23: /* rule 23 can match eol */ YY_RULE_SETUP #line 151 "settings/settings_lexer.l" -{ - yyextra->string_add(yyextra, yytext+1); - } +/* merge lines that end with EOL characters */ YY_BREAK case 24: YY_RULE_SETUP -#line 154 "settings/settings_lexer.l" +#line 152 "settings/settings_lexer.l" +yyextra->string_add(yyextra, yytext+1); + YY_BREAK +case 25: +YY_RULE_SETUP +#line 153 "settings/settings_lexer.l" { yyextra->string_add(yyextra, yytext); } YY_BREAK case YY_STATE_EOF(INITIAL): -#line 159 "settings/settings_lexer.l" +#line 158 "settings/settings_lexer.l" { settings_parser_pop_buffer_state(yyscanner); if (!settings_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER) @@ -1273,12 +1281,12 @@ case YY_STATE_EOF(INITIAL): } } YY_BREAK -case 25: +case 26: YY_RULE_SETUP -#line 167 "settings/settings_lexer.l" +#line 166 "settings/settings_lexer.l" YY_FATAL_ERROR( "flex scanner jammed" ); YY_BREAK -#line 1282 "settings/settings_lexer.c" +#line 1290 "settings/settings_lexer.c" case YY_END_OF_BUFFER: { @@ -1591,7 +1599,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 50 ) + if ( yy_current_state >= 52 ) yy_c = yy_meta[(unsigned int) yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; @@ -1625,11 +1633,11 @@ static int yy_get_next_buffer (yyscan_t yyscanner) while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 50 ) + if ( yy_current_state >= 52 ) yy_c = yy_meta[(unsigned int) yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; - yy_is_jam = (yy_current_state == 49); + yy_is_jam = (yy_current_state == 51); return yy_is_jam ? 0 : yy_current_state; } @@ -2646,7 +2654,7 @@ void settings_parser_free (void * ptr , yyscan_t yyscanner) /* %ok-for-header */ -#line 167 "settings/settings_lexer.l" +#line 166 "settings/settings_lexer.l" diff --git a/src/libstrongswan/settings/settings_lexer.l b/src/libstrongswan/settings/settings_lexer.l index c6546f464..176387f1f 100644 --- a/src/libstrongswan/settings/settings_lexer.l +++ b/src/libstrongswan/settings/settings_lexer.l @@ -148,9 +148,8 @@ static void include_files(parser_helper_t *ctx); \\t yyextra->string_add(yyextra, "\t"); \\b yyextra->string_add(yyextra, "\b"); \\f yyextra->string_add(yyextra, "\f"); - \\(.|\n) { - yyextra->string_add(yyextra, yytext+1); - } + \\\r?\n /* merge lines that end with EOL characters */ + \\. yyextra->string_add(yyextra, yytext+1); [^\\\n"]+ { yyextra->string_add(yyextra, yytext); } diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am index 7ecba19da..8c081c673 100644 --- a/src/libstrongswan/tests/Makefile.am +++ b/src/libstrongswan/tests/Makefile.am @@ -29,6 +29,7 @@ tests_SOURCES = tests.h tests.c \ suites/test_enum.c \ suites/test_hashtable.c \ suites/test_identification.c \ + suites/test_traffic_selector.c \ suites/test_threading.c \ suites/test_process.c \ suites/test_watcher.c \ @@ -40,6 +41,8 @@ tests_SOURCES = tests.h tests.c \ suites/test_array.c \ suites/test_ecdsa.c \ suites/test_rsa.c \ + suites/test_certpolicy.c \ + suites/test_certnames.c \ suites/test_host.c \ suites/test_hasher.c \ suites/test_crypter.c \ @@ -49,6 +52,7 @@ tests_SOURCES = tests.h tests.c \ suites/test_asn1_parser.c \ suites/test_printf.c \ suites/test_test_rng.c \ + suites/test_mgf1.c \ suites/test_ntru.c tests_CFLAGS = \ diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in index 3268b5488..97e24bdb7 100644 --- a/src/libstrongswan/tests/Makefile.in +++ b/src/libstrongswan/tests/Makefile.in @@ -125,6 +125,7 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \ suites/tests-test_enum.$(OBJEXT) \ suites/tests-test_hashtable.$(OBJEXT) \ suites/tests-test_identification.$(OBJEXT) \ + suites/tests-test_traffic_selector.$(OBJEXT) \ suites/tests-test_threading.$(OBJEXT) \ suites/tests-test_process.$(OBJEXT) \ suites/tests-test_watcher.$(OBJEXT) \ @@ -136,6 +137,8 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \ suites/tests-test_array.$(OBJEXT) \ suites/tests-test_ecdsa.$(OBJEXT) \ suites/tests-test_rsa.$(OBJEXT) \ + suites/tests-test_certpolicy.$(OBJEXT) \ + suites/tests-test_certnames.$(OBJEXT) \ suites/tests-test_host.$(OBJEXT) \ suites/tests-test_hasher.$(OBJEXT) \ suites/tests-test_crypter.$(OBJEXT) \ @@ -145,6 +148,7 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \ suites/tests-test_asn1_parser.$(OBJEXT) \ suites/tests-test_printf.$(OBJEXT) \ suites/tests-test_test_rng.$(OBJEXT) \ + suites/tests-test_mgf1.$(OBJEXT) \ suites/tests-test_ntru.$(OBJEXT) tests_OBJECTS = $(am_tests_OBJECTS) tests_DEPENDENCIES = \ @@ -260,6 +264,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -320,10 +325,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -397,6 +404,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -480,6 +489,7 @@ tests_SOURCES = tests.h tests.c \ suites/test_enum.c \ suites/test_hashtable.c \ suites/test_identification.c \ + suites/test_traffic_selector.c \ suites/test_threading.c \ suites/test_process.c \ suites/test_watcher.c \ @@ -491,6 +501,8 @@ tests_SOURCES = tests.h tests.c \ suites/test_array.c \ suites/test_ecdsa.c \ suites/test_rsa.c \ + suites/test_certpolicy.c \ + suites/test_certnames.c \ suites/test_host.c \ suites/test_hasher.c \ suites/test_crypter.c \ @@ -500,6 +512,7 @@ tests_SOURCES = tests.h tests.c \ suites/test_asn1_parser.c \ suites/test_printf.c \ suites/test_test_rng.c \ + suites/test_mgf1.c \ suites/test_ntru.c tests_CFLAGS = \ @@ -603,6 +616,8 @@ suites/tests-test_hashtable.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_identification.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) +suites/tests-test_traffic_selector.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_threading.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_process.$(OBJEXT): suites/$(am__dirstamp) \ @@ -625,6 +640,10 @@ suites/tests-test_ecdsa.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_rsa.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) +suites/tests-test_certpolicy.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) +suites/tests-test_certnames.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_host.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_hasher.$(OBJEXT): suites/$(am__dirstamp) \ @@ -643,6 +662,8 @@ suites/tests-test_printf.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_test_rng.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) +suites/tests-test_mgf1.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_ntru.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) @@ -667,6 +688,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1_parser.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_reader.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_writer.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_certnames.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_certpolicy.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_chunk.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_crypter.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_crypto_factory.Po@am__quote@ @@ -680,6 +703,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_identification.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_mgf1.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_ntru.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_pen.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_printf.Po@am__quote@ @@ -689,6 +713,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_stream.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_test_rng.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_threading.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_traffic_selector.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_utils.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_vectors.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_watcher.Po@am__quote@ @@ -879,6 +904,20 @@ suites/tests-test_identification.obj: suites/test_identification.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi` +suites/tests-test_traffic_selector.o: suites/test_traffic_selector.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_traffic_selector.o -MD -MP -MF suites/$(DEPDIR)/tests-test_traffic_selector.Tpo -c -o suites/tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_traffic_selector.Tpo suites/$(DEPDIR)/tests-test_traffic_selector.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/tests-test_traffic_selector.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c + +suites/tests-test_traffic_selector.obj: suites/test_traffic_selector.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_traffic_selector.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_traffic_selector.Tpo -c -o suites/tests-test_traffic_selector.obj `if test -f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_traffic_selector.Tpo suites/$(DEPDIR)/tests-test_traffic_selector.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/tests-test_traffic_selector.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_traffic_selector.obj `if test -f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi` + suites/tests-test_threading.o: suites/test_threading.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_threading.o -MD -MP -MF suites/$(DEPDIR)/tests-test_threading.Tpo -c -o suites/tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_threading.Tpo suites/$(DEPDIR)/tests-test_threading.Po @@ -1033,6 +1072,34 @@ suites/tests-test_rsa.obj: suites/test_rsa.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi` +suites/tests-test_certpolicy.o: suites/test_certpolicy.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certpolicy.o -MD -MP -MF suites/$(DEPDIR)/tests-test_certpolicy.Tpo -c -o suites/tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certpolicy.Tpo suites/$(DEPDIR)/tests-test_certpolicy.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certpolicy.c' object='suites/tests-test_certpolicy.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c + +suites/tests-test_certpolicy.obj: suites/test_certpolicy.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certpolicy.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_certpolicy.Tpo -c -o suites/tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certpolicy.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certpolicy.Tpo suites/$(DEPDIR)/tests-test_certpolicy.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certpolicy.c' object='suites/tests-test_certpolicy.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certpolicy.c'; fi` + +suites/tests-test_certnames.o: suites/test_certnames.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certnames.o -MD -MP -MF suites/$(DEPDIR)/tests-test_certnames.Tpo -c -o suites/tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certnames.Tpo suites/$(DEPDIR)/tests-test_certnames.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certnames.c' object='suites/tests-test_certnames.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c + +suites/tests-test_certnames.obj: suites/test_certnames.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certnames.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_certnames.Tpo -c -o suites/tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certnames.Tpo suites/$(DEPDIR)/tests-test_certnames.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certnames.c' object='suites/tests-test_certnames.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi` + suites/tests-test_host.o: suites/test_host.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_host.o -MD -MP -MF suites/$(DEPDIR)/tests-test_host.Tpo -c -o suites/tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_host.Tpo suites/$(DEPDIR)/tests-test_host.Po @@ -1159,6 +1226,20 @@ suites/tests-test_test_rng.obj: suites/test_test_rng.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi` +suites/tests-test_mgf1.o: suites/test_mgf1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_mgf1.o -MD -MP -MF suites/$(DEPDIR)/tests-test_mgf1.Tpo -c -o suites/tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_mgf1.Tpo suites/$(DEPDIR)/tests-test_mgf1.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mgf1.c' object='suites/tests-test_mgf1.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c + +suites/tests-test_mgf1.obj: suites/test_mgf1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_mgf1.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_mgf1.Tpo -c -o suites/tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_mgf1.Tpo suites/$(DEPDIR)/tests-test_mgf1.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mgf1.c' object='suites/tests-test_mgf1.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi` + suites/tests-test_ntru.o: suites/test_ntru.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ntru.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ntru.Tpo -c -o suites/tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ntru.Tpo suites/$(DEPDIR)/tests-test_ntru.Po diff --git a/src/libstrongswan/tests/suites/test_certnames.c b/src/libstrongswan/tests/suites/test_certnames.c new file mode 100644 index 000000000..e30702864 --- /dev/null +++ b/src/libstrongswan/tests/suites/test_certnames.c @@ -0,0 +1,398 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include +#include +#include + +/** + * RSA private key, so we don't have to generate one + */ +static char keydata[] = { + 0x30,0x82,0x02,0x5e,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xb1,0x9b,0xd4,0x51,0x24, + 0xfc,0x56,0x1d,0x3d,0xfb,0xa2,0xea,0x37,0x02,0x70,0x72,0x87,0x84,0x2f,0x3b,0x2d, + 0x6e,0x22,0xef,0x3f,0x37,0x04,0xb2,0x6f,0xb7,0xe7,0xd8,0x58,0x05,0xde,0x34,0xbf, + 0x99,0xe6,0x40,0x7a,0x56,0xa7,0x73,0xf5,0x98,0xcb,0xb0,0x37,0x90,0x5e,0xd1,0x3f, + 0xf4,0x73,0x50,0x7f,0x53,0x8e,0xf1,0x04,0x25,0xb4,0x77,0x22,0x4e,0x8a,0x9d,0x27, + 0x8f,0x6f,0xaf,0x59,0xbd,0xb0,0x0f,0xf0,0xaa,0x11,0x94,0x66,0x16,0x10,0x58,0xad, + 0x77,0xa1,0xac,0x58,0xb4,0xd0,0x0d,0xbc,0x11,0xe0,0xc0,0xe9,0x29,0xdc,0x42,0x63, + 0x01,0x23,0x4f,0x28,0x41,0x6d,0x34,0x9e,0x0c,0x4a,0xc8,0x62,0x83,0xb5,0x71,0x71, + 0x0b,0x51,0xc0,0x4c,0x37,0xd4,0x68,0x19,0x52,0x9a,0x8b,0x02,0x03,0x01,0x00,0x01, + 0x02,0x81,0x81,0x00,0x82,0xca,0x33,0x16,0xb2,0x3a,0xd4,0x1b,0x62,0x9a,0x9c,0xc5, + 0x07,0x4f,0x57,0x89,0x2f,0x7c,0x4a,0xdf,0xb4,0x3b,0xc7,0xa4,0x11,0x14,0x2d,0xf4, + 0x4c,0xca,0xcc,0x03,0x88,0x06,0x82,0x34,0xab,0xe7,0xe4,0x24,0x15,0x33,0x1c,0xcb, + 0x0a,0xcf,0xc3,0x27,0x78,0x33,0x6b,0x6f,0x82,0x3e,0x3c,0x70,0xc9,0xe2,0xb9,0x7f, + 0x88,0xc3,0x4f,0x59,0xb5,0x8e,0xa3,0x81,0xd9,0x88,0x1f,0xc0,0x38,0xbc,0xc8,0x93, + 0x40,0x0f,0x43,0xd8,0x72,0x12,0xb4,0xcc,0x6d,0x76,0x0a,0x6f,0x01,0x05,0xa8,0x88, + 0xf4,0x57,0x44,0xd2,0x05,0xc4,0x77,0xf5,0xfb,0x1b,0xf3,0xb2,0x0d,0x90,0xb8,0xb4, + 0x63,0x62,0x70,0x2c,0xe4,0x28,0xd8,0x20,0x10,0x85,0x4a,0x5e,0x63,0xa9,0xb0,0xdd, + 0xba,0xd0,0x32,0x49,0x02,0x41,0x00,0xdb,0x77,0xf1,0xdd,0x1a,0x12,0xc5,0xfb,0x2b, + 0x5b,0xb2,0xcd,0xb6,0xd0,0x4c,0xc4,0xe5,0x93,0xd6,0xf8,0x88,0xfc,0x18,0x40,0x21, + 0x9c,0xf7,0x2d,0x60,0x6f,0x91,0xf5,0x73,0x3c,0xf7,0x7f,0x67,0x1d,0x5b,0xb5,0xee, + 0x29,0xc1,0xd4,0xc6,0xdb,0x44,0x4c,0x40,0x05,0x63,0xaa,0x71,0x95,0x18,0x14,0xa7, + 0x23,0x9f,0x7a,0xee,0x7f,0xb5,0xc7,0x02,0x41,0x00,0xcf,0x2c,0x24,0x50,0x65,0xf4, + 0x94,0x7b,0xe9,0xf3,0x13,0x77,0xea,0x27,0x3c,0x6f,0x03,0x84,0xa7,0x7d,0xa2,0x54, + 0x40,0x97,0x82,0x0e,0xd9,0x09,0x9f,0x4a,0xa6,0x75,0xe5,0x66,0xe4,0x9c,0x59,0xd9, + 0x3a,0xe6,0xf7,0xd8,0x8b,0x68,0xb0,0x21,0x52,0x31,0xb3,0x4a,0xa0,0x2c,0x41,0xd7, + 0x1f,0x7b,0xe2,0x0f,0x15,0xc9,0x6e,0xc0,0xe5,0x1d,0x02,0x41,0x00,0x9c,0x1a,0x61, + 0x9f,0x89,0xc7,0x26,0xa9,0x33,0xba,0xe2,0xa0,0x6d,0xd3,0x15,0x77,0xcb,0x6f,0xef, + 0xad,0x12,0x0a,0x75,0xd9,0x4f,0xcf,0x4d,0x05,0x2a,0x9d,0xd1,0x2c,0xcb,0xcd,0xe6, + 0xa0,0xe9,0x20,0x39,0xb6,0x5a,0xf3,0xba,0x99,0xf4,0xe3,0xcb,0x5d,0x8d,0x00,0x08, + 0x57,0x18,0xb9,0x1a,0xca,0xbd,0xe3,0x99,0xb1,0x1f,0xe9,0x18,0xcb,0x02,0x40,0x65, + 0x35,0x1b,0x48,0x6b,0x86,0x60,0x43,0x68,0xb6,0xe6,0xfb,0xdd,0xd7,0xed,0x1e,0x0e, + 0x89,0xef,0x88,0xe0,0x94,0x68,0x39,0x9b,0xbf,0xc5,0x27,0x7e,0x39,0xe9,0xb8,0x0e, + 0xa9,0x85,0x65,0x1c,0x3f,0x93,0x16,0xe2,0x5d,0x57,0x3d,0x7d,0x4d,0xc9,0xe9,0x9d, + 0xbd,0x07,0x22,0x97,0xc7,0x90,0x09,0xe5,0x15,0x99,0x7f,0x1e,0x2b,0xfd,0xc1,0x02, + 0x41,0x00,0x92,0x78,0xfe,0x04,0xa0,0x53,0xed,0x36,0x97,0xbd,0x16,0xce,0x91,0x9b, + 0xbe,0x1f,0x8e,0x40,0x00,0x99,0x0c,0x49,0x15,0xca,0x59,0xd3,0xe3,0xd4,0xeb,0x71, + 0xcf,0xda,0xd7,0xc8,0x99,0x74,0xfc,0x6b,0xe8,0xfd,0xe5,0xe0,0x49,0x61,0xcb,0xda, + 0xe3,0xe7,0x8b,0x72,0xb5,0x69,0x73,0x2b,0x8b,0x54,0xcb,0xd9,0x48,0x6d,0x61,0x02, + 0x49,0xe8, +}; + +/** + * Issue a certificate with permitted/excluded name constraints + */ +static certificate_t* create_cert(certificate_t *ca, char *subject, char *san, + x509_flag_t flags, identification_t *permitted, + identification_t *excluded) +{ + private_key_t *privkey; + public_key_t *pubkey; + certificate_t *cert; + identification_t *id; + linked_list_t *plist, *elist, *sans; + + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + BUILD_BLOB_ASN1_DER, chunk_from_thing(keydata), + BUILD_END); + ck_assert(privkey); + pubkey = privkey->get_public_key(privkey); + ck_assert(pubkey); + plist = linked_list_create(); + if (permitted) + { + plist->insert_last(plist, permitted); + } + elist = linked_list_create(); + if (excluded) + { + elist->insert_last(elist, excluded); + } + sans = linked_list_create(); + if (san) + { + id = identification_create_from_string(san); + sans->insert_last(sans, id); + } + id = identification_create_from_string(subject); + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_SIGNING_KEY, privkey, + BUILD_PUBLIC_KEY, pubkey, + BUILD_SUBJECT, id, + BUILD_X509_FLAG, flags, + BUILD_SIGNING_CERT, ca, + BUILD_SUBJECT_ALTNAMES, sans, + BUILD_PERMITTED_NAME_CONSTRAINTS, plist, + BUILD_EXCLUDED_NAME_CONSTRAINTS, elist, + BUILD_END); + ck_assert(cert); + id->destroy(id); + sans->destroy_offset(sans, offsetof(identification_t, destroy)); + plist->destroy_offset(plist, offsetof(identification_t, destroy)); + elist->destroy_offset(elist, offsetof(identification_t, destroy)); + privkey->destroy(privkey); + pubkey->destroy(pubkey); + + return cert; +} + +/** + * Check if a certificate with given subject has a valid trustchain + */ +static bool check_trust(identification_t *subject) +{ + enumerator_t *certs; + certificate_t *cert; + bool trusted; + + certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, + subject, FALSE); + trusted = certs->enumerate(certs, &cert, NULL); + certs->destroy(certs); + + return trusted; +} + +static mem_cred_t *creds; + +START_SETUP(setup) +{ + creds = mem_cred_create(); + lib->credmgr->add_set(lib->credmgr, &creds->set); +} +END_SETUP + +START_TEARDOWN(teardown) +{ + lib->credmgr->remove_set(lib->credmgr, &creds->set); + creds->destroy(creds); + lib->credmgr->flush_cache(lib->credmgr, CERT_ANY); +} +END_TEARDOWN + +static struct { + char *constraint; + char *subject; + bool good; +} permitted_dn[] = { + { "C=CH, O=strongSwan", "C=CH, O=strongSwan, CN=tester", TRUE }, + { "C=CH, O=strongSwan", "C=CH, O=strong", FALSE }, + { "C=CH, O=strongSwan", "C=CH, O=strong, CN=tester", FALSE }, + { "C=CH, O=strongSwan", "C=CH, O=another, CN=tester", FALSE }, + { "C=CH, O=strongSwan", "C=CH, CN=tester, O=strongSwan", FALSE }, +}; + +START_TEST(test_permitted_dn) +{ + certificate_t *ca, *im, *sj; + identification_t *id; + + id = identification_create_from_string(permitted_dn[_i].constraint); + ca = create_cert(NULL, "C=CH, O=strongSwan, CN=CA", NULL, X509_CA, id, NULL); + id = identification_create_from_string(permitted_dn[_i].constraint); + im = create_cert(ca, "C=CH, O=strongSwan, CN=IM", NULL, X509_CA, id, NULL); + sj = create_cert(im, permitted_dn[_i].subject, NULL, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_trust(sj->get_subject(sj)) == permitted_dn[_i].good); +} +END_TEST + +static struct { + id_type_t ctype; + char *cdata; + char *subject; + bool good; +} permitted_san[] = { + { ID_FQDN, ".strongswan.org", "test.strongswan.org", TRUE }, + { ID_FQDN, "strongswan.org", "test.strongswan.org", TRUE }, + { ID_FQDN, "a.b.c.strongswan.org", "d.a.b.c.strongswan.org", TRUE }, + { ID_FQDN, "a.b.c.strongswan.org", "a.b.c.d.strongswan.org", FALSE }, + { ID_FQDN, "strongswan.org", "strongswan.org.com", FALSE }, + { ID_FQDN, ".strongswan.org", "strongswan.org", FALSE }, + { ID_FQDN, "strongswan.org", "nostrongswan.org", FALSE }, + { ID_FQDN, "strongswan.org", "swan.org", FALSE }, + { ID_FQDN, "strongswan.org", "swan.org", FALSE }, + { ID_RFC822_ADDR, "tester@strongswan.org", "tester@strongswan.org", TRUE }, + { ID_RFC822_ADDR, "tester@strongswan.org", "atester@strongswan.org", FALSE }, + { ID_RFC822_ADDR, "strongswan.org", "tester@strongswan.org", TRUE }, + { ID_RFC822_ADDR, "strongswan.org", "tester@test.strongswan.org", FALSE }, + { ID_RFC822_ADDR, ".strongswan.org", "tester@test.strongswan.org", TRUE }, + { ID_RFC822_ADDR, ".strongswan.org", "tester@strongswan.org", FALSE }, +}; + +START_TEST(test_permitted_san) +{ + certificate_t *ca, *sj; + identification_t *id; + + id = identification_create_from_encoding(permitted_san[_i].ctype, + chunk_from_str(permitted_san[_i].cdata)); + ca = create_cert(NULL, "CN=CA", NULL, X509_CA, id, NULL); + sj = create_cert(ca, "CN=SJ", permitted_san[_i].subject, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_trust(sj->get_subject(sj)) == permitted_san[_i].good); +} +END_TEST + +static struct { + char *constraint; + char *subject; + bool good; +} excluded_dn[] = { + { "C=CH, O=another", "C=CH, O=strongSwan, CN=tester", TRUE }, + { "C=CH, O=another", "C=CH, O=anot", TRUE }, + { "C=CH, O=another", "C=CH, O=anot, CN=tester", TRUE }, + { "C=CH, O=another", "C=CH, O=another, CN=tester", FALSE }, + { "C=CH, O=another", "C=CH, CN=tester, O=another", TRUE }, +}; + +START_TEST(test_excluded_dn) +{ + certificate_t *ca, *im, *sj; + identification_t *id; + + id = identification_create_from_string(excluded_dn[_i].constraint); + ca = create_cert(NULL, "C=CH, O=strongSwan, CN=CA", NULL, X509_CA, NULL, id); + id = identification_create_from_string(excluded_dn[_i].constraint); + im = create_cert(ca, "C=CH, O=strongSwan, CN=IM", NULL, X509_CA, NULL, id); + sj = create_cert(im, excluded_dn[_i].subject, NULL, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_trust(sj->get_subject(sj)) == excluded_dn[_i].good); +} +END_TEST + +static struct { + id_type_t ctype; + char *cdata; + char *subject; + bool good; +} excluded_san[] = { + { ID_FQDN, ".strongswan.org", "test.strongswan.org", FALSE }, + { ID_FQDN, "strongswan.org", "test.strongswan.org", FALSE }, + { ID_FQDN, "a.b.c.strongswan.org", "d.a.b.c.strongswan.org", FALSE }, + { ID_FQDN, "a.b.c.strongswan.org", "a.b.c.d.strongswan.org", TRUE }, + { ID_FQDN, "strongswan.org", "strongswan.org.com", TRUE }, + { ID_FQDN, ".strongswan.org", "strongswan.org", TRUE }, + { ID_FQDN, "strongswan.org", "nostrongswan.org", TRUE }, + { ID_FQDN, "strongswan.org", "swan.org", TRUE }, + { ID_FQDN, "strongswan.org", "swan.org", TRUE }, + { ID_RFC822_ADDR, "tester@strongswan.org", "tester@strongswan.org", FALSE }, + { ID_RFC822_ADDR, "tester@strongswan.org", "atester@strongswan.org", TRUE }, + { ID_RFC822_ADDR, "strongswan.org", "tester@strongswan.org", FALSE }, + { ID_RFC822_ADDR, "strongswan.org", "tester@test.strongswan.org", TRUE }, + { ID_RFC822_ADDR, ".strongswan.org", "tester@test.strongswan.org", FALSE }, + { ID_RFC822_ADDR, ".strongswan.org", "tester@strongswan.org", TRUE }, +}; + +START_TEST(test_excluded_san) +{ + certificate_t *ca, *sj; + identification_t *id; + + id = identification_create_from_encoding(excluded_san[_i].ctype, + chunk_from_str(excluded_san[_i].cdata)); + ca = create_cert(NULL, "CN=CA", NULL, X509_CA, NULL, id); + sj = create_cert(ca, "CN=SJ", excluded_san[_i].subject, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_trust(sj->get_subject(sj)) == excluded_san[_i].good); +} +END_TEST + +static struct { + char *caconst; + char *imconst; + char *subject; + bool good; +} permitted_dninh[] = { + { "C=CH", "C=CH, O=strongSwan", "C=CH, O=strongSwan, CN=tester", TRUE }, + { "C=CH", "C=DE, O=strongSwan", "C=CH, O=strongSwan, CN=tester", FALSE }, + { "C=CH, O=strongSwan", "C=CH", "C=CH", FALSE }, +}; + +START_TEST(test_permitted_dninh) +{ + certificate_t *ca, *im, *sj; + identification_t *id; + + id = identification_create_from_string(permitted_dninh[_i].caconst); + ca = create_cert(NULL, "C=CH, O=strongSwan, CN=CA", NULL, X509_CA, id, NULL); + id = identification_create_from_string(permitted_dninh[_i].imconst); + im = create_cert(ca, "C=CH, O=strongSwan, CN=IM", NULL, X509_CA, id, NULL); + sj = create_cert(im, permitted_dninh[_i].subject, NULL, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_trust(sj->get_subject(sj)) == permitted_dninh[_i].good); +} +END_TEST + +static struct { + char *caconst; + char *imconst; + char *subject; + bool good; +} excluded_dninh[] = { + { "C=CH, O=strongSwan", "C=CH", "C=DE", TRUE }, + { "C=CH, O=strongSwan", "C=DE", "C=CH", FALSE }, + { "C=CH", "C=CH, O=strongSwan", "C=CH, O=strongSwan, CN=tester", FALSE }, +}; + +START_TEST(test_excluded_dninh) +{ + certificate_t *ca, *im, *sj; + identification_t *id; + + id = identification_create_from_string(excluded_dninh[_i].caconst); + ca = create_cert(NULL, "C=CH, O=strongSwan, CN=CA", NULL, X509_CA, NULL, id); + id = identification_create_from_string(excluded_dninh[_i].imconst); + im = create_cert(ca, "C=DE, CN=IM", NULL, X509_CA, NULL, id); + sj = create_cert(im, excluded_dninh[_i].subject, NULL, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_trust(sj->get_subject(sj)) == excluded_dninh[_i].good); +} +END_TEST + +Suite *certnames_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("certnames"); + + tc = tcase_create("permitted DN name constraints"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_loop_test(tc, test_permitted_dn, 0, countof(permitted_dn)); + suite_add_tcase(s, tc); + + tc = tcase_create("permitted subjectAltName constraints"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_loop_test(tc, test_permitted_san, 0, countof(permitted_san)); + suite_add_tcase(s, tc); + + tc = tcase_create("excluded DN constraints"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_loop_test(tc, test_excluded_dn, 0, countof(excluded_dn)); + suite_add_tcase(s, tc); + + tc = tcase_create("excluded subjectAltName constraints"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_loop_test(tc, test_excluded_san, 0, countof(excluded_san)); + suite_add_tcase(s, tc); + + tc = tcase_create("permitted DN name constraint inherit"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_loop_test(tc, test_permitted_dninh, 0, countof(permitted_dninh)); + suite_add_tcase(s, tc); + + tc = tcase_create("excluded DN name constraint inherit"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_loop_test(tc, test_excluded_dninh, 0, countof(excluded_dninh)); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/tests/suites/test_certpolicy.c b/src/libstrongswan/tests/suites/test_certpolicy.c new file mode 100644 index 000000000..7501e1a8b --- /dev/null +++ b/src/libstrongswan/tests/suites/test_certpolicy.c @@ -0,0 +1,637 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include +#include +#include + +/** + * RSA private key, so we don't have to generate one + */ +static char keydata[] = { + 0x30,0x82,0x02,0x5e,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xb1,0x9b,0xd4,0x51,0x24, + 0xfc,0x56,0x1d,0x3d,0xfb,0xa2,0xea,0x37,0x02,0x70,0x72,0x87,0x84,0x2f,0x3b,0x2d, + 0x6e,0x22,0xef,0x3f,0x37,0x04,0xb2,0x6f,0xb7,0xe7,0xd8,0x58,0x05,0xde,0x34,0xbf, + 0x99,0xe6,0x40,0x7a,0x56,0xa7,0x73,0xf5,0x98,0xcb,0xb0,0x37,0x90,0x5e,0xd1,0x3f, + 0xf4,0x73,0x50,0x7f,0x53,0x8e,0xf1,0x04,0x25,0xb4,0x77,0x22,0x4e,0x8a,0x9d,0x27, + 0x8f,0x6f,0xaf,0x59,0xbd,0xb0,0x0f,0xf0,0xaa,0x11,0x94,0x66,0x16,0x10,0x58,0xad, + 0x77,0xa1,0xac,0x58,0xb4,0xd0,0x0d,0xbc,0x11,0xe0,0xc0,0xe9,0x29,0xdc,0x42,0x63, + 0x01,0x23,0x4f,0x28,0x41,0x6d,0x34,0x9e,0x0c,0x4a,0xc8,0x62,0x83,0xb5,0x71,0x71, + 0x0b,0x51,0xc0,0x4c,0x37,0xd4,0x68,0x19,0x52,0x9a,0x8b,0x02,0x03,0x01,0x00,0x01, + 0x02,0x81,0x81,0x00,0x82,0xca,0x33,0x16,0xb2,0x3a,0xd4,0x1b,0x62,0x9a,0x9c,0xc5, + 0x07,0x4f,0x57,0x89,0x2f,0x7c,0x4a,0xdf,0xb4,0x3b,0xc7,0xa4,0x11,0x14,0x2d,0xf4, + 0x4c,0xca,0xcc,0x03,0x88,0x06,0x82,0x34,0xab,0xe7,0xe4,0x24,0x15,0x33,0x1c,0xcb, + 0x0a,0xcf,0xc3,0x27,0x78,0x33,0x6b,0x6f,0x82,0x3e,0x3c,0x70,0xc9,0xe2,0xb9,0x7f, + 0x88,0xc3,0x4f,0x59,0xb5,0x8e,0xa3,0x81,0xd9,0x88,0x1f,0xc0,0x38,0xbc,0xc8,0x93, + 0x40,0x0f,0x43,0xd8,0x72,0x12,0xb4,0xcc,0x6d,0x76,0x0a,0x6f,0x01,0x05,0xa8,0x88, + 0xf4,0x57,0x44,0xd2,0x05,0xc4,0x77,0xf5,0xfb,0x1b,0xf3,0xb2,0x0d,0x90,0xb8,0xb4, + 0x63,0x62,0x70,0x2c,0xe4,0x28,0xd8,0x20,0x10,0x85,0x4a,0x5e,0x63,0xa9,0xb0,0xdd, + 0xba,0xd0,0x32,0x49,0x02,0x41,0x00,0xdb,0x77,0xf1,0xdd,0x1a,0x12,0xc5,0xfb,0x2b, + 0x5b,0xb2,0xcd,0xb6,0xd0,0x4c,0xc4,0xe5,0x93,0xd6,0xf8,0x88,0xfc,0x18,0x40,0x21, + 0x9c,0xf7,0x2d,0x60,0x6f,0x91,0xf5,0x73,0x3c,0xf7,0x7f,0x67,0x1d,0x5b,0xb5,0xee, + 0x29,0xc1,0xd4,0xc6,0xdb,0x44,0x4c,0x40,0x05,0x63,0xaa,0x71,0x95,0x18,0x14,0xa7, + 0x23,0x9f,0x7a,0xee,0x7f,0xb5,0xc7,0x02,0x41,0x00,0xcf,0x2c,0x24,0x50,0x65,0xf4, + 0x94,0x7b,0xe9,0xf3,0x13,0x77,0xea,0x27,0x3c,0x6f,0x03,0x84,0xa7,0x7d,0xa2,0x54, + 0x40,0x97,0x82,0x0e,0xd9,0x09,0x9f,0x4a,0xa6,0x75,0xe5,0x66,0xe4,0x9c,0x59,0xd9, + 0x3a,0xe6,0xf7,0xd8,0x8b,0x68,0xb0,0x21,0x52,0x31,0xb3,0x4a,0xa0,0x2c,0x41,0xd7, + 0x1f,0x7b,0xe2,0x0f,0x15,0xc9,0x6e,0xc0,0xe5,0x1d,0x02,0x41,0x00,0x9c,0x1a,0x61, + 0x9f,0x89,0xc7,0x26,0xa9,0x33,0xba,0xe2,0xa0,0x6d,0xd3,0x15,0x77,0xcb,0x6f,0xef, + 0xad,0x12,0x0a,0x75,0xd9,0x4f,0xcf,0x4d,0x05,0x2a,0x9d,0xd1,0x2c,0xcb,0xcd,0xe6, + 0xa0,0xe9,0x20,0x39,0xb6,0x5a,0xf3,0xba,0x99,0xf4,0xe3,0xcb,0x5d,0x8d,0x00,0x08, + 0x57,0x18,0xb9,0x1a,0xca,0xbd,0xe3,0x99,0xb1,0x1f,0xe9,0x18,0xcb,0x02,0x40,0x65, + 0x35,0x1b,0x48,0x6b,0x86,0x60,0x43,0x68,0xb6,0xe6,0xfb,0xdd,0xd7,0xed,0x1e,0x0e, + 0x89,0xef,0x88,0xe0,0x94,0x68,0x39,0x9b,0xbf,0xc5,0x27,0x7e,0x39,0xe9,0xb8,0x0e, + 0xa9,0x85,0x65,0x1c,0x3f,0x93,0x16,0xe2,0x5d,0x57,0x3d,0x7d,0x4d,0xc9,0xe9,0x9d, + 0xbd,0x07,0x22,0x97,0xc7,0x90,0x09,0xe5,0x15,0x99,0x7f,0x1e,0x2b,0xfd,0xc1,0x02, + 0x41,0x00,0x92,0x78,0xfe,0x04,0xa0,0x53,0xed,0x36,0x97,0xbd,0x16,0xce,0x91,0x9b, + 0xbe,0x1f,0x8e,0x40,0x00,0x99,0x0c,0x49,0x15,0xca,0x59,0xd3,0xe3,0xd4,0xeb,0x71, + 0xcf,0xda,0xd7,0xc8,0x99,0x74,0xfc,0x6b,0xe8,0xfd,0xe5,0xe0,0x49,0x61,0xcb,0xda, + 0xe3,0xe7,0x8b,0x72,0xb5,0x69,0x73,0x2b,0x8b,0x54,0xcb,0xd9,0x48,0x6d,0x61,0x02, + 0x49,0xe8, +}; + +/** + * Issue a certificate fr given policy, including extended flags + */ +static certificate_t* create_cert_ext(certificate_t *ca, char *subject, + char *oid, x509_flag_t flags, + char *map_s, char *map_i, + u_int require_explicit, + u_int inhibit_mapping, + u_int inhibit_any) +{ + private_key_t *privkey; + public_key_t *pubkey; + certificate_t *cert; + identification_t *id; + linked_list_t *policies, *maps; + x509_cert_policy_t policy = {}; + x509_policy_mapping_t map = {}; + + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + BUILD_BLOB_ASN1_DER, chunk_from_thing(keydata), + BUILD_END); + ck_assert(privkey); + pubkey = privkey->get_public_key(privkey); + ck_assert(pubkey); + policies = linked_list_create(); + if (oid) + { + policy.oid = asn1_oid_from_string(oid); + ck_assert(policy.oid.ptr); + policies->insert_last(policies, &policy); + } + maps = linked_list_create(); + if (map_s && map_i) + { + map.subject = asn1_oid_from_string(map_s); + ck_assert(map.subject.ptr); + map.issuer = asn1_oid_from_string(map_i); + ck_assert(map.issuer.ptr); + maps->insert_last(maps, &map); + } + id = identification_create_from_string(subject); + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_SIGNING_KEY, privkey, + BUILD_PUBLIC_KEY, pubkey, + BUILD_SUBJECT, id, + BUILD_X509_FLAG, flags, + BUILD_CERTIFICATE_POLICIES, policies, + BUILD_POLICY_MAPPINGS, maps, + BUILD_SIGNING_CERT, ca, + BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit, + BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping, + BUILD_POLICY_INHIBIT_ANY, inhibit_any, + BUILD_END); + ck_assert(cert); + id->destroy(id); + policies->destroy(policies); + maps->destroy(maps); + privkey->destroy(privkey); + pubkey->destroy(pubkey); + free(policy.oid.ptr); + free(map.subject.ptr); + free(map.issuer.ptr); + + return cert; +} + +/** + * Issue a certificate with given certificate policy and flags + */ +static certificate_t* create_cert(certificate_t *ca, char *subject, + char *oid, x509_flag_t flags, + char *map_s, char *map_i) +{ + return create_cert_ext(ca, subject, oid, flags, map_s, map_i, + X509_NO_CONSTRAINT, X509_NO_CONSTRAINT, + X509_NO_CONSTRAINT); +} + +/** + * Check if a certificate with given subject has an oid + */ +static bool check_oid(identification_t *subject, char *oid) +{ + enumerator_t *certs, *auths; + certificate_t *cert; + auth_cfg_t *auth; + bool found = FALSE; + auth_rule_t type; + char *current; + + certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, + subject, FALSE); + if (!certs->enumerate(certs, &cert, &auth)) + { + certs->destroy(certs); + ck_assert_msg(FALSE, "no trusted certificate found for %Y", subject); + } + auths = auth->create_enumerator(auth); + while (auths->enumerate(auths, &type, ¤t)) + { + if (type == AUTH_RULE_CERT_POLICY) + { + if (streq(current, oid)) + { + found = TRUE; + break; + } + } + } + auths->destroy(auths); + certs->destroy(certs); + + return found; +} + +/** + * Check if a certificate with given subject has a valid trustchain + */ +static bool check_trust(identification_t *subject) +{ + enumerator_t *certs; + certificate_t *cert; + bool trusted; + + certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, + subject, FALSE); + trusted = certs->enumerate(certs, &cert, NULL); + certs->destroy(certs); + + return trusted; +} + +static mem_cred_t *creds; + +static char *anyPolicy = "2.5.29.32.0"; +static char *extended = "2.23.140.1.1"; +static char *baseline = "2.23.140.1.2"; + +START_SETUP(setup) +{ + creds = mem_cred_create(); + lib->credmgr->add_set(lib->credmgr, &creds->set); +} +END_SETUP + +START_TEARDOWN(teardown) +{ + lib->credmgr->remove_set(lib->credmgr, &creds->set); + creds->destroy(creds); + lib->credmgr->flush_cache(lib->credmgr, CERT_ANY); +} +END_TEARDOWN + +START_TEST(test_valid_fixed) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL); + sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_valid_any1) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL); + sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_valid_any2) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL); + sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_invalid_missing) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL); + sj = create_cert(im, "CN=SJ", NULL, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(!check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_invalid_wrong) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL); + sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(!check_oid(sj->get_subject(sj), extended)); +} +END_TEST + +START_TEST(test_invalid_any1) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL); + sj = create_cert(im, "CN=SJ", NULL, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(!check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_invalid_any2) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL); + sj = create_cert(im, "CN=SJ", anyPolicy, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(!check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_badchain_wrong) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", extended, X509_CA, NULL, NULL); + sj = create_cert(im, "CN=SJ", extended, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(!check_oid(sj->get_subject(sj), baseline)); + ck_assert(!check_oid(sj->get_subject(sj), extended)); +} +END_TEST + +START_TEST(test_badchain_gap) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", NULL, X509_CA, NULL, NULL); + sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(!check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_badchain_any) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL); + sj = create_cert(im, "CN=SJ", extended, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(!check_oid(sj->get_subject(sj), extended)); +} +END_TEST + +START_TEST(test_valid_mapping) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended); + sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_valid_mapping_twice) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", "2.23.140.1.3", X509_CA, + extended, "2.23.140.1.3"); + im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended); + sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_invalid_mapping_loop) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, baseline); + sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(!check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_invalid_mapping_notallowed) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended); + sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(!check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_invalid_mapping_nopolicy) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL); + im = create_cert(ca, "CN=IM", "2.23.140.1.3", X509_CA, baseline, extended); + sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(!check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_inhibit_mapping_good) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA, NULL, NULL, + X509_NO_CONSTRAINT, 1, X509_NO_CONSTRAINT); + im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended); + sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_inhibit_mapping_bad) +{ + certificate_t *ca, *i1, *i2, *sj; + + ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA, NULL, NULL, + X509_NO_CONSTRAINT, 1, X509_NO_CONSTRAINT); + i1 = create_cert(ca, "CN=IM1", extended, X509_CA, NULL, NULL); + i2 = create_cert(i1, "CN=IM2", extended, X509_CA, baseline, extended); + sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, i1); + creds->add_cert(creds, FALSE, i2); + creds->add_cert(creds, FALSE, sj); + + /* TODO: we currently reject the certificate completely, but should + * actually just invalidate the policy not mapped properly */ + ck_assert(!check_trust(sj->get_subject(sj))); +} +END_TEST + +START_TEST(test_inhibit_any_good) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL, + X509_NO_CONSTRAINT, X509_NO_CONSTRAINT, 1); + im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL); + sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_inhibit_any_bad) +{ + certificate_t *ca, *i1, *i2, *sj; + + ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL, + X509_NO_CONSTRAINT, X509_NO_CONSTRAINT, 1); + i1 = create_cert(ca, "CN=IM1", anyPolicy, X509_CA, NULL, NULL); + i2 = create_cert(i1, "CN=IM2", anyPolicy, X509_CA, NULL, NULL); + sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, i1); + creds->add_cert(creds, FALSE, i2); + creds->add_cert(creds, FALSE, sj); + + /* TODO: we currently reject the certificate completely, but should + * actually just invalidate the policy relying on inhibited anyPolicy */ + ck_assert(!check_trust(sj->get_subject(sj))); +} +END_TEST + +START_TEST(test_require_explicit_good) +{ + certificate_t *ca, *im, *sj; + + ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL, + 1, X509_NO_CONSTRAINT, X509_NO_CONSTRAINT); + im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL); + sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, im); + creds->add_cert(creds, FALSE, sj); + + ck_assert(check_oid(sj->get_subject(sj), baseline)); +} +END_TEST + +START_TEST(test_require_explicit_bad) +{ + certificate_t *ca, *i1, *i2, *sj; + + ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL, + 1, X509_NO_CONSTRAINT, X509_NO_CONSTRAINT); + i1 = create_cert(ca, "CN=IM1", extended, X509_CA, NULL, NULL); + i2 = create_cert(i1, "CN=IM2", extended, X509_CA, NULL, NULL); + sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL); + + creds->add_cert(creds, TRUE, ca); + creds->add_cert(creds, FALSE, i1); + creds->add_cert(creds, FALSE, i2); + creds->add_cert(creds, FALSE, sj); + + /* TODO: we currently reject the certificate completely, but should + * actually just invalidate the policy violating requireExplicit */ + ck_assert(!check_trust(sj->get_subject(sj))); +} +END_TEST + +Suite *certpolicy_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("certpolicy"); + + tc = tcase_create("policy valid"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_test(tc, test_valid_fixed); + tcase_add_test(tc, test_valid_any1); + tcase_add_test(tc, test_valid_any2); + suite_add_tcase(s, tc); + + tc = tcase_create("policy invalid"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_test(tc, test_invalid_missing); + tcase_add_test(tc, test_invalid_wrong); + tcase_add_test(tc, test_invalid_any1); + tcase_add_test(tc, test_invalid_any2); + suite_add_tcase(s, tc); + + tc = tcase_create("policy badchain"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_test(tc, test_badchain_wrong); + tcase_add_test(tc, test_badchain_gap); + tcase_add_test(tc, test_badchain_any); + suite_add_tcase(s, tc); + + tc = tcase_create("policy valid mapping"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_test(tc, test_valid_mapping); + tcase_add_test(tc, test_valid_mapping_twice); + suite_add_tcase(s, tc); + + tc = tcase_create("policy invalid mapping"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_test(tc, test_invalid_mapping_loop); + tcase_add_test(tc, test_invalid_mapping_notallowed); + tcase_add_test(tc, test_invalid_mapping_nopolicy); + suite_add_tcase(s, tc); + + tc = tcase_create("inhibit policy mapping"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_test(tc, test_inhibit_mapping_good); + tcase_add_test(tc, test_inhibit_mapping_bad); + suite_add_tcase(s, tc); + + tc = tcase_create("inhibit any policy"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_test(tc, test_inhibit_any_good); + tcase_add_test(tc, test_inhibit_any_bad); + suite_add_tcase(s, tc); + + tc = tcase_create("require explicit policy"); + tcase_add_checked_fixture(tc, setup, teardown); + tcase_add_test(tc, test_require_explicit_good); + tcase_add_test(tc, test_require_explicit_bad); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/tests/suites/test_chunk.c b/src/libstrongswan/tests/suites/test_chunk.c index d71e010a2..b5d23658d 100644 --- a/src/libstrongswan/tests/suites/test_chunk.c +++ b/src/libstrongswan/tests/suites/test_chunk.c @@ -787,6 +787,11 @@ END_TEST * test for chunk_internet_checksum[_inc]() */ +static inline u_int16_t compensate_alignment(u_int16_t val) +{ + return ((val & 0xff) << 8) | (val >> 8); +} + START_TEST(test_chunk_internet_checksum) { chunk_t chunk; @@ -804,9 +809,9 @@ START_TEST(test_chunk_internet_checksum) /* need to compensate for even/odd alignment */ sum = chunk_internet_checksum(chunk_create(chunk.ptr, 9)); - sum = ntohs(sum); + sum = compensate_alignment(sum); sum = chunk_internet_checksum_inc(chunk_create(chunk.ptr+9, 11), sum); - sum = ntohs(sum); + sum = compensate_alignment(sum); ck_assert_int_eq(0x442e, ntohs(sum)); chunk = chunk_from_chars(0x45,0x00,0x00,0x30,0x44,0x22,0x40,0x00,0x80,0x06, @@ -821,9 +826,9 @@ START_TEST(test_chunk_internet_checksum) /* need to compensate for even/odd alignment */ sum = chunk_internet_checksum(chunk_create(chunk.ptr, 9)); - sum = ntohs(sum); + sum = compensate_alignment(sum); sum = chunk_internet_checksum_inc(chunk_create(chunk.ptr+9, 10), sum); - sum = ntohs(sum); + sum = compensate_alignment(sum); ck_assert_int_eq(0x4459, ntohs(sum)); } END_TEST diff --git a/src/libstrongswan/tests/suites/test_enum.c b/src/libstrongswan/tests/suites/test_enum.c index b48b51c0e..53ebd2931 100644 --- a/src/libstrongswan/tests/suites/test_enum.c +++ b/src/libstrongswan/tests/suites/test_enum.c @@ -57,6 +57,39 @@ ENUM_NEXT(test_enum_split_names, SPLIT5, SPLIT5, SPLIT4, "SPLIT5"); ENUM_END(test_enum_split_names, SPLIT5); +/******************************************************************************* + * enum flags + */ +enum { + FLAG1 = (1 << 0), + FLAG2 = (1 << 1), + FLAG3 = (1 << 2), + FLAG4 = (1 << 3), + FLAG5 = (1 << 4), + FLAG6 = (1 << 5), + FLAG7 = (1 << 6), + FLAG8 = (1 << 7), + FLAG9 = (1 << 8), + FLAG10 = (1 << 9), + FLAG11 = (1 << 10), + FLAG12 = (1 << 11), +} test_enum_flags; + +ENUM_FLAGS(test_enum_flags_names, FLAG1, FLAG5, + "FLAG1", "FLAG2", "FLAG3", "FLAG4", "FLAG5"); + +ENUM_FLAGS(test_enum_flags_incomplete_names, FLAG3, FLAG4, + "FLAG3", "FLAG4"); + +ENUM_FLAGS(test_enum_flags_null_names, FLAG1, FLAG4, + "FLAG1", NULL, "FLAG3", NULL); + +ENUM_FLAGS(test_enum_flags_overflow_names, FLAG1, FLAG12, + "OVERFLOWFLAGLONGNAME1", "OVERFLOWFLAGLONGNAME2", "OVERFLOWFLAGLONGNAME3", + "OVERFLOWFLAGLONGNAME4", "OVERFLOWFLAGLONGNAME5", "OVERFLOWFLAGLONGNAME6", + "OVERFLOWFLAGLONGNAME7", "OVERFLOWFLAGLONGNAME8", "OVERFLOWFLAGLONGNAME9", + "OVERFLOWFLAGLONGNAME10", "OVERFLOWFLAGLONGNAME11", "OVERFLOWFLAGLONGNAME12"); + /******************************************************************************* * enum_to_name */ @@ -198,11 +231,52 @@ static struct { {256, "(256)"}, }; +/******************************************************************************* + * flag_to_name + */ + +static struct { + int val; + char *str; +} printf_tests_flags[] = { + {0, "(unset)"}, + {FLAG1, "FLAG1"}, + {FLAG2, "FLAG2"}, + {FLAG3, "FLAG3"}, + {FLAG4, "FLAG4"}, + {FLAG5, "FLAG5"}, + {FLAG1 | FLAG3, "FLAG1 | FLAG3"}, + {FLAG1 | FLAG3 | 32, "FLAG1 | FLAG3 | (0x20)"}, + {FLAG1 | FLAG3 | 32 | 64, "FLAG1 | FLAG3 | (0x20) | (0x40)"}, + {0x20, "(0x20)"}, + {0x80000000, "(0x80000000)"}, + {0xFFFFF, "FLAG1 | FLAG2 | FLAG3 | FLAG4 | " + "FLAG5 | (0x20) | (0x40) | (0x80) | " + "(0x100) | (0x200) | (0x400) | (0x800) | " + "(0x1000) | (0x2000) | (0x4000) | (0x8000) | " + "(0x10000) | (0x20000) | (0x40000) | (0x80000)"}, +}, printf_tests_flags_incomplete[] = { + {FLAG1, "(0x1)"}, + {FLAG1 | FLAG2 | FLAG3, "(0x1) | (0x2) | FLAG3"}, + {FLAG3 | FLAG4 | FLAG5, "FLAG3 | FLAG4 | (0x10)"}, +}, printf_tests_flags_null[] = { + {FLAG1 | FLAG2 | FLAG3 | FLAG4, "FLAG1 | FLAG3"}, +}, printf_tests_flags_overflow[] = { + {0xFFFFFFFF, "(0xFFFFFFFF)"}, +}, printf_tests_flags_noflagenum[] = { + {-1, "(-1)"}, + {6435, "(6435)"}, +}, enum_flags_to_string_tests[] = { + {-1, NULL}, + {6435, NULL}, +}; + START_TEST(test_enum_printf_hook_cont) { char buf[128]; - snprintf(buf, sizeof(buf), "%N", test_enum_cont_names, printf_tests_cont[_i].val); + snprintf(buf, sizeof(buf), "%N", + test_enum_cont_names, printf_tests_cont[_i].val); ck_assert_str_eq(printf_tests_cont[_i].str, buf); } END_TEST @@ -211,11 +285,89 @@ START_TEST(test_enum_printf_hook_split) { char buf[128]; - snprintf(buf, sizeof(buf), "%N", test_enum_split_names, printf_tests_split[_i].val); + snprintf(buf, sizeof(buf), "%N", + test_enum_split_names, printf_tests_split[_i].val); ck_assert_str_eq(printf_tests_split[_i].str, buf); } END_TEST +START_TEST(test_enum_printf_hook_flags) +{ + char buf[1024]; + + snprintf(buf, sizeof(buf), "%N", test_enum_flags_names, + printf_tests_flags[_i].val); + ck_assert_str_eq(printf_tests_flags[_i].str, buf); +} +END_TEST + +START_TEST(test_enum_printf_hook_flags_incomplete) +{ + char buf[1024]; + + snprintf(buf, sizeof(buf), "%N", test_enum_flags_incomplete_names, + printf_tests_flags_incomplete[_i].val); + ck_assert_str_eq(printf_tests_flags_incomplete[_i].str, buf); +} +END_TEST + +START_TEST(test_enum_printf_hook_flags_null) +{ + char buf[1024]; + + snprintf(buf, sizeof(buf), "%N", test_enum_flags_null_names, + printf_tests_flags_null[_i].val); + ck_assert_str_eq(printf_tests_flags_null[_i].str, buf); +} +END_TEST + +START_TEST(test_enum_printf_hook_flags_overflow) +{ + char buf[1024]; + + snprintf(buf, sizeof(buf), "%N", test_enum_flags_overflow_names, + printf_tests_flags_overflow[_i].val); + ck_assert_str_eq(printf_tests_flags_overflow[_i].str, buf); +} +END_TEST + +START_TEST(test_enum_printf_hook_flags_noflagenum) +{ + char buf[1024]; + + snprintf(buf, sizeof(buf), "%N", test_enum_cont_names, + printf_tests_flags_noflagenum[_i].val); + ck_assert_str_eq(printf_tests_flags_noflagenum[_i].str, buf); +} +END_TEST + +START_TEST(test_enum_flags_to_string) +{ + char buf[1], *str; + + str = enum_flags_to_string(test_enum_flags_names, + enum_flags_to_string_tests[_i].val, buf, sizeof(buf)); + if (str) + { + ck_assert_str_eq(enum_flags_to_string_tests[_i].str, str); + } + else + { + ck_assert(str == enum_flags_to_string_tests[_i].str); + } +} +END_TEST + +START_TEST(test_enum_flags_to_string_noflagenum) +{ + char buf[1024]; + + enum_flags_to_string(test_enum_cont_names, + printf_tests_flags_noflagenum[_i].val, buf, sizeof(buf)); + ck_assert_str_eq(printf_tests_flags_noflagenum[_i].str, buf); +} +END_TEST + START_TEST(test_enum_printf_hook_width) { char buf[128]; @@ -246,9 +398,19 @@ Suite *enum_suite_create() tcase_add_loop_test(tc, test_enum_from_name_split, 0, countof(enum_tests_split)); suite_add_tcase(s, tc); + tc = tcase_create("enum_flags_to_string"); + tcase_add_loop_test(tc, test_enum_flags_to_string, 0, countof(enum_flags_to_string_tests)); + tcase_add_loop_test(tc, test_enum_flags_to_string_noflagenum, 0, countof(printf_tests_flags_noflagenum)); + suite_add_tcase(s, tc); + tc = tcase_create("enum_printf_hook"); tcase_add_loop_test(tc, test_enum_printf_hook_cont, 0, countof(printf_tests_cont)); tcase_add_loop_test(tc, test_enum_printf_hook_split, 0, countof(printf_tests_split)); + tcase_add_loop_test(tc, test_enum_printf_hook_flags, 0, countof(printf_tests_flags)); + tcase_add_loop_test(tc, test_enum_printf_hook_flags_incomplete, 0, countof(printf_tests_flags_incomplete)); + tcase_add_loop_test(tc, test_enum_printf_hook_flags_null, 0, countof(printf_tests_flags_null)); + tcase_add_loop_test(tc, test_enum_printf_hook_flags_overflow, 0, countof(printf_tests_flags_overflow)); + tcase_add_loop_test(tc, test_enum_printf_hook_flags_noflagenum, 0, countof(printf_tests_flags_noflagenum)); tcase_add_test(tc, test_enum_printf_hook_width); suite_add_tcase(s, tc); diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c index 41a9d64ef..14cc32122 100644 --- a/src/libstrongswan/tests/suites/test_hasher.c +++ b/src/libstrongswan/tests/suites/test_hasher.c @@ -48,6 +48,9 @@ static hasher_oid_t oids[] = { { OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA }, { OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA }, { OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA }, + { OID_BLISS_WITH_SHA256, HASH_SHA256, KEY_BLISS }, + { OID_BLISS_WITH_SHA384, HASH_SHA384, KEY_BLISS }, + { OID_BLISS_WITH_SHA512, HASH_SHA512, KEY_BLISS }, { OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA } }; diff --git a/src/libstrongswan/tests/suites/test_host.c b/src/libstrongswan/tests/suites/test_host.c index 63442083a..7161b2c5b 100644 --- a/src/libstrongswan/tests/suites/test_host.c +++ b/src/libstrongswan/tests/suites/test_host.c @@ -236,6 +236,48 @@ START_TEST(test_create_from_string_and_family_other) } END_TEST +/******************************************************************************* + * host_create_from_dns + */ + +static void test_create_from_dns(int family, chunk_t addr) +{ + host_t *host; + + host = host_create_from_dns("localhost", family, 500); + if (family != AF_INET6) + { + ck_assert(host != NULL); + } + if (host) + { + if (family != AF_UNSPEC) + { + verify_address(host, addr, family, 500); + } + host->destroy(host); + } +} + +START_TEST(test_create_from_dns_any) +{ + test_create_from_dns(AF_UNSPEC, chunk_empty); +} +END_TEST + +START_TEST(test_create_from_dns_v4) +{ + test_create_from_dns(AF_INET, chunk_from_chars(127,0,0,1)); +} +END_TEST + +START_TEST(test_create_from_dns_v6) +{ + test_create_from_dns(AF_INET6, + chunk_from_chars(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1)); +} +END_TEST + /******************************************************************************* * host_create_from_sockaddr */ @@ -399,6 +441,90 @@ START_TEST(test_create_from_subnet_v6) } END_TEST +/******************************************************************************* + * host_create_from_range + */ + +static const chunk_t addr_v4_to = chunk_from_chars(0xc0, 0xa8, 0x00, 0x05); +static const chunk_t addr_v6_to = chunk_from_chars(0xfe, 0xc1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05); + +static void verify_range(char *str, int family, chunk_t from_addr, + chunk_t to_addr) +{ + host_t *from, *to; + + if (!family) + { + ck_assert(!host_create_from_range(str, &from, &to)); + } + else + { + ck_assert(host_create_from_range(str, &from, &to)); + verify_address(from, from_addr, family, 0); + verify_address(to, to_addr, family, 0); + from->destroy(from); + to->destroy(to); + } +} + +START_TEST(test_create_from_range_v4) +{ + host_t *from, *to; + + ck_assert(host_create_from_range("0.0.0.0-0.0.0.0", &from, &to)); + verify_any(from, AF_INET, 0); + verify_any(to, AF_INET, 0); + from->destroy(from); + to->destroy(to); + + verify_range("192.168.0.1-192.168.0.1", AF_INET, addr_v4, addr_v4); + verify_range("192.168.0.1-192.168.0.5", AF_INET, addr_v4, addr_v4_to); + verify_range("192.168.0.1- 192.168.0.5", AF_INET, addr_v4, addr_v4_to); + verify_range("192.168.0.1 -192.168.0.5", AF_INET, addr_v4, addr_v4_to); + verify_range("192.168.0.1 - 192.168.0.5", AF_INET, addr_v4, addr_v4_to); + verify_range("192.168.0.5-192.168.0.1", AF_INET, addr_v4_to, addr_v4); + + verify_range("192.168.0.1", 0, chunk_empty, chunk_empty); + verify_range("192.168.0.1-", 0, chunk_empty, chunk_empty); + verify_range("-192.168.0.1", 0, chunk_empty, chunk_empty); + verify_range("192.168.0.1-192", 0, chunk_empty, chunk_empty); + verify_range("192.168.0.1-192.168", 0, chunk_empty, chunk_empty); + verify_range("192.168.0.1-192.168.0", 0, chunk_empty, chunk_empty); + verify_range("foo.b.a.r", 0, chunk_empty, chunk_empty); + verify_range("foo.b.a.r-b.a.r.f", 0, chunk_empty, chunk_empty); +} +END_TEST + +START_TEST(test_create_from_range_v6) +{ + host_t *from, *to; + + ck_assert(host_create_from_range("::-::", &from, &to)); + verify_any(from, AF_INET6, 0); + verify_any(to, AF_INET6, 0); + from->destroy(from); + to->destroy(to); + + verify_range("fec1::1-fec1::1", AF_INET6, addr_v6, addr_v6); + verify_range("fec1::1-fec1::5", AF_INET6, addr_v6, addr_v6_to); + verify_range("fec1::1- fec1::5", AF_INET6, addr_v6, addr_v6_to); + verify_range("fec1::1 -fec1::5", AF_INET6, addr_v6, addr_v6_to); + verify_range("fec1::1 - fec1::5", AF_INET6, addr_v6, addr_v6_to); + verify_range("fec1::5-fec1::1", AF_INET6, addr_v6_to, addr_v6); + + verify_range("fec1::1", 0, chunk_empty, chunk_empty); + verify_range("fec1::1-", 0, chunk_empty, chunk_empty); + verify_range("-fec1::1", 0, chunk_empty, chunk_empty); + verify_range("fec1::1-fec1", 0, chunk_empty, chunk_empty); + verify_range("foo::bar", 0, chunk_empty, chunk_empty); + verify_range("foo::bar-bar::foo", 0, chunk_empty, chunk_empty); + + verify_range("fec1::1-192.168.0.1", 0, chunk_empty, chunk_empty); + verify_range("192.168.0.1-fec1::1", 0, chunk_empty, chunk_empty); +} +END_TEST + /******************************************************************************* * host_create_netmask */ @@ -610,6 +736,12 @@ Suite *host_suite_create() tcase_add_test(tc, test_create_from_string_and_family_other); suite_add_tcase(s, tc); + tc = tcase_create("host_create_from_dns"); + tcase_add_test(tc, test_create_from_dns_any); + tcase_add_test(tc, test_create_from_dns_v4); + tcase_add_test(tc, test_create_from_dns_v6); + suite_add_tcase(s, tc); + tc = tcase_create("host_create_from_sockaddr"); tcase_add_test(tc, test_create_from_sockaddr_v4); tcase_add_test(tc, test_create_from_sockaddr_v6); @@ -627,6 +759,11 @@ Suite *host_suite_create() tcase_add_test(tc, test_create_from_subnet_v6); suite_add_tcase(s, tc); + tc = tcase_create("host_create_from_range"); + tcase_add_test(tc, test_create_from_range_v4); + tcase_add_test(tc, test_create_from_range_v6); + suite_add_tcase(s, tc); + tc = tcase_create("host_create_netmask"); tcase_add_test(tc, test_create_netmask_v4); tcase_add_test(tc, test_create_netmask_v6); diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c index 5de785710..de00e4afd 100644 --- a/src/libstrongswan/tests/suites/test_identification.c +++ b/src/libstrongswan/tests/suites/test_identification.c @@ -122,58 +122,68 @@ static struct { } data; } result; } string_data[] = { - {NULL, ID_ANY, { .type = ENC_CHUNK }}, - {"", ID_ANY, { .type = ENC_CHUNK }}, - {"%any", ID_ANY, { .type = ENC_CHUNK }}, - {"%any6", ID_ANY, { .type = ENC_CHUNK }}, - {"0.0.0.0", ID_ANY, { .type = ENC_CHUNK }}, - {"0::0", ID_ANY, { .type = ENC_CHUNK }}, - {"::", ID_ANY, { .type = ENC_CHUNK }}, - {"*", ID_ANY, { .type = ENC_CHUNK }}, - {"any", ID_FQDN, { .type = ENC_SIMPLE }}, - {"any6", ID_FQDN, { .type = ENC_SIMPLE }}, - {"0", ID_FQDN, { .type = ENC_SIMPLE }}, - {"**", ID_FQDN, { .type = ENC_SIMPLE }}, - {"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK, - .data.c = chunk_from_chars(0xc0, 0xa8, 0x01, 0x01) }}, - {"192.168.",ID_FQDN, { .type = ENC_SIMPLE }}, - {".", ID_FQDN, { .type = ENC_SIMPLE }}, - {"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK, - .data.c = chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01) }}, - {"fec0::", ID_IPV6_ADDR, { .type = ENC_CHUNK, - .data.c = chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00) }}, - {"fec0:", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {":", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, - {"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, - {"alice@", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, - {"alice", ID_FQDN, { .type = ENC_SIMPLE }}, - {"@", ID_FQDN, { .type = ENC_CHUNK }}, - {" @", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, - {"@strongswan.org", ID_FQDN, { .type = ENC_STRING, - .data.s = "strongswan.org" }}, - {"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK, - .data.c = chunk_from_chars(0xde, 0xad, 0xbe, 0xef) }}, - {"@#deadbee", ID_KEY_ID, { .type = ENC_CHUNK, - .data.c = chunk_from_chars(0x0d, 0xea, 0xdb, 0xee) }}, - {"foo=bar", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"foo=", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"=bar", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"C=", ID_DER_ASN1_DN, { .type = ENC_CHUNK, - .data.c = chunk_from_chars(0x30, 0x0b, 0x31, 0x09, 0x30, 0x07, 0x06, - 0x03, 0x55, 0x04, 0x06, 0x13, 0x00)}}, - {"C=CH", ID_DER_ASN1_DN, { .type = ENC_CHUNK, - .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, - 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}}, - {"C=CH,", ID_DER_ASN1_DN, { .type = ENC_CHUNK, - .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, - 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}}, - {"C=CH, ", ID_DER_ASN1_DN, { .type = ENC_CHUNK, - .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, - 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}}, - {"C=CH, O", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {NULL, ID_ANY, { .type = ENC_CHUNK }}, + {"", ID_ANY, { .type = ENC_CHUNK }}, + {"%any", ID_ANY, { .type = ENC_CHUNK }}, + {"%any6", ID_ANY, { .type = ENC_CHUNK }}, + {"0.0.0.0", ID_ANY, { .type = ENC_CHUNK }}, + {"0::0", ID_ANY, { .type = ENC_CHUNK }}, + {"::", ID_ANY, { .type = ENC_CHUNK }}, + {"*", ID_ANY, { .type = ENC_CHUNK }}, + {"any", ID_FQDN, { .type = ENC_SIMPLE }}, + {"any6", ID_FQDN, { .type = ENC_SIMPLE }}, + {"0", ID_FQDN, { .type = ENC_SIMPLE }}, + {"**", ID_FQDN, { .type = ENC_SIMPLE }}, + {"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }}, + {"192.168.", ID_FQDN, { .type = ENC_SIMPLE }}, + {".", ID_FQDN, { .type = ENC_SIMPLE }}, + {"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }}, + {"fec0::", ID_IPV6_ADDR, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }}, + {"fec0:", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {":", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, + {"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, + {"alice@", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, + {"alice", ID_FQDN, { .type = ENC_SIMPLE }}, + {"@", ID_FQDN, { .type = ENC_CHUNK }}, + {" @", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, + {"@strongswan.org", ID_FQDN, { .type = ENC_STRING, + .data.s = "strongswan.org" }}, + {"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xde,0xad,0xbe,0xef) }}, + {"@#deadbee", ID_KEY_ID, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0x0d,0xea,0xdb,0xee) }}, + {"foo=bar", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"foo=", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"=bar", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"C=", ID_DER_ASN1_DN, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0x30,0x0b,0x31,0x09,0x30,0x07,0x06, + 0x03,0x55,0x04,0x06,0x13,0x00) }}, + {"C=CH", ID_DER_ASN1_DN, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }}, + {"C=CH,", ID_DER_ASN1_DN, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }}, + {"C=CH, ", ID_DER_ASN1_DN, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }}, + {"C=CH, O", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"IPv4:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }}, + { "email:tester", ID_RFC822_ADDR, { .type = ENC_STRING, + .data.s = "tester" }}, + { "{1}:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }}, + { "{0x02}:tester", ID_FQDN, { .type = ENC_STRING, + .data.s = "tester" }}, + { "{99}:somedata", 99, { .type = ENC_STRING, + .data.s = "somedata" }}, }; START_TEST(test_from_string) diff --git a/src/libstrongswan/tests/suites/test_mgf1.c b/src/libstrongswan/tests/suites/test_mgf1.c new file mode 100644 index 000000000..9388b95d4 --- /dev/null +++ b/src/libstrongswan/tests/suites/test_mgf1.c @@ -0,0 +1,268 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include +#include +#include +#include + +typedef struct { + hash_algorithm_t alg; + size_t hash_size; + size_t ml1, ml2, ml3, seed_len; + chunk_t seed; + chunk_t hashed_seed; + chunk_t mask; + uint32_t bits[22]; +} mgf1_test_t; + +/** + * MGF1 Mask Generation Function Test Vectors + */ +mgf1_test_t mgf1_tests[] = { + { HASH_SHA1, 20, 60, 20, 15, 24, + chunk_from_chars( + 0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D, + 0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D, + 0x8C, 0x9B, 0xD5, 0x63, 0x57, 0x38, 0x11, 0xC2, + 0xB5, 0xCA, 0xBF, 0x06, 0x43, 0x45, 0x19, 0xD5, + 0xE7, 0x36, 0xD0, 0x29, 0x21, 0xDA, 0x02, 0x20, + 0x45, 0xF6, 0x5F, 0x0F, 0x10, 0x04, 0x2A, 0xE3, + 0x6A, 0x1D, 0xD5, 0x9F, 0x1D, 0x66, 0x44, 0x8F, + 0xFA, 0xC6, 0xCA, 0xA4, 0x6E, 0x3B, 0x00, 0x66, + 0xA6, 0xC9, 0x80, 0x5C, 0xF5, 0x2D, 0xD7, 0x72, + 0xC6, 0xD4, 0x4F, 0x30, 0x72, 0xA2, 0xAD, 0xE0, + 0x33, 0xE8, 0x55, 0xD5, 0xE6, 0xD6, 0x00, 0x1D, + 0xA8, 0x68, 0xFF, 0x97, 0x36, 0x8A, 0xF4, 0xD6, + 0xF1, 0xB6, 0x7E, 0x1F, 0x06, 0xCB, 0x57, 0xCB, + 0x35, 0x38, 0xF2, 0x2D, 0xF6, 0x20), + chunk_from_chars( + 0xF3, 0x9B, 0x0B, 0xB4, 0x97, 0x50, 0xB5, 0xA7, + 0xE6, 0xBD, 0xDA, 0xD0, 0x9A, 0x52, 0xBE, 0xA0, + 0x21, 0xC4, 0x90, 0xB6), + chunk_from_chars( + 0x10, 0x43, 0x76, 0x72, 0x6C, 0xDE, 0xA0, 0x0E, + 0x77, 0x51, 0xFB, 0x58, 0x39, 0x8A, 0x36, 0xE1, + 0x63, 0x2B, 0xC9, 0x17, 0x56, 0x0C, 0x4B, 0x46, + 0xA4, 0x07, 0xA4, 0x3B, 0x8E, 0x33, 0x4D, 0xD1, + 0x65, 0xF1, 0xAC, 0xC8, 0x59, 0x21, 0x32, 0x16, + 0x44, 0x2B, 0x7F, 0xB2, 0xA8, 0xA7, 0x26, 0x5D, + 0xE8, 0x02, 0xBE, 0x8E, 0xDC, 0x34, 0xEB, 0x10, + 0x76, 0x16, 0x8C, 0xDD, 0x90, 0x92, 0x3D, 0x29, + 0x90, 0x98, 0x46, 0x11, 0x73, 0x53, 0x47, 0xB1, + 0x2C, 0xD4, 0x83, 0x78, 0x9B, 0x93, 0x2F, 0x5B, + 0xFC, 0x26, 0xFF, 0x42, 0x08, 0x1F, 0x70, 0x66, + 0x40, 0x4B, 0xE7, 0x22, 0x3A, 0x56, 0x10, 0x6D, + 0x4D, 0x29, 0x0B, 0xCE, 0xA6, 0x21, 0xB5, 0x5C, + 0x71, 0x66, 0x2F, 0x70, 0x35, 0xD8, 0x8A, 0x92, + 0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14), + { 0, 0, 0, 4, 1, 1, 46, 103, 38, 411, 848, 57, 3540, 4058, 12403, + 0x63, 0x2B, 0xC9, 0x17, 0x56, 669409, 0xA407A43B }, + }, + { HASH_SHA256, 32, 64, 32, 33, 40, + chunk_from_chars( + 0x52, 0xC5, 0xDD, 0x1E, 0xEF, 0x76, 0x1B, 0x53, + 0x08, 0xE4, 0x86, 0x3F, 0x91, 0x12, 0x98, 0x69, + 0xC5, 0x9D, 0xDE, 0xF6, 0xFC, 0xFA, 0x93, 0xCE, + 0x32, 0x52, 0x66, 0xF9, 0xC9, 0x97, 0xF6, 0x42, + 0x00, 0x2C, 0x64, 0xED, 0x1A, 0x6B, 0x14, 0x0A, + 0x4B, 0x04, 0xCF, 0x6D, 0x2D, 0x82, 0x0A, 0x07, + 0xA2, 0x3B, 0xDE, 0xCE, 0x19, 0x8A, 0x39, 0x43, + 0x16, 0x61, 0x29, 0x98, 0x68, 0xEA, 0xE5, 0xCC, + 0x0A, 0xF8, 0xE9, 0x71, 0x26, 0xF1, 0x07, 0x36, + 0x2C, 0x07, 0x1E, 0xEB, 0xE4, 0x28, 0xA2, 0xF4, + 0xA8, 0x12, 0xC0, 0xC8, 0x20, 0x37, 0xF8, 0xF2, + 0x6C, 0xAF, 0xDC, 0x6F, 0x2E, 0xD0, 0x62, 0x58, + 0xD2, 0x37, 0x03, 0x6D, 0xFA, 0x6E, 0x1A, 0xAC, + 0x9F, 0xCA, 0x56, 0xC6, 0xA4, 0x52, 0x41, 0xE8, + 0x0F, 0x1B, 0x0C, 0xB9, 0xE6, 0xBA, 0xDE, 0xE1, + 0x03, 0x5E, 0xC2, 0xE5, 0xF8, 0xF4, 0xF3, 0x46, + 0x3A, 0x12, 0xC0, 0x1F, 0x3A, 0x00, 0xD0, 0x91, + 0x18, 0xDD, 0x53, 0xE4, 0x22, 0xF5, 0x26, 0xA4, + 0x54, 0xEE, 0x20, 0xF0, 0x80), + chunk_from_chars( + 0x76, 0x89, 0x8B, 0x1B, 0x60, 0xEC, 0x10, 0x9D, + 0x8F, 0x13, 0xF2, 0xFE, 0xD9, 0x85, 0xC1, 0xAB, + 0x7E, 0xEE, 0xB1, 0x31, 0xDD, 0xF7, 0x7F, 0x0C, + 0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28), + chunk_from_chars( + 0xF1, 0x19, 0x02, 0x4F, 0xDA, 0x58, 0x05, 0x9A, + 0x07, 0xDF, 0x61, 0x81, 0x22, 0x0E, 0x15, 0x46, + 0xCB, 0x35, 0x3C, 0xDC, 0xAD, 0x20, 0xD9, 0x3F, + 0x0D, 0xD1, 0xAA, 0x64, 0x66, 0x5C, 0xFA, 0x4A, + 0xFE, 0xD6, 0x8F, 0x55, 0x57, 0x15, 0xB2, 0xA6, + 0xA0, 0xE6, 0xA8, 0xC6, 0xBD, 0x28, 0xB4, 0xD5, + 0x6E, 0x5B, 0x4B, 0xB0, 0x97, 0x09, 0xF5, 0xAC, + 0x57, 0x65, 0x13, 0x97, 0x71, 0x2C, 0x45, 0x13, + 0x3D, 0xEE, 0xFB, 0xBF, 0xFE, 0xAF, 0xBB, 0x4B, + 0x0D, 0x5C, 0x45, 0xD4, 0x2F, 0x17, 0x92, 0x07, + 0x66, 0x11, 0xF5, 0x46, 0xF8, 0x0C, 0x03, 0x92, + 0xF5, 0xF5, 0xFF, 0xA4, 0xF3, 0x52, 0xF4, 0x08, + 0x2C, 0x49, 0x32, 0x1A, 0x93, 0x51, 0x98, 0xB6, + 0x94, 0x83, 0x39, 0xCF, 0x6B, 0x1F, 0x2F, 0xFC, + 0x2B, 0xFF, 0x10, 0x71, 0x7D, 0x35, 0x6C, 0xEA, + 0xC5, 0x66, 0xC7, 0x26, 0x7D, 0x9E, 0xAC, 0xDD, + 0x35, 0xD7, 0x06, 0x3F, 0x40, 0x82, 0xDA, 0xC3, + 0x2B, 0x3C, 0x91, 0x3A, 0x32, 0xF8, 0xB2, 0xC6, + 0x44, 0x4D, 0xCD, 0xB6, 0x54, 0x5F, 0x81, 0x95, + 0x59, 0xA1, 0xE5, 0x4E, 0xA5, 0x0A, 0x4A, 0x42), + { 0, 1, 3, 4, 4, 12, 32, 36, 253, 331, 2, 1640, 503, 6924, 580, + 0xCB, 0x35, 0x3C, 0xDC, 0xAD, 922950, 0x0DD1AA64 } + } +}; + +START_TEST(mgf1_test_mgf1) +{ + mgf1_t *mgf1; + chunk_t mask, mask1, mask2, mask3; + + mask1 = mgf1_tests[_i].mask; + mask2 = chunk_skip(mask1, mgf1_tests[_i].ml1); + mask3 = chunk_skip(mask2, mgf1_tests[_i].ml2); + mask1.len = mgf1_tests[_i].ml1; + mask2.len = mgf1_tests[_i].ml2; + mask3.len = mgf1_tests[_i].ml3; + + mgf1 = mgf1_create(HASH_UNKNOWN, mgf1_tests[_i].seed, TRUE); + ck_assert(mgf1 == NULL); + + mgf1 = mgf1_create(mgf1_tests[_i].alg, chunk_empty, TRUE); + ck_assert(mgf1 == NULL); + + /* return mask in allocated chunk */ + mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE); + ck_assert(mgf1); + + /* check hash size */ + ck_assert(mgf1->get_hash_size(mgf1) == mgf1_tests[_i].hash_size); + + /* get zero number of octets */ + ck_assert(mgf1->allocate_mask(mgf1, 0, &mask)); + ck_assert(mask.len == 0 && mask.ptr == NULL); + + /* get non-zero number of octets */ + ck_assert(mgf1->allocate_mask(mgf1, mgf1_tests[_i].mask.len, &mask)); + ck_assert(chunk_equals(mask, mgf1_tests[_i].mask)); + mgf1->destroy(mgf1); + + /* copy mask to pre-allocated buffer */ + mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE); + ck_assert(mgf1); + ck_assert(mgf1->get_mask(mgf1, mgf1_tests[_i].mask.len, mask.ptr)); + ck_assert(chunk_equals(mask, mgf1_tests[_i].mask)); + mgf1->destroy(mgf1); + + /* get mask in batches without hashing the seed */ + mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].hashed_seed, FALSE); + ck_assert(mgf1); + + /* first batch */ + ck_assert(mgf1->get_mask(mgf1, mask1.len, mask.ptr)); + mask.len = mask1.len; + ck_assert(chunk_equals(mask, mask1)); + + /* second batch */ + ck_assert(mgf1->get_mask(mgf1, mask2.len, mask.ptr)); + mask.len = mask2.len; + ck_assert(chunk_equals(mask, mask2)); + + /* third batch */ + ck_assert(mgf1->get_mask(mgf1, mask3.len, mask.ptr)); + mask.len = mask3.len; + ck_assert(chunk_equals(mask, mask3)); + + mgf1->destroy(mgf1); + chunk_free(&mask); +} +END_TEST + +START_TEST(mgf1_test_bitspender) +{ + mgf1_bitspender_t *bitspender; + uint32_t bits; + uint8_t byte; + int j; + + bitspender = mgf1_bitspender_create(HASH_UNKNOWN, + mgf1_tests[_i].hashed_seed, FALSE); + ck_assert(bitspender == NULL); + + bitspender = mgf1_bitspender_create(mgf1_tests[_i].alg, + mgf1_tests[_i].hashed_seed, FALSE); + ck_assert(bitspender); + + for (j = 0; j < 15; j++) + { + ck_assert(bitspender->get_bits(bitspender, j, &bits)); + DBG1(DBG_LIB, "bits[%d] = %u, bits = %u", j, mgf1_tests[_i].bits[j], + bits); + ck_assert(bits == mgf1_tests[_i].bits[j]); + } + ck_assert(!bitspender->get_bits(bitspender, 33, &bits)); + + for (j = 15; j < 20; j++) + { + ck_assert(bitspender->get_byte(bitspender, &byte)); + DBG1(DBG_LIB, "bits[%d] = 0x%02x, byte = 0x%02x", j, + mgf1_tests[_i].bits[j], byte); + ck_assert(byte == mgf1_tests[_i].bits[j]); + } + + j = 20; /* 23 remaining bits */ + ck_assert(bitspender->get_bits(bitspender, 23, &bits)); + DBG1(DBG_LIB, "bits[%d] = %u, bits = %u", j, + mgf1_tests[_i].bits[j], bits); + ck_assert(bits == mgf1_tests[_i].bits[j]); + + j = 21; /* 32 aligned bits */ + ck_assert(bitspender->get_bits(bitspender, 32, &bits)); + DBG1(DBG_LIB, "bits[%d] = 0x%08x, bits = 0x%08x", j, + mgf1_tests[_i].bits[j], bits); + ck_assert(bits == mgf1_tests[_i].bits[j]); + + bitspender->destroy(bitspender); +} +END_TEST + + +Suite *mgf1_suite_create(char *name, int n) +{ + Suite *s; + TCase *tc; + + s = suite_create(name); + + tc = tcase_create("mgf1"); + tcase_add_loop_test(tc, mgf1_test_mgf1, n, n + 1); + suite_add_tcase(s, tc); + + tc = tcase_create("bitspender"); + tcase_add_loop_test(tc, mgf1_test_bitspender, n, n + 1); + suite_add_tcase(s, tc); + + return s; +} + +Suite *mgf1_sha1_suite_create() +{ + return mgf1_suite_create("mgf1-sha1", 0); +} + +Suite *mgf1_sha256_suite_create() +{ + return mgf1_suite_create("mgf1-sha256", 1); +} diff --git a/src/libstrongswan/tests/suites/test_ntru.c b/src/libstrongswan/tests/suites/test_ntru.c index 7c0cb81bf..d209fa2bc 100644 --- a/src/libstrongswan/tests/suites/test_ntru.c +++ b/src/libstrongswan/tests/suites/test_ntru.c @@ -16,20 +16,17 @@ #include "test_suite.h" #include +#include +#include #include -#include #include #include #include #include -#include IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create, ntru_drbg_t*, u_int32_t strength, chunk_t pers_str, rng_t *entropy) -IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_mgf1_create, ntru_mgf1_t*, - hash_algorithm_t alg, chunk_t seed, bool hash_seed) - IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_trits_create, ntru_trits_t*, size_t len, hash_algorithm_t alg, chunk_t seed) @@ -334,13 +331,11 @@ typedef struct { typedef struct { hash_algorithm_t alg; size_t hash_size; - size_t ml1, ml2, ml3, seed_len; + size_t seed_len; chunk_t seed; - chunk_t hashed_seed; - chunk_t mask; chunk_t trits; poly_test_t poly_test[2]; -} mgf1_test_t; +} trits_test_t; uint16_t indices_ees439ep1[] = { 367, 413, 16, 214, 114, 128, 42, 268, 346, 329, 119, 303, 208, 287, 150, @@ -386,10 +381,10 @@ uint16_t indices_ees1171ep1[] = { }; /** - * MGF1 Mask Generation Function Test Vectors + * Trits and Polynomial Test Vectors */ -mgf1_test_t mgf1_tests[] = { - { HASH_SHA1, 20, 60, 20, 15, 24, +static trits_test_t trits_tests[] = { + { HASH_SHA1, 20, 24, chunk_from_chars( 0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D, 0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D, @@ -405,26 +400,6 @@ mgf1_test_t mgf1_tests[] = { 0xA8, 0x68, 0xFF, 0x97, 0x36, 0x8A, 0xF4, 0xD6, 0xF1, 0xB6, 0x7E, 0x1F, 0x06, 0xCB, 0x57, 0xCB, 0x35, 0x38, 0xF2, 0x2D, 0xF6, 0x20), - chunk_from_chars( - 0xF3, 0x9B, 0x0B, 0xB4, 0x97, 0x50, 0xB5, 0xA7, - 0xE6, 0xBD, 0xDA, 0xD0, 0x9A, 0x52, 0xBE, 0xA0, - 0x21, 0xC4, 0x90, 0xB6), - chunk_from_chars( - 0x10, 0x43, 0x76, 0x72, 0x6C, 0xDE, 0xA0, 0x0E, - 0x77, 0x51, 0xFB, 0x58, 0x39, 0x8A, 0x36, 0xE1, - 0x63, 0x2B, 0xC9, 0x17, 0x56, 0x0C, 0x4B, 0x46, - 0xA4, 0x07, 0xA4, 0x3B, 0x8E, 0x33, 0x4D, 0xD1, - 0x65, 0xF1, 0xAC, 0xC8, 0x59, 0x21, 0x32, 0x16, - 0x44, 0x2B, 0x7F, 0xB2, 0xA8, 0xA7, 0x26, 0x5D, - 0xE8, 0x02, 0xBE, 0x8E, 0xDC, 0x34, 0xEB, 0x10, - 0x76, 0x16, 0x8C, 0xDD, 0x90, 0x92, 0x3D, 0x29, - 0x90, 0x98, 0x46, 0x11, 0x73, 0x53, 0x47, 0xB1, - 0x2C, 0xD4, 0x83, 0x78, 0x9B, 0x93, 0x2F, 0x5B, - 0xFC, 0x26, 0xFF, 0x42, 0x08, 0x1F, 0x70, 0x66, - 0x40, 0x4B, 0xE7, 0x22, 0x3A, 0x56, 0x10, 0x6D, - 0x4D, 0x29, 0x0B, 0xCE, 0xA6, 0x21, 0xB5, 0x5C, - 0x71, 0x66, 0x2F, 0x70, 0x35, 0xD8, 0x8A, 0x92, - 0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14), chunk_from_chars( 1, 2, 1, 0, 0, 1, 1, 1, 2, 0, 1, 0, 1, 1, 1, 0, 2, 0, 1, 1, 0, 0, 0, 1, 1, 0, 2, 0, 2, 2, 1, 2, 2, 2, 1, 2, 1, 1, 0, 0, @@ -457,7 +432,7 @@ mgf1_test_t mgf1_tests[] = { } } }, - { HASH_SHA256, 32, 64, 32, 33, 40, + { HASH_SHA256, 32, 40, chunk_from_chars( 0x52, 0xC5, 0xDD, 0x1E, 0xEF, 0x76, 0x1B, 0x53, 0x08, 0xE4, 0x86, 0x3F, 0x91, 0x12, 0x98, 0x69, @@ -478,32 +453,6 @@ mgf1_test_t mgf1_tests[] = { 0x3A, 0x12, 0xC0, 0x1F, 0x3A, 0x00, 0xD0, 0x91, 0x18, 0xDD, 0x53, 0xE4, 0x22, 0xF5, 0x26, 0xA4, 0x54, 0xEE, 0x20, 0xF0, 0x80), - chunk_from_chars( - 0x76, 0x89, 0x8B, 0x1B, 0x60, 0xEC, 0x10, 0x9D, - 0x8F, 0x13, 0xF2, 0xFE, 0xD9, 0x85, 0xC1, 0xAB, - 0x7E, 0xEE, 0xB1, 0x31, 0xDD, 0xF7, 0x7F, 0x0C, - 0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28), - chunk_from_chars( - 0xF1, 0x19, 0x02, 0x4F, 0xDA, 0x58, 0x05, 0x9A, - 0x07, 0xDF, 0x61, 0x81, 0x22, 0x0E, 0x15, 0x46, - 0xCB, 0x35, 0x3C, 0xDC, 0xAD, 0x20, 0xD9, 0x3F, - 0x0D, 0xD1, 0xAA, 0x64, 0x66, 0x5C, 0xFA, 0x4A, - 0xFE, 0xD6, 0x8F, 0x55, 0x57, 0x15, 0xB2, 0xA6, - 0xA0, 0xE6, 0xA8, 0xC6, 0xBD, 0x28, 0xB4, 0xD5, - 0x6E, 0x5B, 0x4B, 0xB0, 0x97, 0x09, 0xF5, 0xAC, - 0x57, 0x65, 0x13, 0x97, 0x71, 0x2C, 0x45, 0x13, - 0x3D, 0xEE, 0xFB, 0xBF, 0xFE, 0xAF, 0xBB, 0x4B, - 0x0D, 0x5C, 0x45, 0xD4, 0x2F, 0x17, 0x92, 0x07, - 0x66, 0x11, 0xF5, 0x46, 0xF8, 0x0C, 0x03, 0x92, - 0xF5, 0xF5, 0xFF, 0xA4, 0xF3, 0x52, 0xF4, 0x08, - 0x2C, 0x49, 0x32, 0x1A, 0x93, 0x51, 0x98, 0xB6, - 0x94, 0x83, 0x39, 0xCF, 0x6B, 0x1F, 0x2F, 0xFC, - 0x2B, 0xFF, 0x10, 0x71, 0x7D, 0x35, 0x6C, 0xEA, - 0xC5, 0x66, 0xC7, 0x26, 0x7D, 0x9E, 0xAC, 0xDD, - 0x35, 0xD7, 0x06, 0x3F, 0x40, 0x82, 0xDA, 0xC3, - 0x2B, 0x3C, 0x91, 0x3A, 0x32, 0xF8, 0xB2, 0xC6, - 0x44, 0x4D, 0xCD, 0xB6, 0x54, 0x5F, 0x81, 0x95, - 0x59, 0xA1, 0xE5, 0x4E, 0xA5, 0x0A, 0x4A, 0x42), chunk_from_chars( 1, 2, 2, 2, 2, 1, 2, 2, 0, 0, 2, 0, 0, 0, 0, 1, 2, 2, 2, 0, 2, 0, 0, 2, 2, 1, 2, 0, 0, 1, 2, 1, 0, 0, 0, 1, 0, 2, 2, 1, @@ -546,104 +495,34 @@ mgf1_test_t mgf1_tests[] = { } }; -START_TEST(test_ntru_mgf1) -{ - ntru_mgf1_t *mgf1; - chunk_t mask, mask1, mask2, mask3; - - mask1 = mgf1_tests[_i].mask; - mask2 = chunk_skip(mask1, mgf1_tests[_i].ml1); - mask3 = chunk_skip(mask2, mgf1_tests[_i].ml2); - mask1.len = mgf1_tests[_i].ml1; - mask2.len = mgf1_tests[_i].ml2; - mask3.len = mgf1_tests[_i].ml3; - - mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, HASH_UNKNOWN, - mgf1_tests[_i].seed, TRUE); - ck_assert(mgf1 == NULL); - - mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg, - chunk_empty, TRUE); - ck_assert(mgf1 == NULL); - - /* return mask in allocated chunk */ - mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg, - mgf1_tests[_i].seed, TRUE); - ck_assert(mgf1); - - /* check hash size */ - ck_assert(mgf1->get_hash_size(mgf1) == mgf1_tests[_i].hash_size); - - /* get zero number of octets */ - ck_assert(mgf1->allocate_mask(mgf1, 0, &mask)); - ck_assert(mask.len == 0 && mask.ptr == NULL); - - /* get non-zero number of octets */ - ck_assert(mgf1->allocate_mask(mgf1, mgf1_tests[_i].mask.len, &mask)); - ck_assert(chunk_equals(mask, mgf1_tests[_i].mask)); - mgf1->destroy(mgf1); - - /* copy mask to pre-allocated buffer */ - mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg, - mgf1_tests[_i].seed, TRUE); - ck_assert(mgf1); - ck_assert(mgf1->get_mask(mgf1, mgf1_tests[_i].mask.len, mask.ptr)); - ck_assert(chunk_equals(mask, mgf1_tests[_i].mask)); - mgf1->destroy(mgf1); - - /* get mask in batches without hashing the seed */ - mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg, - mgf1_tests[_i].hashed_seed, FALSE); - ck_assert(mgf1); - - /* first batch */ - ck_assert(mgf1->get_mask(mgf1, mask1.len, mask.ptr)); - mask.len = mask1.len; - ck_assert(chunk_equals(mask, mask1)); - - /* second batch */ - ck_assert(mgf1->get_mask(mgf1, mask2.len, mask.ptr)); - mask.len = mask2.len; - ck_assert(chunk_equals(mask, mask2)); - - /* third batch */ - ck_assert(mgf1->get_mask(mgf1, mask3.len, mask.ptr)); - mask.len = mask3.len; - ck_assert(chunk_equals(mask, mask3)); - - mgf1->destroy(mgf1); - chunk_free(&mask); -} -END_TEST - START_TEST(test_ntru_trits) { ntru_trits_t *mask; chunk_t trits; - mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len, - HASH_UNKNOWN, mgf1_tests[_i].seed); + mask = TEST_FUNCTION(ntru, ntru_trits_create, trits_tests[_i].trits.len, + HASH_UNKNOWN, trits_tests[_i].seed); ck_assert(mask == NULL); - mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len, - mgf1_tests[_i].alg, chunk_empty); + mask = TEST_FUNCTION(ntru, ntru_trits_create, trits_tests[_i].trits.len, + trits_tests[_i].alg, chunk_empty); ck_assert(mask == NULL); - mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len, - mgf1_tests[_i].alg, mgf1_tests[_i].seed); + mask = TEST_FUNCTION(ntru, ntru_trits_create, trits_tests[_i].trits.len, + trits_tests[_i].alg, trits_tests[_i].seed); ck_assert(mask); trits = chunk_create(mask->get_trits(mask), mask->get_size(mask)); - ck_assert(chunk_equals(trits, mgf1_tests[_i].trits)); + ck_assert(chunk_equals(trits, trits_tests[_i].trits)); mask->destroy(mask); /* generate a multiple of 5 trits */ - mask = TEST_FUNCTION(ntru, ntru_trits_create, 10, mgf1_tests[_i].alg, - mgf1_tests[_i].seed); + mask = TEST_FUNCTION(ntru, ntru_trits_create, 10, trits_tests[_i].alg, + trits_tests[_i].seed); ck_assert(mask); trits = chunk_create(mask->get_trits(mask), mask->get_size(mask)); - ck_assert(chunk_equals(trits, chunk_create(mgf1_tests[_i].trits.ptr, 10))); + ck_assert(chunk_equals(trits, chunk_create(trits_tests[_i].trits.ptr, 10))); mask->destroy(mask); } END_TEST @@ -656,10 +535,10 @@ START_TEST(test_ntru_poly) poly_test_t *p; int j, n; - seed = mgf1_tests[_i].seed; - seed.len = mgf1_tests[_i].seed_len; + seed = trits_tests[_i].seed; + seed.len = trits_tests[_i].seed_len; - p = &mgf1_tests[_i].poly_test[0]; + p = &trits_tests[_i].poly_test[0]; poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed, HASH_UNKNOWN, seed, p->c_bits, p->N, p->q, p->indices_len, p->indices_len, p->is_product_form); @@ -667,9 +546,9 @@ START_TEST(test_ntru_poly) for (n = 0; n < 2; n++) { - p = &mgf1_tests[_i].poly_test[n]; + p = &trits_tests[_i].poly_test[n]; poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed, - mgf1_tests[_i].alg, seed, p->c_bits, p->N, p->q, + trits_tests[_i].alg, seed, p->c_bits, p->N, p->q, p->indices_len, p->indices_len, p->is_product_form); ck_assert(poly != NULL && poly->get_size(poly) == p->indices_size); @@ -1182,7 +1061,6 @@ START_TEST(test_ntru_ke) diffie_hellman_t *i_ntru, *r_ntru; char buf[10]; int k, n, len; - status_t status; k = (_i) / countof(parameter_sets); n = (_i) % countof(parameter_sets); @@ -1199,23 +1077,21 @@ START_TEST(test_ntru_ke) ck_assert(i_ntru != NULL); ck_assert(i_ntru->get_dh_group(i_ntru) == params[k].group); - i_ntru->get_my_public_value(i_ntru, &pub_key); + ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key)); ck_assert(pub_key.len > 0); r_ntru = lib->crypto->create_dh(lib->crypto, params[k].group); ck_assert(r_ntru != NULL); - r_ntru->set_other_public_value(r_ntru, pub_key); - r_ntru->get_my_public_value(r_ntru, &cipher_text); + ck_assert(r_ntru->set_other_public_value(r_ntru, pub_key)); + ck_assert(r_ntru->get_my_public_value(r_ntru, &cipher_text)); ck_assert(cipher_text.len > 0); - status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret); - ck_assert(status == SUCCESS); + ck_assert(r_ntru->get_shared_secret(r_ntru, &r_shared_secret)); ck_assert(r_shared_secret.len > 0); - i_ntru->set_other_public_value(i_ntru, cipher_text); - status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret); - ck_assert(status == SUCCESS); + ck_assert(i_ntru->set_other_public_value(i_ntru, cipher_text)); + ck_assert(i_ntru->get_shared_secret(i_ntru, &i_shared_secret)); ck_assert(chunk_equals(i_shared_secret, r_shared_secret)); chunk_clear(&i_shared_secret); @@ -1233,8 +1109,8 @@ START_TEST(test_ntru_retransmission) chunk_t pub_key1, pub_key2; i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_256_BIT); - i_ntru->get_my_public_value(i_ntru, &pub_key1); - i_ntru->get_my_public_value(i_ntru, &pub_key2); + ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key1)); + ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key2)); ck_assert(chunk_equals(pub_key1, pub_key2)); chunk_free(&pub_key1); @@ -1260,8 +1136,8 @@ START_TEST(test_ntru_pubkey_oid) chunk_t cipher_text; r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT); - r_ntru->set_other_public_value(r_ntru, oid_tests[_i]); - r_ntru->get_my_public_value(r_ntru, &cipher_text); + ck_assert(!r_ntru->set_other_public_value(r_ntru, oid_tests[_i])); + ck_assert(r_ntru->get_my_public_value(r_ntru, &cipher_text)); ck_assert(cipher_text.len == 0); r_ntru->destroy(r_ntru); } @@ -1276,14 +1152,14 @@ START_TEST(test_ntru_wrong_set) "libstrongswan.plugins.ntru.parameter_set", "x9_98_bandwidth"); i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT); - i_ntru->get_my_public_value(i_ntru, &pub_key); + ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key)); lib->settings->set_str(lib->settings, "libstrongswan.plugins.ntru.parameter_set", "optimum"); r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT); - r_ntru->set_other_public_value(r_ntru, pub_key); - r_ntru->get_my_public_value(r_ntru, &cipher_text); + ck_assert(!r_ntru->set_other_public_value(r_ntru, pub_key)); + ck_assert(r_ntru->get_my_public_value(r_ntru, &cipher_text)); ck_assert(cipher_text.len == 0); chunk_free(&pub_key); @@ -1314,9 +1190,9 @@ START_TEST(test_ntru_ciphertext) for (i = 0; i < countof(test); i++) { i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT); - i_ntru->get_my_public_value(i_ntru, &pub_key); - i_ntru->set_other_public_value(i_ntru, test[i]); - ck_assert(i_ntru->get_shared_secret(i_ntru, &shared_secret) != SUCCESS); + ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key)); + ck_assert(!i_ntru->set_other_public_value(i_ntru, test[i])); + ck_assert(!i_ntru->get_shared_secret(i_ntru, &shared_secret)); ck_assert(shared_secret.len == 0); chunk_free(&pub_key); @@ -1334,12 +1210,12 @@ START_TEST(test_ntru_wrong_ciphertext) r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT); m_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT); - i_ntru->get_my_public_value(i_ntru, &pub_key_i); - m_ntru->get_my_public_value(m_ntru, &pub_key_m); - r_ntru->set_other_public_value(r_ntru, pub_key_m); - r_ntru->get_my_public_value(r_ntru, &cipher_text); - i_ntru->set_other_public_value(i_ntru, cipher_text); - ck_assert(i_ntru->get_shared_secret(i_ntru, &shared_secret) != SUCCESS); + ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key_i)); + ck_assert(m_ntru->get_my_public_value(m_ntru, &pub_key_m)); + ck_assert(r_ntru->set_other_public_value(r_ntru, pub_key_m)); + ck_assert(r_ntru->get_my_public_value(r_ntru, &cipher_text)); + ck_assert(!i_ntru->set_other_public_value(i_ntru, cipher_text)); + ck_assert(!i_ntru->get_shared_secret(i_ntru, &shared_secret)); ck_assert(shared_secret.len == 0); chunk_free(&pub_key_i); @@ -1370,16 +1246,12 @@ Suite *ntru_suite_create() tcase_add_test(tc, test_ntru_drbg_reseed); suite_add_tcase(s, tc); - tc = tcase_create("mgf1"); - tcase_add_loop_test(tc, test_ntru_mgf1, 0, countof(mgf1_tests)); - suite_add_tcase(s, tc); - tc = tcase_create("trits"); - tcase_add_loop_test(tc, test_ntru_trits, 0, countof(mgf1_tests)); + tcase_add_loop_test(tc, test_ntru_trits, 0, countof(trits_tests)); suite_add_tcase(s, tc); tc = tcase_create("poly"); - tcase_add_loop_test(tc, test_ntru_poly, 0, countof(mgf1_tests)); + tcase_add_loop_test(tc, test_ntru_poly, 0, countof(trits_tests)); suite_add_tcase(s, tc); tc = tcase_create("ring_mult"); diff --git a/src/libstrongswan/tests/suites/test_settings.c b/src/libstrongswan/tests/suites/test_settings.c index b9d429a24..9601a34a9 100644 --- a/src/libstrongswan/tests/suites/test_settings.c +++ b/src/libstrongswan/tests/suites/test_settings.c @@ -908,7 +908,7 @@ START_SETUP(setup_string_config) "special = \"all { special } characters # can be used.\"\n" "unterminated = \"is fine\n" "but = produces a warning\n" - "newlines = \"can either be encoded\\nor\\\n" + "newlines = \"can either be encoded\\nor \\\n" "escaped\"\n" "quotes = \"\\\"and\\\" slashes \\\\ can \\\\ be\" # escaped too\n" "multiple = \"strings\" are \"combined\"\n" @@ -922,7 +922,7 @@ START_TEST(test_strings) verify_string("all { special } characters # can be used.", "special"); verify_string("is fine", "unterminated"); verify_string("produces a warning", "but"); - verify_string("can either be encoded\nor\nescaped", "newlines"); + verify_string("can either be encoded\nor escaped", "newlines"); verify_string("\"and\" slashes \\ can \\ be", "quotes"); verify_string("strings are combined", "multiple"); } diff --git a/src/libstrongswan/tests/suites/test_threading.c b/src/libstrongswan/tests/suites/test_threading.c index 47e448484..55a4cd797 100644 --- a/src/libstrongswan/tests/suites/test_threading.c +++ b/src/libstrongswan/tests/suites/test_threading.c @@ -553,6 +553,49 @@ START_TEST(test_rwlock) } END_TEST +static void *rwlock_try_run(void *param) +{ + if (rwlock->try_write_lock(rwlock)) + { + rwlock->unlock(rwlock); + return param; + } + return NULL; +} + +START_TEST(test_rwlock_try) +{ + uintptr_t magic = 0xcafebabe; + thread_t *thread; + + rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT); + + thread = thread_create(rwlock_try_run, (void*)magic); + ck_assert_int_eq((uintptr_t)thread->join(thread), magic); + + rwlock->read_lock(rwlock); + thread = thread_create(rwlock_try_run, (void*)magic); + ck_assert(thread->join(thread) == NULL); + rwlock->unlock(rwlock); + + rwlock->read_lock(rwlock); + rwlock->read_lock(rwlock); + rwlock->read_lock(rwlock); + thread = thread_create(rwlock_try_run, (void*)magic); + ck_assert(thread->join(thread) == NULL); + rwlock->unlock(rwlock); + rwlock->unlock(rwlock); + rwlock->unlock(rwlock); + + rwlock->write_lock(rwlock); + thread = thread_create(rwlock_try_run, (void*)magic); + ck_assert(thread->join(thread) == NULL); + rwlock->unlock(rwlock); + + rwlock->destroy(rwlock); +} +END_TEST + /** * Rwlock condvar */ @@ -1132,6 +1175,191 @@ START_TEST(test_cancel_point) } END_TEST +static void close_fd_ptr(void *fd) +{ + close(*(int*)fd); +} + +static void cancellation_recv() +{ + int sv[2]; + char buf[1]; + + ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0); + + thread_cleanup_push(close_fd_ptr, &sv[0]); + thread_cleanup_push(close_fd_ptr, &sv[1]); + + thread_cancelability(TRUE); + while (TRUE) + { + ck_assert(recv(sv[0], buf, sizeof(buf), 0) == 1); + } +} + +static void cancellation_read() +{ + int sv[2]; + char buf[1]; + + ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0); + + thread_cleanup_push(close_fd_ptr, &sv[0]); + thread_cleanup_push(close_fd_ptr, &sv[1]); + + thread_cancelability(TRUE); + while (TRUE) + { + ck_assert(read(sv[0], buf, sizeof(buf)) == 1); + } +} + +static void cancellation_select() +{ + int sv[2]; + fd_set set; + + ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0); + + thread_cleanup_push(close_fd_ptr, &sv[0]); + thread_cleanup_push(close_fd_ptr, &sv[1]); + + FD_ZERO(&set); + FD_SET(sv[0], &set); + thread_cancelability(TRUE); + while (TRUE) + { + ck_assert(select(sv[0] + 1, &set, NULL, NULL, NULL) == 1); + } +} + +static void cancellation_poll() +{ + int sv[2]; + struct pollfd pfd; + + ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0); + + thread_cleanup_push(close_fd_ptr, &sv[0]); + thread_cleanup_push(close_fd_ptr, &sv[1]); + + pfd.fd = sv[0]; + pfd.events = POLLIN; + thread_cancelability(TRUE); + while (TRUE) + { + ck_assert(poll(&pfd, 1, -1) == 1); + } +} + +static void cancellation_accept() +{ + host_t *host; + int fd, c; + + fd = socket(AF_INET, SOCK_STREAM, 0); + ck_assert(fd >= 0); + host = host_create_from_string("127.0.0.1", 0); + ck_assert_msg(bind(fd, host->get_sockaddr(host), + *host->get_sockaddr_len(host)) == 0, "%m"); + host->destroy(host); + ck_assert(listen(fd, 5) == 0); + + thread_cleanup_push(close_fd_ptr, &fd); + + thread_cancelability(TRUE); + while (TRUE) + { + c = accept(fd, NULL, NULL); + ck_assert(c >= 0); + close(c); + } +} + +static void cancellation_cond() +{ + mutex_t *mutex; + condvar_t *cond; + + mutex = mutex_create(MUTEX_TYPE_DEFAULT); + cond = condvar_create(CONDVAR_TYPE_DEFAULT); + mutex->lock(mutex); + + thread_cleanup_push((void*)mutex->destroy, mutex); + thread_cleanup_push((void*)cond->destroy, cond); + + thread_cancelability(TRUE); + while (TRUE) + { + cond->wait(cond, mutex); + } +} + +static void cancellation_rwcond() +{ + rwlock_t *lock; + rwlock_condvar_t *cond; + + lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + cond = rwlock_condvar_create(); + lock->write_lock(lock); + + thread_cleanup_push((void*)lock->destroy, lock); + thread_cleanup_push((void*)cond->destroy, cond); + + thread_cancelability(TRUE); + while (TRUE) + { + cond->wait(cond, lock); + } +} + +static void (*cancellation_points[])() = { + cancellation_read, + cancellation_recv, + cancellation_select, + cancellation_poll, + cancellation_accept, + cancellation_cond, + cancellation_rwcond, +}; + +static void* run_cancellation_point(void (*fn)()) +{ + fn(); + return NULL; +} + +static void* run_cancellation_point_pre(void (*fn)()) +{ + usleep(5000); + fn(); + return NULL; +} + +START_TEST(test_cancellation_point) +{ + thread_t *thread; + + thread = thread_create((void*)run_cancellation_point, + cancellation_points[_i]); + usleep(5000); + thread->cancel(thread); + thread->join(thread); +} +END_TEST + +START_TEST(test_cancellation_point_pre) +{ + thread_t *thread; + + thread = thread_create((void*)run_cancellation_point_pre, + cancellation_points[_i]); + thread->cancel(thread); + thread->join(thread); +} +END_TEST + static void cleanup1(void *data) { uintptr_t *value = (uintptr_t*)data; @@ -1423,6 +1651,7 @@ Suite *threading_suite_create() tc = tcase_create("rwlock"); tcase_add_test(tc, test_rwlock); + tcase_add_test(tc, test_rwlock_try); suite_add_tcase(s, tc); tc = tcase_create("rwlock condvar"); @@ -1456,6 +1685,13 @@ Suite *threading_suite_create() tcase_add_test(tc, test_cancel_point); suite_add_tcase(s, tc); + tc = tcase_create("thread cancellation point"); + tcase_add_loop_test(tc, test_cancellation_point, + 0, countof(cancellation_points)); + tcase_add_loop_test(tc, test_cancellation_point_pre, + 0, countof(cancellation_points)); + suite_add_tcase(s, tc); + tc = tcase_create("thread cleanup"); tcase_add_test(tc, test_cleanup); tcase_add_test(tc, test_cleanup_exit); diff --git a/src/libstrongswan/tests/suites/test_traffic_selector.c b/src/libstrongswan/tests/suites/test_traffic_selector.c new file mode 100644 index 000000000..4312c6ce1 --- /dev/null +++ b/src/libstrongswan/tests/suites/test_traffic_selector.c @@ -0,0 +1,284 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include + + +static void verify(const char *str, const char *alt, traffic_selector_t *ts) +{ + char buf[512]; + + ck_assert(ts != NULL); + snprintf(buf, sizeof(buf), "%R", ts); + ts->destroy(ts); + if (!streq(buf, str) && !streq(buf, alt)) + { + fail("%s != %s or %s", buf, str, alt); + } +} + +START_TEST(test_create_from_string) +{ + verify("10.1.0.0/16[tcp/http]", "10.1.0.0/16[6/80]", + traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV4_ADDR_RANGE, + "10.1.0.0", 80, "10.1.255.255", 80)); + verify("10.1.0.1..10.1.0.99[udp/1234-1235]", + "10.1.0.1..10.1.0.99[17/1234-1235]", + traffic_selector_create_from_string(IPPROTO_UDP, TS_IPV4_ADDR_RANGE, + "10.1.0.1", 1234, "10.1.0.99", 1235)); + verify("fec1::/64", NULL, + traffic_selector_create_from_string(0, TS_IPV6_ADDR_RANGE, + "fec1::", 0, "fec1::ffff:ffff:ffff:ffff", 65535)); +} +END_TEST + +START_TEST(test_create_from_cidr) +{ + verify("10.1.0.0/16", NULL, + traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535)); + verify("10.1.0.1/32[udp/1234-1235]", "10.1.0.1/32[17/1234-1235]", + traffic_selector_create_from_cidr("10.1.0.1/32", IPPROTO_UDP, + 1234, 1235)); +} +END_TEST + +START_TEST(test_create_from_bytes) +{ + verify("10.1.0.0/16", NULL, + traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE, + chunk_from_chars(0x0a,0x01,0x00,0x00), 0, + chunk_from_chars(0x0a,0x01,0xff,0xff), 65535)); +} +END_TEST + +START_TEST(test_create_from_subnet) +{ + verify("10.1.0.0/16", NULL, + traffic_selector_create_from_subnet( + host_create_from_string("10.1.0.0", 0), 16, 0, 0, 65535)); +} +END_TEST + + +START_TEST(test_subset) +{ + traffic_selector_t *a, *b; + + a = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535); + b = traffic_selector_create_from_cidr("10.1.5.0/24", 0, 0, 65535); + verify("10.1.5.0/24", NULL, a->get_subset(a, b)); + a->destroy(a); + b->destroy(b); +} +END_TEST + +START_TEST(test_subset_port) +{ + traffic_selector_t *a, *b; + + a = traffic_selector_create_from_cidr("10.0.0.0/8", IPPROTO_TCP, 55, 60); + b = traffic_selector_create_from_cidr("10.2.7.16/30", 0, 0, 65535); + verify("10.2.7.16/30[tcp/55-60]", "10.2.7.16/30[6/55-60]", + a->get_subset(a, b)); + a->destroy(a); + b->destroy(b); +} +END_TEST + +START_TEST(test_subset_equal) +{ + traffic_selector_t *a, *b; + + a = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_TCP, 80, 80); + b = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_TCP, 80, 80); + verify("10.1.0.0/16[tcp/http]", "10.1.0.0/16[6/80]", a->get_subset(a, b)); + a->destroy(a); + b->destroy(b); +} +END_TEST + +START_TEST(test_subset_nonet) +{ + traffic_selector_t *a, *b; + + a = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535); + b = traffic_selector_create_from_cidr("10.2.0.0/16", 0, 0, 65535); + ck_assert(a->get_subset(a, b) == NULL); + a->destroy(a); + b->destroy(b); +} +END_TEST + +START_TEST(test_subset_noport) +{ + traffic_selector_t *a, *b; + + a = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 9999); + b = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 10000, 65535); + ck_assert(a->get_subset(a, b) == NULL); + a->destroy(a); + b->destroy(b); +} +END_TEST + +START_TEST(test_subset_noproto) +{ + traffic_selector_t *a, *b; + + a = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_TCP, 0, 65535); + b = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_UDP, 0, 65535); + ck_assert(a->get_subset(a, b) == NULL); + a->destroy(a); + b->destroy(b); +} +END_TEST + +START_TEST(test_subset_nofamily) +{ + traffic_selector_t *a, *b; + + a = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535); + b = traffic_selector_create_from_cidr("::/0", 0, 0, 65535); + ck_assert(a->get_subset(a, b) == NULL); + a->destroy(a); + b->destroy(b); +} +END_TEST + +struct { + char *net; + char *host; + bool inc; +} include_tests[] = { + { "0.0.0.0/0", "192.168.1.2", TRUE }, + { "::/0", "fec2::1", TRUE }, + { "fec2::/64", "fec2::afaf", TRUE }, + { "10.1.0.0/16", "10.1.0.1", TRUE }, + { "10.5.6.7/32", "10.5.6.7", TRUE }, + { "0.0.0.0/0", "fec2::1", FALSE }, + { "::/0", "1.2.3.4", FALSE }, + { "10.0.0.0/16", "10.1.0.0", FALSE }, + { "fec2::/64", "fec2:0:0:1::afaf", FALSE }, +}; + +START_TEST(test_includes) +{ + traffic_selector_t *ts; + host_t *h; + + ts = traffic_selector_create_from_cidr(include_tests[_i].net, 0, 0, 65535); + h = host_create_from_string(include_tests[_i].host, 0); + ck_assert(ts->includes(ts, h) == include_tests[_i].inc); + ts->destroy(ts); + h->destroy(h); +} +END_TEST + +struct { + int res; + struct { + char *net; + u_int8_t proto; + u_int16_t from_port; + u_int16_t to_port; + } a, b; +} cmp_tests[] = { + { 0, { "10.0.0.0/8", 0, 0, 65535 }, { "10.0.0.0/8", 0, 0, 65535 }, }, + { 0, { "10.0.0.0/8", 17, 123, 456 }, { "10.0.0.0/8", 17, 123, 456 }, }, + { 0, { "fec2::/64", 0, 0, 65535 }, { "fec2::/64", 0, 0, 65535 }, }, + { 0, { "fec2::/64", 4, 0, 65535 }, { "fec2::/64", 4, 0, 65535 }, }, + + { -1, { "1.0.0.0/8", 0, 0, 65535 }, { "2.0.0.0/8", 0, 0, 65535 }, }, + { 1, { "2.0.0.0/8", 0, 0, 65535 }, { "1.0.0.0/8", 0, 0, 65535 }, }, + { -1, { "1.0.0.0/8", 0, 0, 65535 }, { "1.0.0.0/16", 0, 0, 65535 }, }, + { 1, { "1.0.0.0/16", 0, 0, 65535 }, { "1.0.0.0/8", 0, 0, 65535 }, }, + + { -1, { "10.0.0.0/8", 0, 0, 65535 }, { "fec2::/64", 0, 0, 65535 }, }, + { 1, { "fec2::/64", 0, 0, 65535 }, { "10.0.0.0/8", 0, 0, 65535 }, }, + + { -1, { "10.0.0.0/8", 16, 123, 456 }, { "10.0.0.0/8", 17, 123, 456 }, }, + { 1, { "fec2::/64", 5, 0, 65535 }, { "fec2::/64", 4, 0, 65535 }, }, + + { -1, { "10.0.0.0/8", 17, 111, 456 }, { "10.0.0.0/8", 17, 222, 456 }, }, + { 1, { "fec2::/64", 17, 555, 65535 }, { "fec2::/64", 17, 444, 65535 },}, + + { -1, { "10.0.0.0/8", 17, 55, 65535 }, { "10.0.0.0/8", 17, 55, 666 }, }, + { 1, { "fec2::/64", 17, 55, 111 }, { "fec2::/64", 17, 55, 4567 }, }, + +}; + +START_TEST(test_cmp) +{ + traffic_selector_t *a, *b; + + a = traffic_selector_create_from_cidr( + cmp_tests[_i].a.net, cmp_tests[_i].a.proto, + cmp_tests[_i].a.from_port, cmp_tests[_i].a.to_port); + b = traffic_selector_create_from_cidr( + cmp_tests[_i].b.net, cmp_tests[_i].b.proto, + cmp_tests[_i].b.from_port, cmp_tests[_i].b.to_port); + switch (cmp_tests[_i].res) + { + case 0: + ck_assert(traffic_selector_cmp(a, b, NULL) == 0); + break; + case 1: + ck_assert(traffic_selector_cmp(a, b, NULL) > 0); + break; + case -1: + ck_assert(traffic_selector_cmp(a, b, NULL) < 0); + break; + } + a->destroy(a); + b->destroy(b); +} +END_TEST + +Suite *traffic_selector_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("traffic selector"); + + tc = tcase_create("create"); + tcase_add_test(tc, test_create_from_string); + tcase_add_test(tc, test_create_from_cidr); + tcase_add_test(tc, test_create_from_bytes); + tcase_add_test(tc, test_create_from_subnet); + suite_add_tcase(s, tc); + + tc = tcase_create("subset"); + tcase_add_test(tc, test_subset); + tcase_add_test(tc, test_subset_port); + tcase_add_test(tc, test_subset_equal); + tcase_add_test(tc, test_subset_nonet); + tcase_add_test(tc, test_subset_noport); + tcase_add_test(tc, test_subset_noproto); + tcase_add_test(tc, test_subset_nofamily); + suite_add_tcase(s, tc); + + tc = tcase_create("includes"); + tcase_add_loop_test(tc, test_includes, 0, countof(include_tests)); + suite_add_tcase(s, tc); + + tc = tcase_create("cmp"); + tcase_add_loop_test(tc, test_cmp, 0, countof(cmp_tests)); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c index abca4620e..85a854456 100644 --- a/src/libstrongswan/tests/suites/test_utils.c +++ b/src/libstrongswan/tests/suites/test_utils.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Tobias Brunner + * Copyright (C) 2013-2015 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -18,6 +18,7 @@ #include #include #include +#include #include @@ -695,6 +696,44 @@ START_TEST(test_mark_from_string) } END_TEST +/******************************************************************************* + * signature_schemes_for_key + */ + +static struct { + key_type_t type; + int size; + signature_scheme_t expected[4]; +} scheme_data[] = { + {KEY_RSA, 1024, { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA384, SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }}, + {KEY_RSA, 2048, { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA384, SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }}, + {KEY_RSA, 4096, { SIGN_RSA_EMSA_PKCS1_SHA384, SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }}, + {KEY_RSA, 8192, { SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }}, + {KEY_ECDSA, 256, { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }}, + {KEY_ECDSA, 384, { SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }}, + {KEY_ECDSA, 512, { SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }}, + {KEY_BLISS, 128, { SIGN_BLISS_WITH_SHA256, SIGN_BLISS_WITH_SHA384, SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }}, + {KEY_BLISS, 192, { SIGN_BLISS_WITH_SHA384, SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }}, + {KEY_BLISS, 256, { SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }}, +}; + +START_TEST(test_signature_schemes_for_key) +{ + enumerator_t *enumerator; + signature_scheme_t scheme; + int i; + + enumerator = signature_schemes_for_key(scheme_data[_i].type, scheme_data[_i].size); + for (i = 0; scheme_data[_i].expected[i] != SIGN_UNKNOWN; i++) + { + ck_assert(enumerator->enumerate(enumerator, &scheme)); + ck_assert_int_eq(scheme_data[_i].expected[i], scheme); + } + ck_assert(!enumerator->enumerate(enumerator, &scheme)); + enumerator->destroy(enumerator); +} +END_TEST + Suite *utils_suite_create() { Suite *s; @@ -777,5 +816,9 @@ Suite *utils_suite_create() tcase_add_loop_test(tc, test_mark_from_string, 0, countof(mark_data)); suite_add_tcase(s, tc); + tc = tcase_create("signature_schemes_for_key"); + tcase_add_loop_test(tc, test_signature_schemes_for_key, 0, countof(scheme_data)); + suite_add_tcase(s, tc); + return s; } diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h index 586227800..e1d8ca4ba 100644 --- a/src/libstrongswan/tests/tests.h +++ b/src/libstrongswan/tests/tests.h @@ -23,6 +23,7 @@ TEST_SUITE(linked_list_enumerator_suite_create) TEST_SUITE(hashtable_suite_create) TEST_SUITE(array_suite_create) TEST_SUITE(identification_suite_create) +TEST_SUITE(traffic_selector_suite_create) TEST_SUITE(threading_suite_create) TEST_SUITE(process_suite_create) TEST_SUITE(watcher_suite_create) @@ -32,6 +33,8 @@ TEST_SUITE(settings_suite_create) TEST_SUITE(vectors_suite_create) TEST_SUITE_DEPEND(ecdsa_suite_create, PRIVKEY_GEN, KEY_ECDSA) TEST_SUITE_DEPEND(rsa_suite_create, PRIVKEY_GEN, KEY_RSA) +TEST_SUITE_DEPEND(certpolicy_suite_create, CERT_ENCODE, CERT_X509) +TEST_SUITE_DEPEND(certnames_suite_create, CERT_ENCODE, CERT_X509) TEST_SUITE(host_suite_create) TEST_SUITE(printf_suite_create) TEST_SUITE(hasher_suite_create) @@ -41,5 +44,7 @@ TEST_SUITE(pen_suite_create) TEST_SUITE(asn1_suite_create) TEST_SUITE(asn1_parser_suite_create) TEST_SUITE(test_rng_suite_create) +TEST_SUITE_DEPEND(mgf1_sha1_suite_create, HASHER, HASH_SHA1) +TEST_SUITE_DEPEND(mgf1_sha256_suite_create, HASHER, HASH_SHA256) TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT) TEST_SUITE_DEPEND(fetch_http_suite_create, FETCHER, "http://") diff --git a/src/libstrongswan/threading/semaphore.h b/src/libstrongswan/threading/semaphore.h index 34d814971..d3ab0f3d9 100644 --- a/src/libstrongswan/threading/semaphore.h +++ b/src/libstrongswan/threading/semaphore.h @@ -21,10 +21,7 @@ #ifndef THREADING_SEMAPHORE_H_ #define THREADING_SEMAPHORE_H_ -#ifdef __APPLE__ -/* Mach uses a semaphore_create() call, use a different name for ours */ -#define semaphore_create(x) strongswan_semaphore_create(x) -#endif /* __APPLE__ */ +#include typedef struct semaphore_t semaphore_t; @@ -87,4 +84,3 @@ struct semaphore_t { semaphore_t *semaphore_create(u_int value); #endif /** THREADING_SEMAPHORE_H_ @} */ - diff --git a/src/libstrongswan/threading/thread.h b/src/libstrongswan/threading/thread.h index 6abb83411..38275541e 100644 --- a/src/libstrongswan/threading/thread.h +++ b/src/libstrongswan/threading/thread.h @@ -21,40 +21,9 @@ #ifndef THREADING_THREAD_H_ #define THREADING_THREAD_H_ -typedef struct thread_t thread_t; - -#ifdef __APPLE__ -/* thread_create is a syscall used to create Mach kernel threads and although - * there are no errors or warnings during compilation or linkage the dynamic - * linker does not use our implementation, therefore we rename it here - */ -#define thread_create(main, arg) strongswan_thread_create(main, arg) +#include -/* on Mac OS X 10.5 several system calls we use are no cancellation points. - * fortunately, select isn't one of them, so we wrap some of the others with - * calls to select(2). - */ -#include -#include - -#define WRAP_WITH_SELECT(func, socket, ...)\ - fd_set rfds; FD_ZERO(&rfds); FD_SET(socket, &rfds);\ - if (select(socket + 1, &rfds, NULL, NULL, NULL) <= 0) { return -1; }\ - return func(socket, __VA_ARGS__) - -static inline int cancellable_accept(int socket, struct sockaddr *address, - socklen_t *address_len) -{ - WRAP_WITH_SELECT(accept, socket, address, address_len); -} -#define accept cancellable_accept -static inline int cancellable_recvfrom(int socket, void *buffer, size_t length, - int flags, struct sockaddr *address, socklen_t *address_len) -{ - WRAP_WITH_SELECT(recvfrom, socket, buffer, length, flags, address, address_len); -} -#define recvfrom cancellable_recvfrom -#endif /* __APPLE__ */ +typedef struct thread_t thread_t; /** * Main function of a thread. @@ -189,32 +158,4 @@ void threads_init(); */ void threads_deinit(); - -#ifdef __APPLE__ - -/* - * While select() is a cancellation point, it seems that OS X does not honor - * pending cancellation points when entering the function. We manually test for - * and honor pending cancellation requests, but this obviously can't prevent - * some race conditions where the the cancellation happens after the check, - * but before the select. - */ -static inline int precancellable_select(int nfds, fd_set *restrict readfds, - fd_set *restrict writefds, fd_set *restrict errorfds, - struct timeval *restrict timeout) -{ - if (thread_cancelability(TRUE)) - { - thread_cancellation_point(); - } - else - { - thread_cancelability(FALSE); - } - return select(nfds, readfds, writefds, errorfds, timeout); -} -#define select precancellable_select - -#endif /* __APPLE__ */ - #endif /** THREADING_THREAD_H_ @} */ diff --git a/src/libstrongswan/threading/windows/rwlock.c b/src/libstrongswan/threading/windows/rwlock.c index 0de57f713..fc0d6d864 100644 --- a/src/libstrongswan/threading/windows/rwlock.c +++ b/src/libstrongswan/threading/windows/rwlock.c @@ -85,8 +85,6 @@ METHOD(rwlock_t, write_lock, void, METHOD(rwlock_t, try_write_lock, bool, private_rwlock_t *this) { - /* TODO: causes random failures and segfaults. Bug? */ - return FALSE; return TryAcquireSRWLockExclusive(&this->srw); } diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c index 4b24b37c2..c4471be70 100644 --- a/src/libstrongswan/utils/chunk.c +++ b/src/libstrongswan/utils/chunk.c @@ -992,7 +992,7 @@ u_int32_t chunk_hash_static(chunk_t chunk) */ u_int16_t chunk_internet_checksum_inc(chunk_t data, u_int16_t checksum) { - u_int32_t sum = ntohs(~checksum); + u_int32_t sum = ntohs((u_int16_t)~checksum); while (data.len > 1) { diff --git a/src/libstrongswan/utils/compat/apple.h b/src/libstrongswan/utils/compat/apple.h new file mode 100644 index 000000000..61afb9d9e --- /dev/null +++ b/src/libstrongswan/utils/compat/apple.h @@ -0,0 +1,119 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup apple apple + * @{ @ingroup compat + */ + +#ifndef APPLE_H_ +#define APPLE_H_ + +#include +#include +#include + +/* thread_create is a syscall used to create Mach kernel threads and although + * there are no errors or warnings during compilation or linkage the dynamic + * linker does not use our implementation, therefore we rename it here + */ +#define thread_create(main, arg) strongswan_thread_create(main, arg) + +/* Mach uses a semaphore_create() call, use a different name for ours */ +#define semaphore_create(x) strongswan_semaphore_create(x) + +/* Since OS X 10.10 XPC includes some additional conflicting Mach types */ +#define host_t strongswan_host_t +#define processor_t strongswan_processor_t +#define task_t strongswan_task_t +#define thread_t strongswan_thread_t + +/* forward declaration, see below */ +static inline int precancellable_poll(struct pollfd fds[], nfds_t nfds, + int timeout); + +/* on Mac OS X 10.5 several system calls we use are no cancellation points. + * fortunately, select isn't one of them, so we wrap some of the others with + * calls to select(2). + */ + +#define WRAP_WITH_POLL(func, socket, ...) \ + struct pollfd pfd = { \ + .fd = socket, \ + .events = POLLIN, \ + }; \ + if (precancellable_poll(&pfd, 1, -1) <= 0) \ + {\ + return -1; \ + }\ + return func(socket, __VA_ARGS__) + +static inline int cancellable_accept(int socket, struct sockaddr *address, + socklen_t *address_len) +{ + WRAP_WITH_POLL(accept, socket, address, address_len); +} +#define accept cancellable_accept +static inline int cancellable_recvfrom(int socket, void *buffer, size_t length, + int flags, struct sockaddr *address, socklen_t *address_len) +{ + WRAP_WITH_POLL(recvfrom, socket, buffer, length, flags, address, address_len); +} +#define recvfrom cancellable_recvfrom + +#include + +/* + * While select() is a cancellation point, it seems that OS X does not honor + * pending cancellation points when entering the function. We manually test for + * and honor pending cancellation requests, but this obviously can't prevent + * some race conditions where the the cancellation happens after the check, + * but before the select. + */ +static inline int precancellable_select(int nfds, fd_set *restrict readfds, + fd_set *restrict writefds, fd_set *restrict errorfds, + struct timeval *restrict timeout) +{ + if (thread_cancelability(TRUE)) + { + thread_cancellation_point(); + } + else + { + thread_cancelability(FALSE); + } + return select(nfds, readfds, writefds, errorfds, timeout); +} +#define select precancellable_select + +/* + * The same as to select(2) applies to poll(2) + */ +static inline int precancellable_poll(struct pollfd fds[], nfds_t nfds, + int timeout) +{ + if (thread_cancelability(TRUE)) + { + thread_cancellation_point(); + } + else + { + thread_cancelability(FALSE); + } + return poll(fds, nfds, timeout); +} +#define poll precancellable_poll + +#endif /** APPLE_H_ @}*/ diff --git a/src/libstrongswan/utils/compat/windows.c b/src/libstrongswan/utils/compat/windows.c new file mode 100644 index 000000000..1f22ffa02 --- /dev/null +++ b/src/libstrongswan/utils/compat/windows.c @@ -0,0 +1,684 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/* WSAPoll() */ +#define _WIN32_WINNT 0x0600 + +#include + +#include + +/** + * See header + */ +void windows_init() +{ + WSADATA wsad; + + /* initialize winsock2 */ + WSAStartup(MAKEWORD(2, 2), &wsad); +} + +/** + * See header + */ +void windows_deinit() +{ + WSACleanup(); +} + +/** + * See header + */ +int usleep(useconds_t usec) +{ + if (usec > 0 && usec < 1000) + { /* do not Sleep(0) for small values */ + usec = 1000; + } + SleepEx(usec / 1000, TRUE); + return 0; +} + +/** + * See header. + */ +char* strndup(const char *s, size_t n) +{ + char *dst; + + n = min(strnlen(s, n), n); + dst = malloc(n + 1); + memcpy(dst, s, n); + dst[n] = '\0'; + + return dst; +} + +/* + * See header. + */ +void *dlopen(const char *filename, int flag) +{ + return LoadLibrary(filename); +} + +/** + * Load a symbol from known default libs (monolithic build) + */ +static void* dlsym_default(const char *name) +{ + const char *dlls[] = { + "libstrongswan-0.dll", + "libhydra-0.dll", + "libcharon-0.dll", + "libtnccs-0.dll", + NULL /* .exe */ + }; + HANDLE handle; + void *sym = NULL; + int i; + + for (i = 0; i < countof(dlls); i++) + { + handle = GetModuleHandle(dlls[i]); + if (handle) + { + sym = GetProcAddress(handle, name); + if (sym) + { + break; + } + } + } + return sym; +} + +/** + * Emulate RTLD_NEXT for some known symbols + */ +static void* dlsym_next(const char *name) +{ + struct { + const char *dll; + const char *syms[4]; + } dlls[] = { + /* for leak detective */ + { "msvcrt", + { "malloc", "calloc", "realloc", "free" } + }, + }; + HANDLE handle = NULL; + int i, j; + + for (i = 0; i < countof(dlls); i++) + { + for (j = 0; j < countof(dlls[0].syms); j++) + { + if (dlls[i].syms[j] && streq(dlls[i].syms[j], name)) + { + handle = GetModuleHandle(dlls[i].dll); + break; + } + } + } + if (handle) + { + return GetProcAddress(handle, name); + } + return handle; +} + +/** + * See header. + */ +void* dlsym(void *handle, const char *symbol) +{ + if (handle == RTLD_DEFAULT) + { + return dlsym_default(symbol); + } + if (handle == RTLD_NEXT) + { + return dlsym_next(symbol); + } + return GetProcAddress((HMODULE)handle, symbol); +} + +/** + * See header. + */ +char* dlerror(void) +{ + static char buf[128]; + char *pos; + DWORD err; + + err = GetLastError(); + if (FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, + NULL, err, 0, buf, sizeof(buf), NULL) > 0) + { + pos = strchr(buf, '\n'); + if (pos) + { + *pos = '\0'; + } + } + else + { + snprintf(buf, sizeof(buf), "(%u)", err); + } + return buf; +} + +/** + * See header. + */ +int dlclose(void *handle) +{ + return FreeLibrary((HMODULE)handle); +} + +/** + * See header + */ +int socketpair(int domain, int type, int protocol, int sv[2]) +{ + struct sockaddr_in addr = { + .sin_family = AF_INET, + .sin_addr.s_addr = htonl(INADDR_LOOPBACK), + }; + socklen_t len = sizeof(addr); + int s, c, sc; + BOOL on; + + /* We don't check domain for AF_INET, as we use it as replacement for + * AF_UNIX. */ + if (type != SOCK_STREAM) + { + errno = EINVAL; + return -1; + } + if (protocol != 0 && protocol != IPPROTO_TCP) + { + errno = EINVAL; + return -1; + } + s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); + if (s == -1) + { + return -1; + } + c = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); + if (c == -1) + { + closesocket(s); + return -1; + } + if (bind(s, (struct sockaddr*)&addr, sizeof(addr)) == 0 && + getsockname(s,(struct sockaddr*)&addr, &len) == 0 && + listen(s, 0) == 0 && + connect(c, (struct sockaddr*)&addr, sizeof(addr)) == 0) + { + sc = accept(s, NULL, NULL); + if (sc >= 0) + { + closesocket(s); + s = sc; + if (setsockopt(s, IPPROTO_TCP, TCP_NODELAY, + (void*)&on, sizeof(on)) == 0 && + setsockopt(c, IPPROTO_TCP, TCP_NODELAY, + (void*)&on, sizeof(on)) == 0) + { + sv[0] = s; + sv[1] = c; + return 0; + } + } + } + closesocket(s); + closesocket(c); + return -1; +} + +/** + * See header + */ +char* getpass(const char *prompt) +{ + static char buf[64] = ""; + char *pos; + HANDLE in, out; + DWORD mode, written = 0, total, done; + + out = GetStdHandle(STD_OUTPUT_HANDLE); + in = GetStdHandle(STD_INPUT_HANDLE); + + if (out == INVALID_HANDLE_VALUE || in == INVALID_HANDLE_VALUE || + !GetConsoleMode(out, &mode) || !GetConsoleMode(in, &mode)) + { + return NULL; + } + + total = strlen(prompt); + while (written < total) + { + if (!WriteConsole(out, prompt + written, total - written, &done, NULL)) + { + return NULL; + } + written += done; + } + + if (!SetConsoleMode(in, mode & ~ENABLE_ECHO_INPUT)) + { + return NULL; + } + + while (TRUE) + { + if (!ReadConsole(in, buf, sizeof(buf), &done, NULL)) + { + SetConsoleMode(in, mode); + return NULL; + } + buf[sizeof(buf)-1] = '\0'; + + if (done) + { + pos = strchr(buf, '\r'); + if (pos) + { + *pos = '\0'; + } + break; + } + } + SetConsoleMode(in, mode); + + /* append a newline, as we have no echo during input */ + WriteConsole(out, "\r\n", 2, &done, NULL); + + return buf; +} + +/** + * See header. + */ +#undef strerror_s +int strerror_s_extended(char *buf, size_t buflen, int errnum) +{ + const char *errstr [] = { + /* EADDRINUSE */ "Address in use", + /* EADDRNOTAVAIL */ "Address not available", + /* EAFNOSUPPORT */ "Address family not supported", + /* EALREADY */ "Connection already in progress", + /* EBADMSG */ "Bad message", + /* ECANCELED */ "Operation canceled", + /* ECONNABORTED */ "Connection aborted", + /* ECONNREFUSED */ "Connection refused", + /* ECONNRESET */ "Connection reset", + /* EDESTADDRREQ */ "Destination address required", + /* EHOSTUNREACH */ "Host is unreachable", + /* EIDRM */ "Identifier removed", + /* EINPROGRESS */ "Operation in progress", + /* EISCONN */ "Socket is connected", + /* ELOOP */ "Too many levels of symbolic links", + /* EMSGSIZE */ "Message too large", + /* ENETDOWN */ "Network is down", + /* ENETRESET */ "Connection aborted by network", + /* ENETUNREACH */ "Network unreachable", + /* ENOBUFS */ "No buffer space available", + /* ENODATA */ "No message is available", + /* ENOLINK */ "No link", + /* ENOMSG */ "No message of the desired type", + /* ENOPROTOOPT */ "Protocol not available", + /* ENOSR */ "No stream resources", + /* ENOSTR */ "Not a stream", + /* ENOTCONN */ "The socket is not connected", + /* ENOTRECOVERABLE */ "State not recoverable", + /* ENOTSOCK */ "Not a socket", + /* ENOTSUP */ "Not supported", + /* EOPNOTSUPP */ "Operation not supported on socket", + /* EOTHER */ "Other error", + /* EOVERFLOW */ "Value too large to be stored in data type", + /* EOWNERDEAD */ "Previous owner died", + /* EPROTO */ "Protocol error", + /* EPROTONOSUPPORT */ "Protocol not supported", + /* EPROTOTYPE */ "Protocol wrong type for socket", + /* ETIME */ "Timeout", + /* ETIMEDOUT */ "Connection timed out", + /* ETXTBSY */ "Text file busy", + /* EWOULDBLOCK */ "Operation would block", + }; + int offset = EADDRINUSE; + + if (errnum < offset || errnum >= offset + countof(errstr)) + { + return strerror_s(buf, buflen, errnum); + } + strncpy(buf, errstr[errnum - offset], buflen); + buf[buflen - 1] = '\0'; + return 0; +} + +/** + * Set errno for a function setting WSA error on failure + */ +static int wserr(int retval) +{ + if (retval < 0) + { + static const struct { + DWORD wsa; + int err; + } map[] = { + { WSANOTINITIALISED, EBADF }, + { WSAENETDOWN, ENETDOWN }, + { WSAENETRESET, ENETRESET }, + { WSAECONNABORTED, ECONNABORTED }, + { WSAESHUTDOWN, ECONNABORTED }, + { WSAEACCES, EACCES }, + { WSAEINTR, EINTR }, + { WSAEINPROGRESS, EINPROGRESS }, + { WSAEFAULT, EFAULT }, + { WSAENOBUFS, ENOBUFS }, + { WSAENOTSOCK, ENOTSOCK }, + { WSAEOPNOTSUPP, EOPNOTSUPP }, + { WSAEWOULDBLOCK, EWOULDBLOCK }, + { WSAEMSGSIZE, EMSGSIZE }, + { WSAEINVAL, EINVAL }, + { WSAENOTCONN, ENOTCONN }, + { WSAEHOSTUNREACH, EHOSTUNREACH }, + { WSAENETUNREACH, ENETUNREACH }, + { WSAECONNABORTED, ECONNABORTED }, + { WSAECONNRESET, ECONNRESET }, + { WSAETIMEDOUT, ETIMEDOUT }, + { WSAEMFILE, EMFILE }, + { WSAEALREADY, EALREADY }, + { WSAEDESTADDRREQ, EDESTADDRREQ }, + { WSAEISCONN, EISCONN }, + { WSAEOPNOTSUPP, EOPNOTSUPP }, + { WSAEPROTOTYPE, EPROTOTYPE }, + { WSAENOPROTOOPT, ENOPROTOOPT }, + { WSAEPROTONOSUPPORT, EPROTONOSUPPORT }, + { WSAEPFNOSUPPORT, EPROTONOSUPPORT }, + { WSAEAFNOSUPPORT, EAFNOSUPPORT }, + { WSAEADDRNOTAVAIL, EADDRNOTAVAIL }, + { WSAEADDRINUSE, EADDRINUSE }, + { WSAETIMEDOUT, ETIMEDOUT }, + { WSAECONNREFUSED, ECONNREFUSED }, + { WSAELOOP, ELOOP }, + { WSAENAMETOOLONG, ENAMETOOLONG }, + { WSAENOTEMPTY, ENOTEMPTY }, + { WSAEPROTOTYPE, EPROTOTYPE }, + { WSAVERNOTSUPPORTED, ENOTSUP }, + }; + DWORD wsa, i; + + wsa = WSAGetLastError(); + for (i = 0; i < countof(map); i++) + { + if (map[i].wsa == wsa) + { + errno = map[i].err; + return retval; + } + } + errno = ENOENT; + return retval; + } + errno = 0; + return retval; +} + +/** + * Check and clear the dontwait flag + */ +static bool check_dontwait(int *flags) +{ + if (*flags & MSG_DONTWAIT) + { + *flags &= ~MSG_DONTWAIT; + return TRUE; + } + return FALSE; +} + +/** + * See header + */ +#undef shutdown +int windows_shutdown(int sockfd, int how) +{ + return wserr(shutdown(sockfd, how)); +} + +/** + * See header + */ +#undef accept +int windows_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen) +{ + return wserr(accept(sockfd, addr, addrlen)); +} + +/** + * See header + */ +#undef bind +int windows_bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) +{ + return wserr(bind(sockfd, addr, addrlen)); +} + +/** + * See header + */ +#undef connect +int windows_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) +{ + return wserr(connect(sockfd, addr, addrlen)); +} + +/** + * See header + */ +#undef getsockname +int windows_getsockname(int sockfd, struct sockaddr *addr, socklen_t *addrlen) +{ + return wserr(getsockname(sockfd, addr, addrlen)); +} + +/** + * See header + */ +#undef getsockopt +int windows_getsockopt(int sockfd, int level, int optname, + void *optval, socklen_t *optlen) +{ + return wserr(getsockopt(sockfd, level, optname, optval, optlen)); +} + +/** + * See header + */ +#undef setsockopt +int windows_setsockopt(int sockfd, int level, int optname, + const void *optval, socklen_t optlen) +{ + return wserr(setsockopt(sockfd, level, optname, optval, optlen)); +} + +/** + * See header + */ +#undef socket +int windows_socket(int domain, int type, int protocol) +{ + return wserr(socket(domain, type, protocol)); +} + +/** + * See header + */ +#undef select +int windows_select(int nfds, fd_set *readfds, fd_set *writefds, + fd_set *exceptfds, struct timeval *timeout) +{ + return wserr(select(nfds, readfds, writefds, exceptfds, timeout)); +} + +/** + * See header + */ +#undef close +int windows_close(int fd) +{ + int ret; + + ret = close(fd); + if (ret == -1 && errno == EBADF) + { /* Winsock socket? */ + ret = wserr(closesocket(fd)); + } + return ret; +} + +/** + * See header + */ +#undef recv +ssize_t windows_recv(int sockfd, void *buf, size_t len, int flags) +{ + u_long on = 1, off = 0; + ssize_t outlen = -1; + + if (!check_dontwait(&flags)) + { + return wserr(recv(sockfd, buf, len, flags)); + } + if (wserr(ioctlsocket(sockfd, FIONBIO, &on) == 0)) + { + outlen = wserr(recv(sockfd, buf, len, flags)); + ioctlsocket(sockfd, FIONBIO, &off); + } + return outlen; +} + +/** + * See header + */ +#undef recvfrom +ssize_t windows_recvfrom(int sockfd, void *buf, size_t len, int flags, + struct sockaddr *src_addr, socklen_t *addrlen) +{ + u_long on = 1, off = 0; + ssize_t outlen = -1; + + if (!check_dontwait(&flags)) + { + return wserr(recvfrom(sockfd, buf, len, flags, src_addr, addrlen)); + } + if (wserr(ioctlsocket(sockfd, FIONBIO, &on)) == 0) + { + outlen = wserr(recvfrom(sockfd, buf, len, flags, src_addr, addrlen)); + ioctlsocket(sockfd, FIONBIO, &off); + } + return outlen; +} + +/** + * See header + */ +#undef send +ssize_t windows_send(int sockfd, const void *buf, size_t len, int flags) +{ + u_long on = 1, off = 0; + ssize_t outlen = -1; + + if (!check_dontwait(&flags)) + { + return wserr(send(sockfd, buf, len, flags)); + } + if (wserr(ioctlsocket(sockfd, FIONBIO, &on)) == 0) + { + outlen = wserr(send(sockfd, buf, len, flags)); + ioctlsocket(sockfd, FIONBIO, &off); + } + return outlen; +} + +/** + * See header + */ +#undef sendto +ssize_t windows_sendto(int sockfd, const void *buf, size_t len, int flags, + const struct sockaddr *dest_addr, socklen_t addrlen) +{ + u_long on = 1, off = 0; + ssize_t outlen = -1; + + if (!check_dontwait(&flags)) + { + return wserr(sendto(sockfd, buf, len, flags, dest_addr, addrlen)); + } + if (wserr(ioctlsocket(sockfd, FIONBIO, &on)) == 0) + { + outlen = wserr(sendto(sockfd, buf, len, flags, dest_addr, addrlen)); + ioctlsocket(sockfd, FIONBIO, &off); + } + return outlen; +} + +/** + * See header + */ +#undef read +ssize_t windows_read(int fd, void *buf, size_t count) +{ + ssize_t ret; + + ret = wserr(recv(fd, buf, count, 0)); + if (ret == -1 && errno == ENOTSOCK) + { + ret = read(fd, buf, count); + } + return ret; +} + +/** + * See header + */ +#undef write +ssize_t windows_write(int fd, void *buf, size_t count) +{ + ssize_t ret; + + ret = wserr(send(fd, buf, count, 0)); + if (ret == -1 && errno == ENOTSOCK) + { + ret = write(fd, buf, count); + } + return ret; +} + +/** + * See header + */ +int poll(struct pollfd *fds, int nfds, int timeout) +{ + return wserr(WSAPoll(fds, nfds, timeout)); +} diff --git a/src/libstrongswan/utils/compat/windows.h b/src/libstrongswan/utils/compat/windows.h new file mode 100644 index 000000000..fd4f1f196 --- /dev/null +++ b/src/libstrongswan/utils/compat/windows.h @@ -0,0 +1,627 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup windows windows + * @{ @ingroup compat + */ + +#ifndef WINDOWS_H_ +#define WINDOWS_H_ + +#include +#include +#include +#include +#include +#include + +/* undef Windows variants evaluating values more than once */ +#undef min +#undef max + +/* interface is defined as an alias to "struct" in basetypes.h, but + * we use it here and there as ordinary identifier. */ +#undef interface + +/* used by Windows API, but we have our own */ +#undef CALLBACK + +/* UID/GID types for capabilities, even if not supported */ +typedef u_int uid_t; +typedef u_int gid_t; + +/** + * Initialize Windows libraries + */ +void windows_init(); + +/** + * Deinitialize windows libraries + */ +void windows_deinit(); + +/** + * Replacement for random(3) + */ +static inline long random(void) +{ + return rand(); +} + +/** + * Replacement for srandom(3) + */ +static inline void srandom(unsigned int seed) +{ + srand(seed); +} + +/** + * Replacement of sched_yield(2) from + */ +static inline int sched_yield(void) +{ + Sleep(0); + return 0; +} + +/** + * Replacement of sleep(3), cancellable by thread_cancel() + */ +#define sleep sleep_cancellable +static inline int sleep_cancellable(unsigned int seconds) +{ + SleepEx(seconds * 1000, TRUE); + return 0; +} + +/** + * Replacement of usleep(3), cancellable, ms resolution only + */ +int usleep(useconds_t usec); + +/** + * strdup(3), the Windows variant can't free(strdup("")) and others + */ +#define strdup strdup_windows +static inline char* strdup_windows(const char *src) +{ + size_t len; + char *dst; + + len = strlen(src) + 1; + dst = malloc(len); + memcpy(dst, src, len); + return dst; +} + +/** + * strndup(3) + */ +char* strndup(const char *s, size_t n); + +/** + * Provided via ws2_32 + */ +#ifndef InetNtop +const char WINAPI *inet_ntop(int af, const void *src, char *dst, socklen_t size); +#endif + +/** + * Provided via ws2_32 + */ +#ifndef InetPton +int WINAPI inet_pton(int af, const char *src, void *dst); +#endif + +/** + * Provided by printf hook backend + */ +int asprintf(char **strp, const char *fmt, ...); + +/** + * Provided by printf hook backend + */ +int vasprintf(char **strp, const char *fmt, va_list ap); + +/** + * timeradd(3) from + */ +static inline void timeradd(struct timeval *a, struct timeval *b, + struct timeval *res) +{ + res->tv_sec = a->tv_sec + b->tv_sec; + res->tv_usec = a->tv_usec + b->tv_usec; + if (res->tv_usec >= 1000000) + { + res->tv_usec -= 1000000; + res->tv_sec++; + } +} + +/** + * timersub(3) from + */ +static inline void timersub(struct timeval *a, struct timeval *b, + struct timeval *res) +{ + res->tv_sec = a->tv_sec - b->tv_sec; + res->tv_usec = a->tv_usec - b->tv_usec; + if (res->tv_usec < 0) + { + res->tv_usec += 1000000; + res->tv_sec--; + } +} + +/** + * gmtime_r(3) from + */ +static inline struct tm *gmtime_r(const time_t *timep, struct tm *result) +{ + struct tm *ret; + + /* gmtime_s() and friends seem not to be implemented/functioning. + * Relying on gmtime() on Windows works as well, as it uses thread + * specific buffers. */ + ret = gmtime(timep); + if (ret) + { + memcpy(result, ret, sizeof(*result)); + } + return ret; +} + +/** + * localtime_r(3) from + */ +static inline struct tm *localtime_r(const time_t *timep, struct tm *result) +{ + struct tm *ret; + + /* localtime_s() and friends seem not to be implemented/functioning. + * Relying on localtime() on Windows works as well, as it uses thread + * specific buffers. */ + ret = localtime(timep); + if (ret) + { + memcpy(result, ret, sizeof(*result)); + } + return ret; +} + +/** + * setenv(3) from , overwrite flag is ignored + */ +static inline int setenv(const char *name, const char *value, int overwrite) +{ + if (SetEnvironmentVariableA(name, value) == 0) + { /* failed */ + return -1; + } + return 0; +} + +/** + * Lazy binding, ignored on Windows + */ +#define RTLD_LAZY 1 + +/** + * Default handle targeting .exe + */ +#define RTLD_DEFAULT (NULL) + +/** + * Find symbol in next library + */ +#define RTLD_NEXT ((void*)~(uintptr_t)0) + +/** + * dlopen(3) from + */ +void* dlopen(const char *filename, int flag); + +/** + * dlsym() from + */ +void* dlsym(void *handle, const char *symbol); + +/** + * dlerror(3) from , currently not thread save + */ +char* dlerror(void); + +/** + * dlclose() from + */ +int dlclose(void *handle); + +/** + * socketpair(2) for SOCK_STREAM, uses TCP on loopback + */ +int socketpair(int domain, int type, int protocol, int sv[2]); + +/** + * getpass(3) on Windows consoles + */ +char* getpass(const char *prompt); +#define HAVE_GETPASS + +/** + * Map MSG_DONTWAIT to the reserved, but deprecated MSG_INTERRUPT + */ +#define MSG_DONTWAIT MSG_INTERRUPT + +/** + * shutdown(2) "how"-aliases, to use Unix variant on Windows + */ +#define SHUT_RD SD_RECEIVE +#define SHUT_WR SD_SEND +#define SHUT_RDWR SD_BOTH + +/** + * shutdown(2) setting errno + */ +#define shutdown windows_shutdown +int windows_shutdown(int sockfd, int how); + +/** + * accept(2) setting errno + */ +#define accept windows_accept +int windows_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen); + +/** + * bind(2) setting errno + */ +#define bind windows_bind +int windows_bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen); + +/** + * connect(2) setting errno + */ +#define connect windows_connect +int windows_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen); + +/** + * getsockname(2) setting errno + */ +#define getsockname windows_getsockname +int windows_getsockname(int sockfd, struct sockaddr *addr, socklen_t *addrlen); + +/** + * getsockopt(2) setting errno + */ +#define getsockopt windows_getsockopt +int windows_getsockopt(int sockfd, int level, int optname, + void *optval, socklen_t *optlen); + +/** + * setsockopt(2) setting errno + */ +#define setsockopt windows_setsockopt +int windows_setsockopt(int sockfd, int level, int optname, + const void *optval, socklen_t optlen); + +/** + * socket(2) setting errno + */ +#define socket windows_socket +int windows_socket(int domain, int type, int protocol); + +/** + * select(2) setting errno + */ +#define select windows_select +int windows_select(int nfds, fd_set *readfds, fd_set *writefds, + fd_set *exceptfds, struct timeval *timeout); + +/** + * close(2) working for file handles and Winsock sockets + */ +#define close windows_close +int windows_close(int fd); + +/** + * recv(2) with support for MSG_DONTWAIT + */ +#define recv windows_recv +ssize_t windows_recv(int sockfd, void *buf, size_t len, int flags); + +/** + * recvfrom(2) with support for MSG_DONTWAIT + */ +#define recvfrom windows_recvfrom +ssize_t windows_recvfrom(int sockfd, void *buf, size_t len, int flags, + struct sockaddr *src_addr, socklen_t *addrlen); + +/** + * recvfrom(2) with support for MSG_DONTWAIT + */ +#define send windows_send +ssize_t windows_send(int sockfd, const void *buf, size_t len, int flags); + +/** + * recvfrom(2) with support for MSG_DONTWAIT + */ +#define sendto windows_send +ssize_t windows_sendto(int sockfd, const void *buf, size_t len, int flags, + const struct sockaddr *dest_addr, socklen_t addrlen); + +/** + * read(2) working on files and sockets, cancellable on sockets only + * + * On Windows, there does not seem to be a way how a cancellable read can + * be implemented on Low level I/O functions for files, _pipe()s or stdio. + */ +#define read windows_read +ssize_t windows_read(int fd, void *buf, size_t count); + +/** + * write(2) working on files and sockets + */ +#define write windows_write +ssize_t windows_write(int fd, void *buf, size_t count); + +#if _WIN32_WINNT < 0x0600 +/** + * Define pollfd and flags on our own if not specified + */ +struct pollfd { + SOCKET fd; + short events; + short revents; +}; +enum { + POLLERR = 0x0001, + POLLHUP = 0x0002, + POLLNVAL = 0x0004, + POLLWRNORM = 0x0010, + POLLWRBAND = 0x0020, + POLLPRI = 0x0400, + POLLRDNORM = 0x0100, + POLLRDBAND = 0x0200, + POLLIN = POLLRDNORM | POLLRDBAND, + POLLOUT = POLLWRNORM, +}; +#endif /* _WIN32_WINNT < 0x0600 */ + +/** + * poll(2), implemented using Winsock2 WSAPoll() + */ +int poll(struct pollfd *fds, int nfds, int timeout); + +/** + * Declaration missing on older WinGW + */ +_CRTIMP errno_t strerror_s(char *buf, size_t size, int errnum); + +/** + * strerror_s, but supporting POSIX compatibility errno >= 100 + */ +#define strerror_s strerror_s_extended +int strerror_s_extended(char *buf, size_t buflen, int errnum); + +/** + * strerror_r(2) replacement, XSI variant + */ +static inline int strerror_r(int errnum, char *buf, size_t buflen) +{ + return strerror_s(buf, buflen, errnum); +} +#define HAVE_STRERROR_R /* but not STRERROR_R_CHAR_P */ + +/** + * MinGW does provide extended errno values. Windows itself knowns them + * for POSIX compatibility; we define them as well. + */ +#ifndef EADDRINUSE +#define EADDRINUSE 100 +#endif +#ifndef EADDRNOTAVAIL +#define EADDRNOTAVAIL 101 +#endif +#ifndef EAFNOSUPPORT +#define EAFNOSUPPORT 102 +#endif +#ifndef EALREADY +#define EALREADY 103 +#endif +#ifndef EBADMSG +#define EBADMSG 104 +#endif +#ifndef ECANCELED +#define ECANCELED 105 +#endif +#ifndef ECONNABORTED +#define ECONNABORTED 106 +#endif +#ifndef ECONNREFUSED +#define ECONNREFUSED 107 +#endif +#ifndef ECONNRESET +#define ECONNRESET 108 +#endif +#ifndef EDESTADDRREQ +#define EDESTADDRREQ 109 +#endif +#ifndef EHOSTUNREACH +#define EHOSTUNREACH 110 +#endif +#ifndef EIDRM +#define EIDRM 111 +#endif +#ifndef EINPROGRESS +#define EINPROGRESS 112 +#endif +#ifndef EISCONN +#define EISCONN 113 +#endif +#ifndef ELOOP +#define ELOOP 114 +#endif +#ifndef EMSGSIZE +#define EMSGSIZE 115 +#endif +#ifndef ENETDOWN +#define ENETDOWN 116 +#endif +#ifndef ENETRESET +#define ENETRESET 117 +#endif +#ifndef ENETUNREACH +#define ENETUNREACH 118 +#endif +#ifndef ENOBUFS +#define ENOBUFS 119 +#endif +#ifndef ENODATA +#define ENODATA 120 +#endif +#ifndef ENOLINK +#define ENOLINK 121 +#endif +#ifndef ENOMSG +#define ENOMSG 122 +#endif +#ifndef ENOPROTOOPT +#define ENOPROTOOPT 123 +#endif +#ifndef ENOSR +#define ENOSR 124 +#endif +#ifndef ENOSTR +#define ENOSTR 125 +#endif +#ifndef ENOTCONN +#define ENOTCONN 126 +#endif +#ifndef ENOTRECOVERABLE +#define ENOTRECOVERABLE 127 +#endif +#ifndef ENOTSOCK +#define ENOTSOCK 128 +#endif +#ifndef ENOTSUP +#define ENOTSUP 129 +#endif +#ifndef EOPNOTSUPP +#define EOPNOTSUPP 130 +#endif +#ifndef EOTHER +#define EOTHER 131 +#endif +#ifndef EOVERFLOW +#define EOVERFLOW 132 +#endif +#ifndef EOWNERDEAD +#define EOWNERDEAD 133 +#endif +#ifndef EPROTO +#define EPROTO 134 +#endif +#ifndef EPROTONOSUPPORT +#define EPROTONOSUPPORT 135 +#endif +#ifndef EPROTOTYPE +#define EPROTOTYPE 136 +#endif +#ifndef ETIME +#define ETIME 137 +#endif +#ifndef ETIMEDOUT +#define ETIMEDOUT 138 +#endif +#ifndef ETXTBSY +#define ETXTBSY 139 +#endif +#ifndef EWOULDBLOCK +#define EWOULDBLOCK 140 +#endif + + +/* Windows does not support "ll" format printf length modifiers. Mingw + * therefore maps these to the Windows specific I64 length modifier. That + * won't work for us, as we use our own printf backend on Windows, which works + * just fine with "ll". */ +#undef PRId64 +#define PRId64 "lld" +#undef PRId64 +#define PRId64 "lld" +#undef PRIdLEAST64 +#define PRIdLEAST64 "lld" +#undef PRIdFAST64 +#define PRIdFAST64 "lld" +#undef PRIdMAX +#define PRIdMAX "lld" +#undef PRIi64 +#define PRIi64 "lli" +#undef PRIiLEAST64 +#define PRIiLEAST64 "lli" +#undef PRIiFAST64 +#define PRIiFAST64 "lli" +#undef PRIiMAX +#define PRIiMAX "lli" +#undef PRIo64 +#define PRIo64 "llo" +#undef PRIoLEAST64 +#define PRIoLEAST64 "llo" +#undef PRIoFAST64 +#define PRIoFAST64 "llo" +#undef PRIoMAX +#define PRIoMAX "llo" +#undef PRIu64 +#define PRIu64 "llu" +#undef PRIuLEAST64 +#define PRIuLEAST64 "llu" +#undef PRIuFAST64 +#define PRIuFAST64 "llu" +#undef PRIuMAX +#define PRIuMAX "llu" +#undef PRIx64 +#define PRIx64 "llx" +#undef PRIxLEAST64 +#define PRIxLEAST64 "llx" +#undef PRIxFAST64 +#define PRIxFAST64 "llx" +#undef PRIxMAX +#define PRIxMAX "llx" +#undef PRIX64 +#define PRIX64 "llX" +#undef PRIXLEAST64 +#define PRIXLEAST64 "llX" +#undef PRIXFAST64 +#define PRIXFAST64 "llX" +#undef PRIXMAX +#define PRIXMAX "llX" + +#ifdef _WIN64 +# undef PRIdPTR +# define PRIdPTR "lld" +# undef PRIiPTR +# define PRIiPTR "lli" +# undef PRIoPTR +# define PRIoPTR "llo" +# undef PRIuPTR +# define PRIuPTR "llu" +# undef PRIxPTR +# define PRIxPTR "llx" +# undef PRIXPTR +# define PRIXPTR "llX" +#endif /* _WIN64 */ + +#endif /** WINDOWS_H_ @}*/ diff --git a/src/libstrongswan/utils/enum.c b/src/libstrongswan/utils/enum.c index f96fe2989..089bebb79 100644 --- a/src/libstrongswan/utils/enum.c +++ b/src/libstrongswan/utils/enum.c @@ -59,21 +59,104 @@ bool enum_from_name_as_int(enum_name_t *e, const char *name, int *val) return FALSE; } +/** + * Get the position of a flag name using offset calculation + */ +static int find_flag_pos(u_int val, u_int first) +{ + int offset = 0; + + while (val != 0x01) + { + val = val >> 1; + offset++; + } + return first - offset; +} + /** * Described in header. */ +char *enum_flags_to_string(enum_name_t *e, u_int val, char *buf, size_t len) +{ + char *pos = buf, *delim = ""; + int i, wr; + + if (e->next != ENUM_FLAG_MAGIC) + { + if (snprintf(buf, len, "(%d)", (int)val) >= len) + { + return NULL; + } + return buf; + } + + if (snprintf(buf, len, "(unset)") >= len) + { + return NULL; + } + + for (i = 0; val; i++) + { + u_int flag = 1 << i; + + if (val & flag) + { + char *name = NULL, hex[32]; + + if (flag >= (u_int)e->first && flag <= (u_int)e->last) + { + name = e->names[find_flag_pos(e->first, i)]; + } + else + { + snprintf(hex, sizeof(hex), "(0x%X)", flag); + name = hex; + } + if (name) + { + wr = snprintf(pos, len, "%s%s", delim, name); + if (wr >= len) + { + return NULL; + } + len -= wr; + pos += wr; + delim = " | "; + } + val &= ~flag; + } + } + return buf; +} + +/** + * See header. + */ int enum_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, const void *const *args) { enum_name_t *ed = *((enum_name_t**)(args[0])); int val = *((int*)(args[1])); - char *name, buf[32]; + char *name, buf[512]; - name = enum_to_name(ed, val); - if (name == NULL) + if (ed->next == ENUM_FLAG_MAGIC) + { + name = enum_flags_to_string(ed, val, buf, sizeof(buf)); + if (name == NULL) + { + snprintf(buf, sizeof(buf), "(0x%X)", val); + name = buf; + } + } + else { - snprintf(buf, sizeof(buf), "(%d)", val); - name = buf; + name = enum_to_name(ed, val); + if (name == NULL) + { + snprintf(buf, sizeof(buf), "(%d)", val); + name = buf; + } } if (spec->minus) { diff --git a/src/libstrongswan/utils/enum.h b/src/libstrongswan/utils/enum.h index 3c03c2a7b..928f4079a 100644 --- a/src/libstrongswan/utils/enum.h +++ b/src/libstrongswan/utils/enum.h @@ -26,6 +26,11 @@ typedef struct enum_name_t enum_name_t; +/** + * Magic enum_name_t pointer indicating this is an enum name for flags + */ +#define ENUM_FLAG_MAGIC ((enum_name_t*)~(uintptr_t)0) + /** * Struct to store names for enums. * @@ -58,7 +63,7 @@ struct enum_name_t { int first; /** value of the last enum string */ int last; - /** next enum_name_t in list */ + /** next enum_name_t in list, or ENUM_FLAG_MAGIC */ enum_name_t *next; /** array of strings containing names from first to last */ char *names[]; @@ -106,6 +111,23 @@ struct enum_name_t { */ #define ENUM(name, first, last, ...) ENUM_BEGIN(name, first, last, __VA_ARGS__); ENUM_END(name, last) +/** + * Define a enum name with only one range for flags. + * + * Using an enum list for flags would be overkill. Hence we use a single + * range with all values in range. The next pointer is abused to mark + * that the enum name is for flags only. Use NULL if a particular flag + * is not meant to be printed. + * + * @param name name of the enum_name list + * @param first enum value of the first enum string + * @param last enum value of the last enum string + * @param ... a list of strings + */ +#define ENUM_FLAGS(name, first, last, ...) \ + static enum_name_t name##last = {first, last, ENUM_FLAG_MAGIC, { __VA_ARGS__ }}; \ + ENUM_END(name, last) + /** * Convert a enum value to its string representation. * @@ -145,6 +167,17 @@ char *enum_to_name(enum_name_t *e, int val); */ bool enum_from_name_as_int(enum_name_t *e, const char *name, int *val); +/** + * Convert a enum value containing flags to its string representation. + * + * @param e enum names for this enum value suitable for flags + * @param val enum value to get string for + * @param buf buffer to write flag string to + * @param len buffer size + * @return buf, NULL if buffer too small + */ +char *enum_flags_to_string(enum_name_t *e, u_int val, char *buf, size_t len); + /** * printf hook function for enum_names_t. * diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 46ac7e890..b69adf399 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -17,6 +17,7 @@ #include #include +#include #include "identification.h" @@ -927,6 +928,82 @@ static private_identification_t *identification_create(id_type_t type) return this; } +/** + * Create an identity for a specific type, determined by prefix + */ +static private_identification_t* create_from_string_with_prefix_type(char *str) +{ + struct { + const char *str; + id_type_t type; + } prefixes[] = { + { "ipv4:", ID_IPV4_ADDR }, + { "ipv6:", ID_IPV6_ADDR }, + { "rfc822:", ID_RFC822_ADDR }, + { "email:", ID_RFC822_ADDR }, + { "userfqdn:", ID_USER_FQDN }, + { "fqdn:", ID_FQDN }, + { "dns:", ID_FQDN }, + { "asn1dn:", ID_DER_ASN1_DN }, + { "asn1gn:", ID_DER_ASN1_GN }, + { "keyid:", ID_KEY_ID }, + }; + private_identification_t *this; + int i; + + for (i = 0; i < countof(prefixes); i++) + { + if (strcasepfx(str, prefixes[i].str)) + { + this = identification_create(prefixes[i].type); + str += strlen(prefixes[i].str); + if (*str == '#') + { + this->encoded = chunk_from_hex(chunk_from_str(str + 1), NULL); + } + else + { + this->encoded = chunk_clone(chunk_from_str(str)); + } + return this; + } + } + return NULL; +} + +/** + * Create an identity for a specific type, determined by a numerical prefix + * + * The prefix is of the form "{x}:", where x denotes the numerical identity + * type. + */ +static private_identification_t* create_from_string_with_num_type(char *str) +{ + private_identification_t *this; + u_long type; + + if (*str++ != '{') + { + return NULL; + } + errno = 0; + type = strtoul(str, &str, 0); + if (errno || *str++ != '}' || *str++ != ':') + { + return NULL; + } + this = identification_create(type); + if (*str == '#') + { + this->encoded = chunk_from_hex(chunk_from_str(str + 1), NULL); + } + else + { + this->encoded = chunk_clone(chunk_from_str(str)); + } + return this; +} + /* * Described in header. */ @@ -939,6 +1016,16 @@ identification_t *identification_create_from_string(char *string) { string = "%any"; } + this = create_from_string_with_prefix_type(string); + if (this) + { + return &this->public; + } + this = create_from_string_with_num_type(string); + if (this) + { + return &this->public; + } if (strchr(string, '=') != NULL) { /* we interpret this as an ASCII X.501 ID_DER_ASN1_DN. diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h index e62446879..e6a9fe1c6 100644 --- a/src/libstrongswan/utils/identification.h +++ b/src/libstrongswan/utils/identification.h @@ -302,6 +302,15 @@ struct identification_t { * N, G, I, dnQualifier, ID, EN, EmployeeNumber, E, Email, emailAddress, UN, * unstructuredName, TCGID. * + * To skip automatic type detection the following prefixes may be used to + * enforce a specific type: ipv4:, ipv6:, rfc822:, email:, userfqdn:, fqdn:, + * dns:, asn1dn:, asn1gn: and keyid:. If a # follows the :, the remaining data + * is interpreted as hex encoded binary data for that ID, otherwise the raw + * string following the prefix is used as identity data, without conversion. + * To specify a non-standard ID type, the numerical type may be prefixed + * between curly backets, building a prefix. For instance the "{1}:" prefix + * defines an ID_IPV4_ADDR type. + * * This constructor never returns NULL. If it does not find a suitable * conversion function, it will copy the string to an ID_KEY_ID. * diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h index da253cc35..7c48d949f 100644 --- a/src/libstrongswan/utils/utils.h +++ b/src/libstrongswan/utils/utils.h @@ -29,7 +29,7 @@ #include #ifdef WIN32 -# include "windows.h" +# include "compat/windows.h" #else # define _GNU_SOURCE # include @@ -37,6 +37,7 @@ # include # include # include +# include #endif /** @@ -96,6 +97,9 @@ #include "enum.h" #include "utils/strerror.h" +#ifdef __APPLE__ +# include "compat/apple.h" +#endif /** * Directory separator character in paths on this platform diff --git a/src/libstrongswan/utils/windows.c b/src/libstrongswan/utils/windows.c deleted file mode 100644 index 8820287b1..000000000 --- a/src/libstrongswan/utils/windows.c +++ /dev/null @@ -1,641 +0,0 @@ -/* - * Copyright (C) 2013 Martin Willi - * Copyright (C) 2013 revosec AG - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "utils.h" - -#include - -/** - * See header - */ -void windows_init() -{ - WSADATA wsad; - - /* initialize winsock2 */ - WSAStartup(MAKEWORD(2, 2), &wsad); -} - -/** - * See header - */ -void windows_deinit() -{ - WSACleanup(); -} - -/** - * See header - */ -int usleep(useconds_t usec) -{ - if (usec > 0 && usec < 1000) - { /* do not Sleep(0) for small values */ - usec = 1000; - } - SleepEx(usec / 1000, TRUE); - return 0; -} - -/** - * See header. - */ -char* strndup(const char *s, size_t n) -{ - char *dst; - - n = min(strnlen(s, n), n); - dst = malloc(n + 1); - memcpy(dst, s, n); - dst[n] = '\0'; - - return dst; -} - -/* - * See header. - */ -void *dlopen(const char *filename, int flag) -{ - return LoadLibrary(filename); -} - -/** - * Load a symbol from known default libs (monolithic build) - */ -static void* dlsym_default(const char *name) -{ - const char *dlls[] = { - "libstrongswan-0.dll", - "libhydra-0.dll", - "libcharon-0.dll", - "libtnccs-0.dll", - NULL /* .exe */ - }; - HANDLE handle; - void *sym = NULL; - int i; - - for (i = 0; i < countof(dlls); i++) - { - handle = GetModuleHandle(dlls[i]); - if (handle) - { - sym = GetProcAddress(handle, name); - if (sym) - { - break; - } - } - } - return sym; -} - -/** - * Emulate RTLD_NEXT for some known symbols - */ -static void* dlsym_next(const char *name) -{ - struct { - const char *dll; - const char *syms[4]; - } dlls[] = { - /* for leak detective */ - { "msvcrt", - { "malloc", "calloc", "realloc", "free" } - }, - }; - HANDLE handle = NULL; - int i, j; - - for (i = 0; i < countof(dlls); i++) - { - for (j = 0; j < countof(dlls[0].syms); j++) - { - if (dlls[i].syms[j] && streq(dlls[i].syms[j], name)) - { - handle = GetModuleHandle(dlls[i].dll); - break; - } - } - } - if (handle) - { - return GetProcAddress(handle, name); - } - return handle; -} - -/** - * See header. - */ -void* dlsym(void *handle, const char *symbol) -{ - if (handle == RTLD_DEFAULT) - { - return dlsym_default(symbol); - } - if (handle == RTLD_NEXT) - { - return dlsym_next(symbol); - } - return GetProcAddress((HMODULE)handle, symbol); -} - -/** - * See header. - */ -char* dlerror(void) -{ - static char buf[128]; - char *pos; - DWORD err; - - err = GetLastError(); - if (FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, - NULL, err, 0, buf, sizeof(buf), NULL) > 0) - { - pos = strchr(buf, '\n'); - if (pos) - { - *pos = '\0'; - } - } - else - { - snprintf(buf, sizeof(buf), "(%u)", err); - } - return buf; -} - -/** - * See header. - */ -int dlclose(void *handle) -{ - return FreeLibrary((HMODULE)handle); -} - -/** - * See header - */ -int socketpair(int domain, int type, int protocol, int sv[2]) -{ - struct sockaddr_in addr = { - .sin_family = AF_INET, - .sin_addr.s_addr = htonl(INADDR_LOOPBACK), - }; - socklen_t len = sizeof(addr); - int s, c, sc; - BOOL on; - - /* We don't check domain for AF_INET, as we use it as replacement for - * AF_UNIX. */ - if (type != SOCK_STREAM) - { - errno = EINVAL; - return -1; - } - if (protocol != 0 && protocol != IPPROTO_TCP) - { - errno = EINVAL; - return -1; - } - s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); - if (s == -1) - { - return -1; - } - c = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); - if (c == -1) - { - closesocket(s); - return -1; - } - if (bind(s, (struct sockaddr*)&addr, sizeof(addr)) == 0 && - getsockname(s,(struct sockaddr*)&addr, &len) == 0 && - listen(s, 0) == 0 && - connect(c, (struct sockaddr*)&addr, sizeof(addr)) == 0) - { - sc = accept(s, NULL, NULL); - if (sc >= 0) - { - closesocket(s); - s = sc; - if (setsockopt(s, IPPROTO_TCP, TCP_NODELAY, - (void*)&on, sizeof(on)) == 0 && - setsockopt(c, IPPROTO_TCP, TCP_NODELAY, - (void*)&on, sizeof(on)) == 0) - { - sv[0] = s; - sv[1] = c; - return 0; - } - } - } - closesocket(s); - closesocket(c); - return -1; -} - -/** - * See header - */ -char* getpass(const char *prompt) -{ - static char buf[64] = ""; - char *pos; - HANDLE in, out; - DWORD mode, written = 0, total, done; - - out = GetStdHandle(STD_OUTPUT_HANDLE); - in = GetStdHandle(STD_INPUT_HANDLE); - - if (out == INVALID_HANDLE_VALUE || in == INVALID_HANDLE_VALUE || - !GetConsoleMode(out, &mode) || !GetConsoleMode(in, &mode)) - { - return NULL; - } - - total = strlen(prompt); - while (written < total) - { - if (!WriteConsole(out, prompt + written, total - written, &done, NULL)) - { - return NULL; - } - written += done; - } - - if (!SetConsoleMode(in, mode & ~ENABLE_ECHO_INPUT)) - { - return NULL; - } - - while (TRUE) - { - if (!ReadConsole(in, buf, sizeof(buf), &done, NULL)) - { - SetConsoleMode(in, mode); - return NULL; - } - buf[sizeof(buf)-1] = '\0'; - - if (done) - { - pos = strchr(buf, '\r'); - if (pos) - { - *pos = '\0'; - } - break; - } - } - SetConsoleMode(in, mode); - - /* append a newline, as we have no echo during input */ - WriteConsole(out, "\r\n", 2, &done, NULL); - - return buf; -} - -/** - * See header. - */ -#undef strerror_s -int strerror_s_extended(char *buf, size_t buflen, int errnum) -{ - const char *errstr [] = { - /* EADDRINUSE */ "Address in use", - /* EADDRNOTAVAIL */ "Address not available", - /* EAFNOSUPPORT */ "Address family not supported", - /* EALREADY */ "Connection already in progress", - /* EBADMSG */ "Bad message", - /* ECANCELED */ "Operation canceled", - /* ECONNABORTED */ "Connection aborted", - /* ECONNREFUSED */ "Connection refused", - /* ECONNRESET */ "Connection reset", - /* EDESTADDRREQ */ "Destination address required", - /* EHOSTUNREACH */ "Host is unreachable", - /* EIDRM */ "Identifier removed", - /* EINPROGRESS */ "Operation in progress", - /* EISCONN */ "Socket is connected", - /* ELOOP */ "Too many levels of symbolic links", - /* EMSGSIZE */ "Message too large", - /* ENETDOWN */ "Network is down", - /* ENETRESET */ "Connection aborted by network", - /* ENETUNREACH */ "Network unreachable", - /* ENOBUFS */ "No buffer space available", - /* ENODATA */ "No message is available", - /* ENOLINK */ "No link", - /* ENOMSG */ "No message of the desired type", - /* ENOPROTOOPT */ "Protocol not available", - /* ENOSR */ "No stream resources", - /* ENOSTR */ "Not a stream", - /* ENOTCONN */ "The socket is not connected", - /* ENOTRECOVERABLE */ "State not recoverable", - /* ENOTSOCK */ "Not a socket", - /* ENOTSUP */ "Not supported", - /* EOPNOTSUPP */ "Operation not supported on socket", - /* EOTHER */ "Other error", - /* EOVERFLOW */ "Value too large to be stored in data type", - /* EOWNERDEAD */ "Previous owner died", - /* EPROTO */ "Protocol error", - /* EPROTONOSUPPORT */ "Protocol not supported", - /* EPROTOTYPE */ "Protocol wrong type for socket", - /* ETIME */ "Timeout", - /* ETIMEDOUT */ "Connection timed out", - /* ETXTBSY */ "Text file busy", - /* EWOULDBLOCK */ "Operation would block", - }; - int offset = EADDRINUSE; - - if (errnum < offset || errnum >= offset + countof(errstr)) - { - return strerror_s(buf, buflen, errnum); - } - strncpy(buf, errstr[errnum - offset], buflen); - buf[buflen - 1] = '\0'; - return 0; -} - -/** - * Set errno for a function setting WSA error on failure - */ -static int wserr(int retval) -{ - if (retval < 0) - { - static const struct { - DWORD wsa; - int err; - } map[] = { - { WSANOTINITIALISED, EBADF }, - { WSAENETDOWN, ENETDOWN }, - { WSAENETRESET, ENETRESET }, - { WSAECONNABORTED, ECONNABORTED }, - { WSAESHUTDOWN, ECONNABORTED }, - { WSAEACCES, EACCES }, - { WSAEINTR, EINTR }, - { WSAEINPROGRESS, EINPROGRESS }, - { WSAEFAULT, EFAULT }, - { WSAENOBUFS, ENOBUFS }, - { WSAENOTSOCK, ENOTSOCK }, - { WSAEOPNOTSUPP, EOPNOTSUPP }, - { WSAEWOULDBLOCK, EWOULDBLOCK }, - { WSAEMSGSIZE, EMSGSIZE }, - { WSAEINVAL, EINVAL }, - { WSAENOTCONN, ENOTCONN }, - { WSAEHOSTUNREACH, EHOSTUNREACH }, - { WSAENETUNREACH, ENETUNREACH }, - { WSAECONNABORTED, ECONNABORTED }, - { WSAECONNRESET, ECONNRESET }, - { WSAETIMEDOUT, ETIMEDOUT }, - { WSAEMFILE, EMFILE }, - { WSAEALREADY, EALREADY }, - { WSAEDESTADDRREQ, EDESTADDRREQ }, - { WSAEISCONN, EISCONN }, - { WSAEOPNOTSUPP, EOPNOTSUPP }, - { WSAEPROTOTYPE, EPROTOTYPE }, - { WSAENOPROTOOPT, ENOPROTOOPT }, - { WSAEPROTONOSUPPORT, EPROTONOSUPPORT }, - { WSAEPFNOSUPPORT, EPROTONOSUPPORT }, - { WSAEAFNOSUPPORT, EAFNOSUPPORT }, - { WSAEADDRNOTAVAIL, EADDRNOTAVAIL }, - { WSAEADDRINUSE, EADDRINUSE }, - { WSAETIMEDOUT, ETIMEDOUT }, - { WSAECONNREFUSED, ECONNREFUSED }, - { WSAELOOP, ELOOP }, - { WSAENAMETOOLONG, ENAMETOOLONG }, - { WSAENOTEMPTY, ENOTEMPTY }, - { WSAEPROTOTYPE, EPROTOTYPE }, - { WSAVERNOTSUPPORTED, ENOTSUP }, - }; - DWORD wsa, i; - - wsa = WSAGetLastError(); - for (i = 0; i < countof(map); i++) - { - if (map[i].wsa == wsa) - { - errno = map[i].err; - return retval; - } - } - errno = ENOENT; - return retval; - } - errno = 0; - return retval; -} - -/** - * Check and clear the dontwait flag - */ -static bool check_dontwait(int *flags) -{ - if (*flags & MSG_DONTWAIT) - { - *flags &= ~MSG_DONTWAIT; - return TRUE; - } - return FALSE; -} - -/** - * See header - */ -#undef shutdown -int windows_shutdown(int sockfd, int how) -{ - return wserr(shutdown(sockfd, how)); -} - -/** - * See header - */ -#undef accept -int windows_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen) -{ - return wserr(accept(sockfd, addr, addrlen)); -} - -/** - * See header - */ -#undef bind -int windows_bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) -{ - return wserr(bind(sockfd, addr, addrlen)); -} - -/** - * See header - */ -#undef connect -int windows_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) -{ - return wserr(connect(sockfd, addr, addrlen)); -} - -/** - * See header - */ -#undef getsockname -int windows_getsockname(int sockfd, struct sockaddr *addr, socklen_t *addrlen) -{ - return wserr(getsockname(sockfd, addr, addrlen)); -} - -/** - * See header - */ -#undef getsockopt -int windows_getsockopt(int sockfd, int level, int optname, - void *optval, socklen_t *optlen) -{ - return wserr(getsockopt(sockfd, level, optname, optval, optlen)); -} - -/** - * See header - */ -#undef setsockopt -int windows_setsockopt(int sockfd, int level, int optname, - const void *optval, socklen_t optlen) -{ - return wserr(setsockopt(sockfd, level, optname, optval, optlen)); -} - -/** - * See header - */ -#undef socket -int windows_socket(int domain, int type, int protocol) -{ - return wserr(socket(domain, type, protocol)); -} - -/** - * See header - */ -#undef select -int windows_select(int nfds, fd_set *readfds, fd_set *writefds, - fd_set *exceptfds, struct timeval *timeout) -{ - return wserr(select(nfds, readfds, writefds, exceptfds, timeout)); -} - -/** - * See header - */ -#undef close -int windows_close(int fd) -{ - int ret; - - ret = close(fd); - if (ret == -1 && errno == EBADF) - { /* Winsock socket? */ - ret = wserr(closesocket(fd)); - } - return ret; -} - -/** - * See header - */ -#undef recv -ssize_t windows_recv(int sockfd, void *buf, size_t len, int flags) -{ - u_long on = 1, off = 0; - ssize_t outlen = -1; - - if (!check_dontwait(&flags)) - { - return wserr(recv(sockfd, buf, len, flags)); - } - if (wserr(ioctlsocket(sockfd, FIONBIO, &on) == 0)) - { - outlen = wserr(recv(sockfd, buf, len, flags)); - ioctlsocket(sockfd, FIONBIO, &off); - } - return outlen; -} - -/** - * See header - */ -#undef recvfrom -ssize_t windows_recvfrom(int sockfd, void *buf, size_t len, int flags, - struct sockaddr *src_addr, socklen_t *addrlen) -{ - u_long on = 1, off = 0; - ssize_t outlen = -1; - - if (!check_dontwait(&flags)) - { - return wserr(recvfrom(sockfd, buf, len, flags, src_addr, addrlen)); - } - if (wserr(ioctlsocket(sockfd, FIONBIO, &on)) == 0) - { - outlen = wserr(recvfrom(sockfd, buf, len, flags, src_addr, addrlen)); - ioctlsocket(sockfd, FIONBIO, &off); - } - return outlen; -} - -/** - * See header - */ -#undef send -ssize_t windows_send(int sockfd, const void *buf, size_t len, int flags) -{ - u_long on = 1, off = 0; - ssize_t outlen = -1; - - if (!check_dontwait(&flags)) - { - return wserr(send(sockfd, buf, len, flags)); - } - if (wserr(ioctlsocket(sockfd, FIONBIO, &on)) == 0) - { - outlen = wserr(send(sockfd, buf, len, flags)); - ioctlsocket(sockfd, FIONBIO, &off); - } - return outlen; -} - -/** - * See header - */ -#undef sendto -ssize_t windows_sendto(int sockfd, const void *buf, size_t len, int flags, - const struct sockaddr *dest_addr, socklen_t addrlen) -{ - u_long on = 1, off = 0; - ssize_t outlen = -1; - - if (!check_dontwait(&flags)) - { - return wserr(sendto(sockfd, buf, len, flags, dest_addr, addrlen)); - } - if (wserr(ioctlsocket(sockfd, FIONBIO, &on)) == 0) - { - outlen = wserr(sendto(sockfd, buf, len, flags, dest_addr, addrlen)); - ioctlsocket(sockfd, FIONBIO, &off); - } - return outlen; -} diff --git a/src/libstrongswan/utils/windows.h b/src/libstrongswan/utils/windows.h deleted file mode 100644 index 3761e10ab..000000000 --- a/src/libstrongswan/utils/windows.h +++ /dev/null @@ -1,584 +0,0 @@ -/* - * Copyright (C) 2013 Martin Willi - * Copyright (C) 2013 revosec AG - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup windows windows - * @{ @ingroup utils - */ - -#ifndef WINDOWS_H_ -#define WINDOWS_H_ - -#include -#include -#include -#include -#include -#include - -/* undef Windows variants evaluating values more than once */ -#undef min -#undef max - -/* interface is defined as an alias to "struct" in basetypes.h, but - * we use it here and there as ordinary identifier. */ -#undef interface - -/* used by Windows API, but we have our own */ -#undef CALLBACK - -/* UID/GID types for capabilities, even if not supported */ -typedef u_int uid_t; -typedef u_int gid_t; - -/** - * Initialize Windows libraries - */ -void windows_init(); - -/** - * Deinitialize windows libraries - */ -void windows_deinit(); - -/** - * Replacement for random(3) - */ -static inline long random(void) -{ - return rand(); -} - -/** - * Replacement for srandom(3) - */ -static inline void srandom(unsigned int seed) -{ - srand(seed); -} - -/** - * Replacement of sched_yield(2) from - */ -static inline int sched_yield(void) -{ - Sleep(0); - return 0; -} - -/** - * Replacement of sleep(3), cancellable by thread_cancel() - */ -#define sleep sleep_cancellable -static inline int sleep_cancellable(unsigned int seconds) -{ - SleepEx(seconds * 1000, TRUE); - return 0; -} - -/** - * Replacement of usleep(3), cancellable, ms resolution only - */ -int usleep(useconds_t usec); - -/** - * strdup(3), the Windows variant can't free(strdup("")) and others - */ -#define strdup strdup_windows -static inline char* strdup_windows(const char *src) -{ - size_t len; - char *dst; - - len = strlen(src) + 1; - dst = malloc(len); - memcpy(dst, src, len); - return dst; -} - -/** - * strndup(3) - */ -char* strndup(const char *s, size_t n); - -/** - * Provided via ws2_32 - */ -#ifndef InetNtop -const char WINAPI *inet_ntop(int af, const void *src, char *dst, socklen_t size); -#endif - -/** - * Provided via ws2_32 - */ -#ifndef InetPton -int WINAPI inet_pton(int af, const char *src, void *dst); -#endif - -/** - * Provided by printf hook backend - */ -int asprintf(char **strp, const char *fmt, ...); - -/** - * Provided by printf hook backend - */ -int vasprintf(char **strp, const char *fmt, va_list ap); - -/** - * timeradd(3) from - */ -static inline void timeradd(struct timeval *a, struct timeval *b, - struct timeval *res) -{ - res->tv_sec = a->tv_sec + b->tv_sec; - res->tv_usec = a->tv_usec + b->tv_usec; - if (res->tv_usec >= 1000000) - { - res->tv_usec -= 1000000; - res->tv_sec++; - } -} - -/** - * timersub(3) from - */ -static inline void timersub(struct timeval *a, struct timeval *b, - struct timeval *res) -{ - res->tv_sec = a->tv_sec - b->tv_sec; - res->tv_usec = a->tv_usec - b->tv_usec; - if (res->tv_usec < 0) - { - res->tv_usec += 1000000; - res->tv_sec--; - } -} - -/** - * gmtime_r(3) from - */ -static inline struct tm *gmtime_r(const time_t *timep, struct tm *result) -{ - struct tm *ret; - - /* gmtime_s() and friends seem not to be implemented/functioning. - * Relying on gmtime() on Windows works as well, as it uses thread - * specific buffers. */ - ret = gmtime(timep); - if (ret) - { - memcpy(result, ret, sizeof(*result)); - } - return ret; -} - -/** - * localtime_r(3) from - */ -static inline struct tm *localtime_r(const time_t *timep, struct tm *result) -{ - struct tm *ret; - - /* localtime_s() and friends seem not to be implemented/functioning. - * Relying on localtime() on Windows works as well, as it uses thread - * specific buffers. */ - ret = localtime(timep); - if (ret) - { - memcpy(result, ret, sizeof(*result)); - } - return ret; -} - -/** - * setenv(3) from , overwrite flag is ignored - */ -static inline int setenv(const char *name, const char *value, int overwrite) -{ - if (SetEnvironmentVariableA(name, value) == 0) - { /* failed */ - return -1; - } - return 0; -} - -/** - * Lazy binding, ignored on Windows - */ -#define RTLD_LAZY 1 - -/** - * Default handle targeting .exe - */ -#define RTLD_DEFAULT (NULL) - -/** - * Find symbol in next library - */ -#define RTLD_NEXT ((void*)~(uintptr_t)0) - -/** - * dlopen(3) from - */ -void* dlopen(const char *filename, int flag); - -/** - * dlsym() from - */ -void* dlsym(void *handle, const char *symbol); - -/** - * dlerror(3) from , currently not thread save - */ -char* dlerror(void); - -/** - * dlclose() from - */ -int dlclose(void *handle); - -/** - * socketpair(2) for SOCK_STREAM, uses TCP on loopback - */ -int socketpair(int domain, int type, int protocol, int sv[2]); - -/** - * getpass(3) on Windows consoles - */ -char* getpass(const char *prompt); -#define HAVE_GETPASS - -/** - * Map MSG_DONTWAIT to the reserved, but deprecated MSG_INTERRUPT - */ -#define MSG_DONTWAIT MSG_INTERRUPT - -/** - * shutdown(2) "how"-aliases, to use Unix variant on Windows - */ -#define SHUT_RD SD_RECEIVE -#define SHUT_WR SD_SEND -#define SHUT_RDWR SD_BOTH - -/** - * shutdown(2) setting errno - */ -#define shutdown windows_shutdown -int windows_shutdown(int sockfd, int how); - -/** - * accept(2) setting errno - */ -#define accept windows_accept -int windows_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen); - -/** - * bind(2) setting errno - */ -#define bind windows_bind -int windows_bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen); - -/** - * connect(2) setting errno - */ -#define connect windows_connect -int windows_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen); - -/** - * getsockname(2) setting errno - */ -#define getsockname windows_getsockname -int windows_getsockname(int sockfd, struct sockaddr *addr, socklen_t *addrlen); - -/** - * getsockopt(2) setting errno - */ -#define getsockopt windows_getsockopt -int windows_getsockopt(int sockfd, int level, int optname, - void *optval, socklen_t *optlen); - -/** - * setsockopt(2) setting errno - */ -#define setsockopt windows_setsockopt -int windows_setsockopt(int sockfd, int level, int optname, - const void *optval, socklen_t optlen); - -/** - * socket(2) setting errno - */ -#define socket windows_socket -int windows_socket(int domain, int type, int protocol); - -/** - * select(2) setting errno - */ -#define select windows_select -int windows_select(int nfds, fd_set *readfds, fd_set *writefds, - fd_set *exceptfds, struct timeval *timeout); - -/** - * close(2) working for file handles and Winsock sockets - */ -#define close windows_close -int windows_close(int fd); - -/** - * recv(2) with support for MSG_DONTWAIT - */ -#define recv windows_recv -ssize_t windows_recv(int sockfd, void *buf, size_t len, int flags); - -/** - * recvfrom(2) with support for MSG_DONTWAIT - */ -#define recvfrom windows_recvfrom -ssize_t windows_recvfrom(int sockfd, void *buf, size_t len, int flags, - struct sockaddr *src_addr, socklen_t *addrlen); - -/** - * recvfrom(2) with support for MSG_DONTWAIT - */ -#define send windows_send -ssize_t windows_send(int sockfd, const void *buf, size_t len, int flags); - -/** - * recvfrom(2) with support for MSG_DONTWAIT - */ -#define sendto windows_send -ssize_t windows_sendto(int sockfd, const void *buf, size_t len, int flags, - const struct sockaddr *dest_addr, socklen_t addrlen); - -/** - * Declaration missing on older WinGW - */ -_CRTIMP errno_t strerror_s(char *buf, size_t size, int errnum); - -/** - * strerror_s, but supporting POSIX compatibility errno >= 100 - */ -#define strerror_s strerror_s_extended -int strerror_s_extended(char *buf, size_t buflen, int errnum); - -/** - * strerror_r(2) replacement, XSI variant - */ -static inline int strerror_r(int errnum, char *buf, size_t buflen) -{ - return strerror_s(buf, buflen, errnum); -} -#define HAVE_STRERROR_R /* but not STRERROR_R_CHAR_P */ - -/** - * MinGW does provide extended errno values. Windows itself knowns them - * for POSIX compatibility; we define them as well. - */ -#ifndef EADDRINUSE -#define EADDRINUSE 100 -#endif -#ifndef EADDRNOTAVAIL -#define EADDRNOTAVAIL 101 -#endif -#ifndef EAFNOSUPPORT -#define EAFNOSUPPORT 102 -#endif -#ifndef EALREADY -#define EALREADY 103 -#endif -#ifndef EBADMSG -#define EBADMSG 104 -#endif -#ifndef ECANCELED -#define ECANCELED 105 -#endif -#ifndef ECONNABORTED -#define ECONNABORTED 106 -#endif -#ifndef ECONNREFUSED -#define ECONNREFUSED 107 -#endif -#ifndef ECONNRESET -#define ECONNRESET 108 -#endif -#ifndef EDESTADDRREQ -#define EDESTADDRREQ 109 -#endif -#ifndef EHOSTUNREACH -#define EHOSTUNREACH 110 -#endif -#ifndef EIDRM -#define EIDRM 111 -#endif -#ifndef EINPROGRESS -#define EINPROGRESS 112 -#endif -#ifndef EISCONN -#define EISCONN 113 -#endif -#ifndef ELOOP -#define ELOOP 114 -#endif -#ifndef EMSGSIZE -#define EMSGSIZE 115 -#endif -#ifndef ENETDOWN -#define ENETDOWN 116 -#endif -#ifndef ENETRESET -#define ENETRESET 117 -#endif -#ifndef ENETUNREACH -#define ENETUNREACH 118 -#endif -#ifndef ENOBUFS -#define ENOBUFS 119 -#endif -#ifndef ENODATA -#define ENODATA 120 -#endif -#ifndef ENOLINK -#define ENOLINK 121 -#endif -#ifndef ENOMSG -#define ENOMSG 122 -#endif -#ifndef ENOPROTOOPT -#define ENOPROTOOPT 123 -#endif -#ifndef ENOSR -#define ENOSR 124 -#endif -#ifndef ENOSTR -#define ENOSTR 125 -#endif -#ifndef ENOTCONN -#define ENOTCONN 126 -#endif -#ifndef ENOTRECOVERABLE -#define ENOTRECOVERABLE 127 -#endif -#ifndef ENOTSOCK -#define ENOTSOCK 128 -#endif -#ifndef ENOTSUP -#define ENOTSUP 129 -#endif -#ifndef EOPNOTSUPP -#define EOPNOTSUPP 130 -#endif -#ifndef EOTHER -#define EOTHER 131 -#endif -#ifndef EOVERFLOW -#define EOVERFLOW 132 -#endif -#ifndef EOWNERDEAD -#define EOWNERDEAD 133 -#endif -#ifndef EPROTO -#define EPROTO 134 -#endif -#ifndef EPROTONOSUPPORT -#define EPROTONOSUPPORT 135 -#endif -#ifndef EPROTOTYPE -#define EPROTOTYPE 136 -#endif -#ifndef ETIME -#define ETIME 137 -#endif -#ifndef ETIMEDOUT -#define ETIMEDOUT 138 -#endif -#ifndef ETXTBSY -#define ETXTBSY 139 -#endif -#ifndef EWOULDBLOCK -#define EWOULDBLOCK 140 -#endif - - -/* Windows does not support "ll" format printf length modifiers. Mingw - * therefore maps these to the Windows specific I64 length modifier. That - * won't work for us, as we use our own printf backend on Windows, which works - * just fine with "ll". */ -#undef PRId64 -#define PRId64 "lld" -#undef PRId64 -#define PRId64 "lld" -#undef PRIdLEAST64 -#define PRIdLEAST64 "lld" -#undef PRIdFAST64 -#define PRIdFAST64 "lld" -#undef PRIdMAX -#define PRIdMAX "lld" -#undef PRIi64 -#define PRIi64 "lli" -#undef PRIiLEAST64 -#define PRIiLEAST64 "lli" -#undef PRIiFAST64 -#define PRIiFAST64 "lli" -#undef PRIiMAX -#define PRIiMAX "lli" -#undef PRIo64 -#define PRIo64 "llo" -#undef PRIoLEAST64 -#define PRIoLEAST64 "llo" -#undef PRIoFAST64 -#define PRIoFAST64 "llo" -#undef PRIoMAX -#define PRIoMAX "llo" -#undef PRIu64 -#define PRIu64 "llu" -#undef PRIuLEAST64 -#define PRIuLEAST64 "llu" -#undef PRIuFAST64 -#define PRIuFAST64 "llu" -#undef PRIuMAX -#define PRIuMAX "llu" -#undef PRIx64 -#define PRIx64 "llx" -#undef PRIxLEAST64 -#define PRIxLEAST64 "llx" -#undef PRIxFAST64 -#define PRIxFAST64 "llx" -#undef PRIxMAX -#define PRIxMAX "llx" -#undef PRIX64 -#define PRIX64 "llX" -#undef PRIXLEAST64 -#define PRIXLEAST64 "llX" -#undef PRIXFAST64 -#define PRIXFAST64 "llX" -#undef PRIXMAX -#define PRIXMAX "llX" - -#ifdef _WIN64 -# undef PRIdPTR -# define PRIdPTR "lld" -# undef PRIiPTR -# define PRIiPTR "lli" -# undef PRIoPTR -# define PRIoPTR "llo" -# undef PRIuPTR -# define PRIuPTR "llu" -# undef PRIxPTR -# define PRIxPTR "llx" -# undef PRIXPTR -# define PRIXPTR "llX" -#endif /* _WIN64 */ - -#endif /** WINDOWS_H_ @}*/ diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in index 426d8bcb3..e6c23d970 100644 --- a/src/libtls/Makefile.in +++ b/src/libtls/Makefile.in @@ -278,6 +278,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -338,10 +339,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -415,6 +418,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libtls/tests/Makefile.in b/src/libtls/tests/Makefile.in index 2e44fb4a5..7d5b3771c 100644 --- a/src/libtls/tests/Makefile.in +++ b/src/libtls/tests/Makefile.in @@ -223,6 +223,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -283,10 +284,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -360,6 +363,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libtls/tls.c b/src/libtls/tls.c index 6a8d5030c..08a06f5ef 100644 --- a/src/libtls/tls.c +++ b/src/libtls/tls.c @@ -415,6 +415,12 @@ METHOD(tls_t, get_eap_msk, chunk_t, return this->crypto->get_eap_msk(this->crypto); } +METHOD(tls_t, get_auth, auth_cfg_t*, + private_tls_t *this) +{ + return this->handshake->get_auth(this->handshake); +} + METHOD(tls_t, destroy, void, private_tls_t *this) { @@ -465,6 +471,7 @@ tls_t *tls_create(bool is_server, identification_t *server, .get_purpose = _get_purpose, .is_complete = _is_complete, .get_eap_msk = _get_eap_msk, + .get_auth = _get_auth, .destroy = _destroy, }, .is_server = is_server, @@ -487,7 +494,7 @@ tls_t *tls_create(bool is_server, identification_t *server, this->alert, peer, server)->handshake; } this->fragmentation = tls_fragmentation_create(this->handshake, this->alert, - this->application); + this->application, purpose); this->compression = tls_compression_create(this->fragmentation, this->alert); this->protection = tls_protection_create(this->compression, this->alert); this->crypto->set_protection(this->crypto, this->protection); diff --git a/src/libtls/tls.h b/src/libtls/tls.h index fc1d9b9fd..f3dc198cf 100644 --- a/src/libtls/tls.h +++ b/src/libtls/tls.h @@ -251,6 +251,13 @@ struct tls_t { */ chunk_t (*get_eap_msk)(tls_t *this); + /** + * Get the authentication details after completing the handshake. + * + * @return authentication details, internal data + */ + auth_cfg_t* (*get_auth)(tls_t *this); + /** * Destroy a tls_t. */ diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c index ebe5bc3a8..12d5aed53 100644 --- a/src/libtls/tls_eap.c +++ b/src/libtls/tls_eap.c @@ -426,6 +426,12 @@ METHOD(tls_eap_t, set_identifier, void, this->identifier = identifier; } +METHOD(tls_eap_t, get_auth, auth_cfg_t*, + private_tls_eap_t *this) +{ + return this->tls->get_auth(this->tls); +} + METHOD(tls_eap_t, destroy, void, private_tls_eap_t *this) { @@ -453,6 +459,7 @@ tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size, .get_msk = _get_msk, .get_identifier = _get_identifier, .set_identifier = _set_identifier, + .get_auth = _get_auth, .destroy = _destroy, }, .type = type, diff --git a/src/libtls/tls_eap.h b/src/libtls/tls_eap.h index f3fbba078..df41fc4d7 100644 --- a/src/libtls/tls_eap.h +++ b/src/libtls/tls_eap.h @@ -76,6 +76,13 @@ struct tls_eap_t { */ void (*set_identifier) (tls_eap_t *this, uint8_t identifier); + /** + * Get the authentication details after completing the handshake. + * + * @return authentication details, internal data + */ + auth_cfg_t* (*get_auth)(tls_eap_t *this); + /** * Destroy a tls_eap_t. */ diff --git a/src/libtls/tls_fragmentation.c b/src/libtls/tls_fragmentation.c index 6e4347e3c..a97ca1eaa 100644 --- a/src/libtls/tls_fragmentation.c +++ b/src/libtls/tls_fragmentation.c @@ -96,8 +96,31 @@ struct private_tls_fragmentation_t { * Upper layer application data protocol */ tls_application_t *application; + + /** + * Type of context this TLS instance runs in + */ + tls_purpose_t purpose; }; +/** + * Check if we should send a close notify once the application finishes + */ +static bool send_close_notify(private_tls_fragmentation_t *this) +{ + switch (this->purpose) + { + case TLS_PURPOSE_EAP_TLS: + case TLS_PURPOSE_EAP_TTLS: + case TLS_PURPOSE_EAP_PEAP: + /* not for TLS-in-EAP, as we indicate completion with EAP-SUCCCESS. + * Windows does not like close notifies, and hangs/disconnects. */ + return FALSE; + default: + return TRUE; + } +} + /** * Process a TLS alert */ @@ -223,6 +246,10 @@ static status_t process_application(private_tls_fragmentation_t *this, continue; case SUCCESS: this->application_finished = TRUE; + if (!send_close_notify(this)) + { + return SUCCESS; + } /* FALL */ case FAILED: default: @@ -368,6 +395,10 @@ static status_t build_application(private_tls_fragmentation_t *this) break; case SUCCESS: this->application_finished = TRUE; + if (!send_close_notify(this)) + { + break; + } /* FALL */ case FAILED: default: @@ -463,7 +494,8 @@ METHOD(tls_fragmentation_t, destroy, void, * See header */ tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake, - tls_alert_t *alert, tls_application_t *application) + tls_alert_t *alert, tls_application_t *application, + tls_purpose_t purpose) { private_tls_fragmentation_t *this; @@ -478,6 +510,7 @@ tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake, .alert = alert, .state = ALERT_NONE, .application = application, + .purpose = purpose, ); return &this->public; diff --git a/src/libtls/tls_fragmentation.h b/src/libtls/tls_fragmentation.h index f650e7be8..a49f27b20 100644 --- a/src/libtls/tls_fragmentation.h +++ b/src/libtls/tls_fragmentation.h @@ -80,9 +80,11 @@ struct tls_fragmentation_t { * @param handshake upper layer handshake protocol * @param alert TLS alert handler * @param application upper layer application data or NULL + * @param purpose type of context this TLS stack is running in * @return TLS fragmentation layer */ tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake, - tls_alert_t *alert, tls_application_t *application); + tls_alert_t *alert, tls_application_t *application, + tls_purpose_t purpose); #endif /** TLS_FRAGMENTATION_H_ @}*/ diff --git a/src/libtls/tls_handshake.h b/src/libtls/tls_handshake.h index 7fa660c58..7edb49ba0 100644 --- a/src/libtls/tls_handshake.h +++ b/src/libtls/tls_handshake.h @@ -97,6 +97,13 @@ struct tls_handshake_t { */ identification_t* (*get_server_id)(tls_handshake_t *this); + /** + * Get the peers authentication information after completing the handshake. + * + * @return authentication data, internal data + */ + auth_cfg_t* (*get_auth)(tls_handshake_t *this); + /** * Destroy a tls_handshake_t. */ diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c index a95b40f55..e6be36b7b 100644 --- a/src/libtls/tls_peer.c +++ b/src/libtls/tls_peer.c @@ -312,7 +312,7 @@ static status_t process_certificate(private_tls_peer_t *this, static public_key_t *find_public_key(private_tls_peer_t *this) { public_key_t *public = NULL, *current; - certificate_t *cert; + certificate_t *cert, *found; enumerator_t *enumerator; auth_cfg_t *auth; @@ -323,8 +323,13 @@ static public_key_t *find_public_key(private_tls_peer_t *this) KEY_ANY, cert->get_subject(cert), this->server_auth); while (enumerator->enumerate(enumerator, ¤t, &auth)) { - public = current->get_ref(current); - break; + found = auth->get(auth, AUTH_RULE_SUBJECT_CERT); + if (found && cert->equals(cert, found)) + { + public = current->get_ref(current); + this->server_auth->merge(this->server_auth, auth, FALSE); + break; + } } enumerator->destroy(enumerator); } @@ -379,7 +384,12 @@ static status_t process_modp_key_exchange(private_tls_peer_t *this, this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); return NEED_MORE; } - this->dh->set_other_public_value(this->dh, pub); + if (!this->dh->set_other_public_value(this->dh, pub)) + { + DBG1(DBG_TLS, "applying DH public value failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } this->state = STATE_KEY_EXCHANGE_RECEIVED; return NEED_MORE; @@ -489,7 +499,12 @@ static status_t process_ec_key_exchange(private_tls_peer_t *this, this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); return NEED_MORE; } - this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1)); + if (!this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1))) + { + DBG1(DBG_TLS, "applying DH public value failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } this->state = STATE_KEY_EXCHANGE_RECEIVED; return NEED_MORE; @@ -968,7 +983,7 @@ static status_t send_key_exchange_dhe(private_tls_peer_t *this, { chunk_t premaster, pub; - if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS) + if (!this->dh->get_shared_secret(this->dh, &premaster)) { DBG1(DBG_TLS, "calculating premaster from DH failed"); this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); @@ -985,7 +1000,11 @@ static status_t send_key_exchange_dhe(private_tls_peer_t *this, } chunk_clear(&premaster); - this->dh->get_my_public_value(this->dh, &pub); + if (!this->dh->get_my_public_value(this->dh, &pub)) + { + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM) { writer->write_data16(writer, pub); @@ -1153,6 +1172,12 @@ METHOD(tls_handshake_t, get_server_id, identification_t*, return this->server; } +METHOD(tls_handshake_t, get_auth, auth_cfg_t*, + private_tls_peer_t *this) +{ + return this->server_auth; +} + METHOD(tls_handshake_t, destroy, void, private_tls_peer_t *this) { @@ -1186,6 +1211,7 @@ tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert .finished = _finished, .get_peer_id = _get_peer_id, .get_server_id = _get_server_id, + .get_auth = _get_auth, .destroy = _destroy, }, }, diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c index b016db21f..e73fedc5d 100644 --- a/src/libtls/tls_protection.c +++ b/src/libtls/tls_protection.c @@ -101,14 +101,13 @@ METHOD(tls_protection_t, build, status_t, status_t status; status = this->compression->build(this->compression, type, data); - if (*type == TLS_CHANGE_CIPHER_SPEC) - { - this->seq_out = 0; - return status; - } - if (status == NEED_MORE) { + if (*type == TLS_CHANGE_CIPHER_SPEC) + { + this->seq_out = 0; + return status; + } if (this->aead_out) { if (!this->aead_out->encrypt(this->aead_out, this->version, diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c index aeb5a714f..b1a214f7f 100644 --- a/src/libtls/tls_server.c +++ b/src/libtls/tls_server.c @@ -494,8 +494,13 @@ static status_t process_key_exchange_dhe(private_tls_server_t *this, } pub = chunk_skip(pub, 1); } - this->dh->set_other_public_value(this->dh, pub); - if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS) + if (!this->dh->set_other_public_value(this->dh, pub)) + { + DBG1(DBG_TLS, "applying DH public value failed"); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } + if (!this->dh->get_shared_secret(this->dh, &premaster)) { DBG1(DBG_TLS, "calculating premaster from DH failed"); this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); @@ -551,6 +556,7 @@ static status_t process_cert_verify(private_tls_server_t *this, sig->destroy(sig); if (verified) { + this->peer_auth->merge(this->peer_auth, auth, FALSE); break; } DBG1(DBG_TLS, "signature verification failed, trying another key"); @@ -914,7 +920,11 @@ static status_t send_server_key_exchange(private_tls_server_t *this, this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); return NEED_MORE; } - this->dh->get_my_public_value(this->dh, &chunk); + if (!this->dh->get_my_public_value(this->dh, &chunk)) + { + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } if (params) { writer->write_data16(writer, chunk); @@ -1073,6 +1083,12 @@ METHOD(tls_handshake_t, get_server_id, identification_t*, return this->server; } +METHOD(tls_handshake_t, get_auth, auth_cfg_t*, + private_tls_server_t *this) +{ + return this->peer_auth; +} + METHOD(tls_handshake_t, destroy, void, private_tls_server_t *this) { @@ -1107,6 +1123,7 @@ tls_server_t *tls_server_create(tls_t *tls, .finished = _finished, .get_peer_id = _get_peer_id, .get_server_id = _get_server_id, + .get_auth = _get_auth, .destroy = _destroy, }, }, diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c index 648771e75..2ccd97571 100644 --- a/src/libtls/tls_socket.c +++ b/src/libtls/tls_socket.c @@ -291,25 +291,24 @@ METHOD(tls_socket_t, splice, bool, private_tls_socket_t *this, int rfd, int wfd) { char buf[PLAIN_BUF_SIZE], *pos; - fd_set set; ssize_t in, out; bool old, plain_eof = FALSE, crypto_eof = FALSE; + struct pollfd pfd[] = { + { .fd = this->fd, .events = POLLIN, }, + { .fd = rfd, .events = POLLIN, }, + }; while (!plain_eof && !crypto_eof) { - FD_ZERO(&set); - FD_SET(rfd, &set); - FD_SET(this->fd, &set); - old = thread_cancelability(TRUE); - in = select(max(rfd, this->fd) + 1, &set, NULL, NULL, NULL); + in = poll(pfd, countof(pfd), -1); thread_cancelability(old); if (in == -1) { DBG1(DBG_TLS, "TLS select error: %s", strerror(errno)); return FALSE; } - while (!plain_eof && FD_ISSET(this->fd, &set)) + while (!plain_eof && pfd[0].revents & (POLLIN | POLLHUP | POLLNVAL)) { in = read_(this, buf, sizeof(buf), FALSE); switch (in) @@ -342,7 +341,7 @@ METHOD(tls_socket_t, splice, bool, } break; } - if (!crypto_eof && FD_ISSET(rfd, &set)) + if (!crypto_eof && pfd[1].revents & (POLLIN | POLLHUP | POLLNVAL)) { in = read(rfd, buf, sizeof(buf)); switch (in) diff --git a/src/libtnccs/Android.mk b/src/libtnccs/Android.mk index 68f85c252..e37973202 100644 --- a/src/libtnccs/Android.mk +++ b/src/libtnccs/Android.mk @@ -22,7 +22,7 @@ endif LOCAL_SRC_FILES += $(call add_plugin, tnc-tnccs) LOCAL_SRC_FILES += $(call add_plugin, tnccs-20) -LOCAL_SRC_FILES += $(call add_plugin_subdirs, tnccs-20, batch messages messages/ietf messages/tcg state_machine) +LOCAL_SRC_FILES += $(call add_plugin_subdirs, tnccs-20, batch messages messages/ietf messages/ita messages/tcg state_machine) ifneq ($(call plugin_enabled, tnccs-20),) LOCAL_C_INCLUDES += $(LOCAL_PATH)/plugins/tnccs_20/ endif diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in index b0bfdf20d..dc8c1b8cc 100644 --- a/src/libtnccs/Makefile.in +++ b/src/libtnccs/Makefile.in @@ -283,6 +283,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -343,10 +344,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -420,6 +423,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in index 2b76aabe6..3641bdf5b 100644 --- a/src/libtnccs/plugins/tnc_imc/Makefile.in +++ b/src/libtnccs/plugins/tnc_imc/Makefile.in @@ -231,6 +231,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c b/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c index 859dded79..ce5b48133 100644 --- a/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c +++ b/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c @@ -44,6 +44,7 @@ METHOD(plugin_t, get_features, int, PLUGIN_CALLBACK(tnc_manager_register, tnc_imc_manager_create), PLUGIN_PROVIDE(CUSTOM, "imc-manager"), PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"), + PLUGIN_SDEPEND(CUSTOM, "imv-manager"), PLUGIN_SDEPEND(CERT_DECODE, CERT_X509), PLUGIN_SDEPEND(CERT_DECODE, CERT_TRUSTED_PUBKEY), }; diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h b/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h index 8c5521cb2..8cbc70367 100644 --- a/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h +++ b/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h @@ -15,7 +15,7 @@ /** * @defgroup tnc_imc tnc_imc - * @ingroup cplugins + * @ingroup tplugins * * @defgroup tnc_imc_plugin tnc_imc_plugin * @{ @ingroup tnc_imc diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in index 06e7b0480..c4b1bee23 100644 --- a/src/libtnccs/plugins/tnc_imv/Makefile.in +++ b/src/libtnccs/plugins/tnc_imv/Makefile.in @@ -232,6 +232,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h index afeee2ea2..5786bbaab 100644 --- a/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h @@ -15,7 +15,7 @@ /** * @defgroup tnc_imv tnc_imv - * @ingroup cplugins + * @ingroup tplugins * * @defgroup tnc_imv_plugin tnc_imv_plugin * @{ @ingroup tnc_imv diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in index 8910fe761..5b01e317a 100644 --- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in +++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in @@ -231,6 +231,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c index b8683f78c..30e505246 100644 --- a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c +++ b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -169,8 +169,8 @@ METHOD(tnccs_manager_t, remove_method, void, METHOD(tnccs_manager_t, create_instance, tnccs_t*, private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server, - identification_t *server, identification_t *peer, tnc_ift_type_t transport, - tnccs_cb_t cb) + identification_t *server_id, identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, tnccs_cb_t cb) { enumerator_t *enumerator; tnccs_entry_t *entry; @@ -182,7 +182,8 @@ METHOD(tnccs_manager_t, create_instance, tnccs_t*, { if (type == entry->type) { - protocol = entry->constructor(is_server, server, peer, transport, cb); + protocol = entry->constructor(is_server, server_id, peer_id, + server_ip, peer_ip, transport, cb); if (protocol) { break; @@ -716,7 +717,8 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result, case TNC_ATTRIBUTEID_AR_IDENTITIES: { linked_list_t *list; - identification_t *peer; + identification_t *peer_id; + host_t *peer_ip; tnccs_t *tnccs; tncif_identity_t *tnc_id; u_int32_t id_type, subject_type; @@ -726,10 +728,11 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result, list = linked_list_create(); tnccs = entry->tnccs; - peer = tnccs->tls.get_peer_id(&tnccs->tls); - if (peer) + + peer_id = tnccs->tls.get_peer_id(&tnccs->tls); + if (peer_id) { - switch (peer->get_type(peer)) + switch (peer_id->get_type(peer_id)) { case ID_IPV4_ADDR: id_type = TNC_ID_IPV4_ADDR; @@ -756,7 +759,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result, subject_type = TNC_SUBJECT_UNKNOWN; } if (id_type != TNC_ID_UNKNOWN && - asprintf(&id_str, "%Y", peer) >= 0) + asprintf(&id_str, "%Y", peer_id) >= 0) { id_value = chunk_from_str(id_str); tnc_id = tncif_identity_create( @@ -767,6 +770,33 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result, list->insert_last(list, tnc_id); } } + + peer_ip = tnccs->get_peer_ip(tnccs); + if (peer_ip) + { + switch (peer_ip->get_family(peer_ip)) + { + case AF_INET: + id_type = TNC_ID_IPV4_ADDR; + break; + case AF_INET6: + id_type = TNC_ID_IPV6_ADDR; + break; + default: + id_type = TNC_ID_UNKNOWN; + } + + if (id_type != TNC_ID_UNKNOWN && + asprintf(&id_str, "%H", peer_ip) >= 0) + { + id_value = chunk_from_str(id_str); + tnc_id = tncif_identity_create( + pen_type_create(PEN_TCG, id_type), id_value, + pen_type_create(PEN_TCG, TNC_SUBJECT_MACHINE), + pen_type_create(PEN_TCG, TNC_AUTH_UNKNOWN)); + list->insert_last(list, tnc_id); + } + } result = identity_attribute(buffer_len, buffer, value_len, list); list->destroy_offset(list, offsetof(tncif_identity_t, destroy)); return result; diff --git a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h index f935fa462..c99d5e7c8 100644 --- a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h +++ b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h @@ -15,7 +15,7 @@ /** * @defgroup tnc_tnccs tnc_tnccs - * @ingroup cplugins + * @ingroup tplugins * * @defgroup tnc_tnccs_plugin tnc_tnccs_plugin * @{ @ingroup tnc_tnccs diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in index ea6ac5546..e0c039af9 100644 --- a/src/libtnccs/plugins/tnccs_11/Makefile.in +++ b/src/libtnccs/plugins/tnccs_11/Makefile.in @@ -241,6 +241,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -301,10 +302,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -378,6 +381,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.c b/src/libtnccs/plugins/tnccs_11/tnccs_11.c index 28c5e52b7..0918a2bad 100644 --- a/src/libtnccs/plugins/tnccs_11/tnccs_11.c +++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -54,12 +54,22 @@ struct private_tnccs_11_t { /** * Server identity */ - identification_t *server; + identification_t *server_id; /** * Client identity */ - identification_t *peer; + identification_t *peer_id; + + /** + * Server IP address + */ + host_t *server_ip; + + /** + * Client IP address + */ + host_t *peer_ip; /** * Underlying TNC IF-T transport protocol @@ -527,20 +537,20 @@ METHOD(tls_t, is_server, bool, METHOD(tls_t, get_server_id, identification_t*, private_tnccs_11_t *this) { - return this->server; + return this->server_id; } METHOD(tls_t, set_peer_id, void, private_tnccs_11_t *this, identification_t *id) { - DESTROY_IF(this->peer); - this->peer = id->clone(id); + DESTROY_IF(this->peer_id); + this->peer_id = id->clone(id); } METHOD(tls_t, get_peer_id, identification_t*, private_tnccs_11_t *this) { - return this->peer; + return this->peer_id; } METHOD(tls_t, get_purpose, tls_purpose_t, @@ -578,14 +588,28 @@ METHOD(tls_t, destroy, void, { tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id, this->is_server); - this->server->destroy(this->server); - this->peer->destroy(this->peer); + this->server_id->destroy(this->server_id); + this->peer_id->destroy(this->peer_id); + this->server_ip->destroy(this->server_ip); + this->peer_ip->destroy(this->peer_ip); this->mutex->destroy(this->mutex); DESTROY_IF(this->batch); free(this); } } +METHOD(tnccs_t, get_server_ip, host_t*, + private_tnccs_11_t *this) +{ + return this->server_ip; +} + +METHOD(tnccs_t, get_peer_ip, host_t*, + private_tnccs_11_t *this) +{ + return this->peer_ip; +} + METHOD(tnccs_t, get_transport, tnc_ift_type_t, private_tnccs_11_t *this) { @@ -628,9 +652,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*, /** * See header */ -tnccs_t* tnccs_11_create(bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb) +tnccs_t* tnccs_11_create(bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb) { private_tnccs_11_t *this; @@ -648,6 +673,8 @@ tnccs_t* tnccs_11_create(bool is_server, .get_eap_msk = _get_eap_msk, .destroy = _destroy, }, + .get_server_ip = _get_server_ip, + .get_peer_ip = _get_peer_ip, .get_transport = _get_transport, .set_transport = _set_transport, .get_auth_type = _get_auth_type, @@ -656,8 +683,10 @@ tnccs_t* tnccs_11_create(bool is_server, .get_ref = _get_ref, }, .is_server = is_server, - .server = server->clone(server), - .peer = peer->clone(peer), + .server_id = server_id->clone(server_id), + .peer_id = peer_id->clone(peer_id), + .server_ip = server_ip->clone(server_ip), + .peer_ip = peer_ip->clone(peer_ip), .transport = transport, .callback = cb, .mutex = mutex_create(MUTEX_TYPE_DEFAULT), diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.h b/src/libtnccs/plugins/tnccs_11/tnccs_11.h index e805df8bb..60d5518bc 100644 --- a/src/libtnccs/plugins/tnccs_11/tnccs_11.h +++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -29,14 +29,17 @@ * Create an instance of the TNC IF-TNCCS 1.1 protocol handler. * * @param is_server TRUE to act as TNC Server, FALSE for TNC Client - * @param server Server identity - * @param peer Client identity + * @param server_id Server identity + * @param peer_id Client identity + * @param server_ip Server IP address + * @param peer_ip Client IP address * @param transport Underlying IF-T transport protocol * @param cb Callback function if TNC Server, NULL if TNC Client * @return TNC_IF_TNCCS 1.1 protocol stack */ -tnccs_t* tnccs_11_create(bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb); +tnccs_t* tnccs_11_create(bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb); #endif /** TNCCS_11_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h b/src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h index 619a073ad..73ea5759b 100644 --- a/src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h +++ b/src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h @@ -15,7 +15,7 @@ /** * @defgroup tnccs_11 tnccs_11 - * @ingroup cplugins + * @ingroup tplugins * * @defgroup tnccs_11_plugin tnccs_11_plugin * @{ @ingroup tnccs_11 diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.am b/src/libtnccs/plugins/tnccs_20/Makefile.am index 2aefecd26..7d1cdded1 100644 --- a/src/libtnccs/plugins/tnccs_20/Makefile.am +++ b/src/libtnccs/plugins/tnccs_20/Makefile.am @@ -18,6 +18,8 @@ endif libstrongswan_tnccs_20_la_SOURCES = \ tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c \ + tnccs_20_handler.h \ + tnccs_20_server.h tnccs_20_server.c tnccs_20_client.h tnccs_20_client.c \ batch/pb_tnc_batch.h batch/pb_tnc_batch.c \ messages/pb_tnc_msg.h messages/pb_tnc_msg.c \ messages/ietf/pb_experimental_msg.h messages/ietf/pb_experimental_msg.c \ @@ -28,6 +30,8 @@ libstrongswan_tnccs_20_la_SOURCES = \ messages/ietf/pb_language_preference_msg.h messages/ietf/pb_language_preference_msg.c \ messages/ietf/pb_reason_string_msg.h messages/ietf/pb_reason_string_msg.c \ messages/ietf/pb_remediation_parameters_msg.h messages/ietf/pb_remediation_parameters_msg.c \ + messages/ita/pb_mutual_capability_msg.h messages/ita/pb_mutual_capability_msg.c \ + messages/ita/pb_noskip_test_msg.h messages/ita/pb_noskip_test_msg.c \ messages/tcg/pb_pdp_referral_msg.h messages/tcg/pb_pdp_referral_msg.c \ state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in index 90c804710..17d997f76 100644 --- a/src/libtnccs/plugins/tnccs_20/Makefile.in +++ b/src/libtnccs/plugins/tnccs_20/Makefile.in @@ -132,8 +132,8 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) @MONOLITHIC_FALSE@ $(top_builddir)/src/libtnccs/libtnccs.la am__dirstamp = $(am__leading_dot)dirstamp am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo \ - batch/pb_tnc_batch.lo messages/pb_tnc_msg.lo \ - messages/ietf/pb_experimental_msg.lo \ + tnccs_20_server.lo tnccs_20_client.lo batch/pb_tnc_batch.lo \ + messages/pb_tnc_msg.lo messages/ietf/pb_experimental_msg.lo \ messages/ietf/pb_pa_msg.lo \ messages/ietf/pb_assessment_result_msg.lo \ messages/ietf/pb_access_recommendation_msg.lo \ @@ -141,6 +141,8 @@ am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo \ messages/ietf/pb_language_preference_msg.lo \ messages/ietf/pb_reason_string_msg.lo \ messages/ietf/pb_remediation_parameters_msg.lo \ + messages/ita/pb_mutual_capability_msg.lo \ + messages/ita/pb_noskip_test_msg.lo \ messages/tcg/pb_pdp_referral_msg.lo \ state_machine/pb_tnc_state_machine.lo libstrongswan_tnccs_20_la_OBJECTS = \ @@ -242,6 +244,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -302,10 +305,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -379,6 +384,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -454,6 +461,8 @@ AM_CFLAGS = \ libstrongswan_tnccs_20_la_SOURCES = \ tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c \ + tnccs_20_handler.h \ + tnccs_20_server.h tnccs_20_server.c tnccs_20_client.h tnccs_20_client.c \ batch/pb_tnc_batch.h batch/pb_tnc_batch.c \ messages/pb_tnc_msg.h messages/pb_tnc_msg.c \ messages/ietf/pb_experimental_msg.h messages/ietf/pb_experimental_msg.c \ @@ -464,6 +473,8 @@ libstrongswan_tnccs_20_la_SOURCES = \ messages/ietf/pb_language_preference_msg.h messages/ietf/pb_language_preference_msg.c \ messages/ietf/pb_reason_string_msg.h messages/ietf/pb_reason_string_msg.c \ messages/ietf/pb_remediation_parameters_msg.h messages/ietf/pb_remediation_parameters_msg.c \ + messages/ita/pb_mutual_capability_msg.h messages/ita/pb_mutual_capability_msg.c \ + messages/ita/pb_noskip_test_msg.h messages/ita/pb_noskip_test_msg.c \ messages/tcg/pb_pdp_referral_msg.h messages/tcg/pb_pdp_referral_msg.c \ state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c @@ -590,6 +601,17 @@ messages/ietf/pb_reason_string_msg.lo: messages/ietf/$(am__dirstamp) \ messages/ietf/pb_remediation_parameters_msg.lo: \ messages/ietf/$(am__dirstamp) \ messages/ietf/$(DEPDIR)/$(am__dirstamp) +messages/ita/$(am__dirstamp): + @$(MKDIR_P) messages/ita + @: > messages/ita/$(am__dirstamp) +messages/ita/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) messages/ita/$(DEPDIR) + @: > messages/ita/$(DEPDIR)/$(am__dirstamp) +messages/ita/pb_mutual_capability_msg.lo: \ + messages/ita/$(am__dirstamp) \ + messages/ita/$(DEPDIR)/$(am__dirstamp) +messages/ita/pb_noskip_test_msg.lo: messages/ita/$(am__dirstamp) \ + messages/ita/$(DEPDIR)/$(am__dirstamp) messages/tcg/$(am__dirstamp): @$(MKDIR_P) messages/tcg @: > messages/tcg/$(am__dirstamp) @@ -618,6 +640,8 @@ mostlyclean-compile: -rm -f messages/*.lo -rm -f messages/ietf/*.$(OBJEXT) -rm -f messages/ietf/*.lo + -rm -f messages/ita/*.$(OBJEXT) + -rm -f messages/ita/*.lo -rm -f messages/tcg/*.$(OBJEXT) -rm -f messages/tcg/*.lo -rm -f state_machine/*.$(OBJEXT) @@ -627,7 +651,9 @@ distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_client.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_server.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@batch/$(DEPDIR)/pb_tnc_batch.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@messages/$(DEPDIR)/pb_tnc_msg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@messages/ietf/$(DEPDIR)/pb_access_recommendation_msg.Plo@am__quote@ @@ -638,6 +664,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@messages/ietf/$(DEPDIR)/pb_pa_msg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@messages/ietf/$(DEPDIR)/pb_reason_string_msg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@messages/ietf/$(DEPDIR)/pb_remediation_parameters_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@messages/ita/$(DEPDIR)/pb_mutual_capability_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@messages/ita/$(DEPDIR)/pb_noskip_test_msg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@messages/tcg/$(DEPDIR)/pb_pdp_referral_msg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@state_machine/$(DEPDIR)/pb_tnc_state_machine.Plo@am__quote@ @@ -673,6 +701,7 @@ clean-libtool: -rm -rf batch/.libs batch/_libs -rm -rf messages/.libs messages/_libs -rm -rf messages/ietf/.libs messages/ietf/_libs + -rm -rf messages/ita/.libs messages/ita/_libs -rm -rf messages/tcg/.libs messages/tcg/_libs -rm -rf state_machine/.libs state_machine/_libs @@ -797,6 +826,8 @@ distclean-generic: -rm -f messages/$(am__dirstamp) -rm -f messages/ietf/$(DEPDIR)/$(am__dirstamp) -rm -f messages/ietf/$(am__dirstamp) + -rm -f messages/ita/$(DEPDIR)/$(am__dirstamp) + -rm -f messages/ita/$(am__dirstamp) -rm -f messages/tcg/$(DEPDIR)/$(am__dirstamp) -rm -f messages/tcg/$(am__dirstamp) -rm -f state_machine/$(DEPDIR)/$(am__dirstamp) @@ -811,7 +842,7 @@ clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ clean-pluginLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) batch/$(DEPDIR) messages/$(DEPDIR) messages/ietf/$(DEPDIR) messages/tcg/$(DEPDIR) state_machine/$(DEPDIR) + -rm -rf ./$(DEPDIR) batch/$(DEPDIR) messages/$(DEPDIR) messages/ietf/$(DEPDIR) messages/ita/$(DEPDIR) messages/tcg/$(DEPDIR) state_machine/$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -857,7 +888,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) batch/$(DEPDIR) messages/$(DEPDIR) messages/ietf/$(DEPDIR) messages/tcg/$(DEPDIR) state_machine/$(DEPDIR) + -rm -rf ./$(DEPDIR) batch/$(DEPDIR) messages/$(DEPDIR) messages/ietf/$(DEPDIR) messages/ita/$(DEPDIR) messages/tcg/$(DEPDIR) state_machine/$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic diff --git a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c index 228c08255..faad02b9b 100644 --- a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c +++ b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2010 Sansar Choinyanbuu - * Copyright (C) 2010-2012 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -85,7 +85,7 @@ struct private_pb_tnc_batch_t { pb_tnc_batch_t public; /** - * TNCC if TRUE, TNCS if FALSE + * from TNC server if TRUE, from TNC client if FALSE */ bool is_server; @@ -166,6 +166,9 @@ METHOD(pb_tnc_batch_t, add_msg, bool, case PEN_TCG: msg_type_names = pb_tnc_tcg_msg_type_names; break; + case PEN_ITA: + msg_type_names = pb_tnc_ita_msg_type_names; + break; } DBG2(DBG_TNC, "adding %N/%N message", pen_names, msg_type.vendor_id, msg_type_names, msg_type.type); @@ -176,6 +179,7 @@ METHOD(pb_tnc_batch_t, add_msg, bool, METHOD(pb_tnc_batch_t, build, void, private_pb_tnc_batch_t *this) { + u_int8_t version; u_int32_t msg_len; chunk_t msg_value; enumerator_t *enumerator; @@ -184,9 +188,14 @@ METHOD(pb_tnc_batch_t, build, void, pb_tnc_msg_info_t *msg_infos; bio_writer_t *writer; + /* Set wrong PB-TNC version for testing purposes to force a PB-TNC error */ + version = lib->settings->get_int(lib->settings, + "%s.plugins.tnccs-20.tests.pb_tnc_version", + PB_TNC_VERSION, lib->ns); + /* build PB-TNC batch header */ writer = bio_writer_create(this->batch_len); - writer->write_uint8 (writer, PB_TNC_VERSION); + writer->write_uint8 (writer, version); writer->write_uint8 (writer, this->is_server ? PB_TNC_BATCH_FLAG_D : PB_TNC_BATCH_FLAG_NONE); writer->write_uint16(writer, this->type); @@ -211,6 +220,9 @@ METHOD(pb_tnc_batch_t, build, void, case PEN_TCG: msg_infos = pb_tnc_tcg_msg_infos; break; + case PEN_ITA: + msg_infos = pb_tnc_ita_msg_infos; + break; } if (msg_infos[msg_type.type].has_noskip_flag) { @@ -228,15 +240,15 @@ METHOD(pb_tnc_batch_t, build, void, writer->destroy(writer); } -static status_t process_batch_header(private_pb_tnc_batch_t *this, - pb_tnc_state_machine_t *state_machine) +METHOD(pb_tnc_batch_t, process_header, status_t, + private_pb_tnc_batch_t *this, bool directionality, bool is_server, + bool *from_server) { bio_reader_t *reader; pb_tnc_msg_t *msg; pb_error_msg_t *err_msg; u_int8_t version, flags, reserved, type; u_int32_t batch_len; - bool directionality; if (this->encoding.len < PB_TNC_BATCH_HEADER_SIZE) { @@ -267,13 +279,14 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this, } /* Directionality */ - directionality = (flags & PB_TNC_BATCH_FLAG_D) != PB_TNC_BATCH_FLAG_NONE; - if (directionality == this->is_server) + *from_server = (flags & PB_TNC_BATCH_FLAG_D) != PB_TNC_BATCH_FLAG_NONE; + + if (directionality & (*from_server == is_server)) { DBG1(DBG_TNC, "wrong Directionality: batch is from a PB %s", - directionality ? "server" : "client"); + is_server ? "server" : "client"); msg = pb_error_msg_create_with_offset(TRUE, PEN_IETF, - PB_ERROR_INVALID_PARAMETER, 1); + PB_ERROR_INVALID_PARAMETER, 1); goto fatal; } @@ -287,17 +300,6 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this, goto fatal; } - if (!state_machine->receive_batch(state_machine, this->type)) - { - DBG1(DBG_TNC, "unexpected PB-TNC batch type: %N", - pb_tnc_batch_type_names, this->type); - msg = pb_error_msg_create(TRUE, PEN_IETF, - PB_ERROR_UNEXPECTED_BATCH_TYPE); - goto fatal; - } - DBG1(DBG_TNC, "processing PB-TNC %N batch", pb_tnc_batch_type_names, - this->type); - /* Batch Length */ if (this->encoding.len != batch_len) { @@ -310,12 +312,6 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this, this->offset = PB_TNC_BATCH_HEADER_SIZE; - /* Register an empty CDATA batch with the state machine */ - if (this->type == PB_BATCH_CDATA) - { - state_machine->set_empty_cdata(state_machine, - this->offset == this->encoding.len); - } return SUCCESS; fatal: @@ -395,11 +391,18 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this) msg_type_names = pb_tnc_msg_type_names; msg_infos = pb_tnc_msg_infos; } - else if (vendor_id == PEN_TCG && msg_type <= PB_TCG_MSG_ROOF) + else if (vendor_id == PEN_TCG && msg_type <= PB_TCG_MSG_ROOF && + msg_type > PB_TCG_MSG_RESERVED) { msg_type_names = pb_tnc_tcg_msg_type_names; msg_infos = pb_tnc_tcg_msg_infos; } + else if (vendor_id == PEN_ITA && msg_type <= PB_ITA_MSG_ROOF && + msg_type > PB_ITA_MSG_NOSKIP_TEST) + { + msg_type_names = pb_tnc_ita_msg_type_names; + msg_infos = pb_tnc_ita_msg_infos; + } else { if (msg_len < PB_TNC_MSG_HEADER_SIZE) @@ -413,7 +416,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this) if (noskip_flag) { - DBG1(DBG_TNC, "reject PB-TNC message 0x%06x/0x%08x)", + DBG1(DBG_TNC, "reject PB-TNC message (0x%06x/0x%08x)", vendor_id, msg_type); msg = pb_error_msg_create_with_offset(TRUE, PEN_IETF, PB_ERROR_UNSUPPORTED_MANDATORY_MSG, this->offset); @@ -421,7 +424,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this) } else { - DBG1(DBG_TNC, "ignore PB-TNC message 0x%06x/0x%08x)", + DBG1(DBG_TNC, "ignore PB-TNC message (0x%06x/0x%08x)", vendor_id, msg_type); this->offset += msg_len; return SUCCESS; @@ -502,14 +505,26 @@ fatal: METHOD(pb_tnc_batch_t, process, status_t, private_pb_tnc_batch_t *this, pb_tnc_state_machine_t *state_machine) { - status_t status; + pb_tnc_msg_t *msg; + status_t status = SUCCESS; - status = process_batch_header(this, state_machine); - if (status != SUCCESS) + if (!state_machine->receive_batch(state_machine, this->type)) { + DBG1(DBG_TNC, "unexpected PB-TNC batch type: %N", + pb_tnc_batch_type_names, this->type); + msg = pb_error_msg_create(TRUE, PEN_IETF, + PB_ERROR_UNEXPECTED_BATCH_TYPE); + this->errors->insert_last(this->errors, msg); return FAILED; } + /* Register an empty CDATA batch with the state machine */ + if (this->type == PB_BATCH_CDATA) + { + state_machine->set_empty_cdata(state_machine, + this->offset == this->encoding.len); + } + while (this->offset < this->encoding.len) { switch (process_tnc_msg(this)) @@ -585,7 +600,7 @@ pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type, /** * See header */ -pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data) +pb_tnc_batch_t* pb_tnc_batch_create_from_data(chunk_t data) { private_pb_tnc_batch_t *this; @@ -595,12 +610,12 @@ pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data) .get_encoding = _get_encoding, .add_msg = _add_msg, .build = _build, + .process_header = _process_header, .process = _process, .create_msg_enumerator = _create_msg_enumerator, .create_error_enumerator = _create_error_enumerator, .destroy = _destroy, }, - .is_server = is_server, .messages = linked_list_create(), .errors = linked_list_create(), .encoding = chunk_clone(data), diff --git a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h index 106c5578c..6089c7d2e 100644 --- a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h +++ b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2012 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -83,11 +83,22 @@ struct pb_tnc_batch_t { */ void (*build)(pb_tnc_batch_t *this); + /** + * Process the PB-TNC Batch header + * + * @param directionality TRUE if no mutual TNC measurements + * @param is_server TRUE if called by TNC server + * @param from_server TRUE if sent by TNC server + * @return return processing status + */ + status_t (*process_header)(pb_tnc_batch_t *this, bool directionality, + bool is_server, bool *from_server); + /** * Process the PB-TNC Batch * - * @param PB-TNC state machine - * @return return processing status + * @param state_machine PB-TNC state machine + * @return return processing status */ status_t (*process)(pb_tnc_batch_t *this, pb_tnc_state_machine_t *state_machine); @@ -95,14 +106,14 @@ struct pb_tnc_batch_t { /** * Enumerates over all PB-TNC Messages * - * @return return message enumerator + * @return return message enumerator */ enumerator_t* (*create_msg_enumerator)(pb_tnc_batch_t *this); /** * Enumerates over all parsing errors * - * @return return error enumerator + * @return return error enumerator */ enumerator_t* (*create_error_enumerator)(pb_tnc_batch_t *this); @@ -115,9 +126,9 @@ struct pb_tnc_batch_t { /** * Create an empty PB-TNC Batch of a given type * - * @param is_server TRUE if server, FALSE if client - * @param type PB-TNC batch type - * @param max_batch_len maximum size the PB-TNC batch + * @param is_server TRUE if server, FALSE if client + * @param type PB-TNC batch type + * @param max_batch_len maximum size the PB-TNC batch */ pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type, size_t max_batch_len); @@ -125,9 +136,8 @@ pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type, /** * Create an unprocessed PB-TNC Batch from data * - * @param is_server TRUE if server, FALSE if client * @param data encoded PB-TNC batch */ -pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data); +pb_tnc_batch_t* pb_tnc_batch_create_from_data(chunk_t data); #endif /** PB_TNC_BATCH_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.c b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.c new file mode 100644 index 000000000..1f35cae6b --- /dev/null +++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.c @@ -0,0 +1,174 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_mutual_capability_msg.h" + +#include +#include +#include + +ENUM(pb_tnc_mutual_protocol_type_names, PB_MUTUAL_HALF_DUPLEX, + PB_MUTUAL_FULL_DUPLEX, + "half duplex", + "full duplex" +); + +typedef struct private_pb_mutual_capability_msg_t private_pb_mutual_capability_msg_t; + +/** + * PB-Mutual-Capability message + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * |H|F| Reserved | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +# define MUTUAL_CAPABILITY_HEADER_SIZE 4 + +/** + * Private data of a pb_mutual_capability_msg_t object. + * + */ +struct private_pb_mutual_capability_msg_t { + /** + * Public pb_mutual_capability_msg_t interface. + */ + pb_mutual_capability_msg_t public; + + /** + * PB-TNC message type + */ + pen_type_t type; + + /** + * PB-TNC mutual protocols + */ + uint32_t protocols; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pen_type_t, + private_pb_mutual_capability_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_mutual_capability_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_mutual_capability_msg_t *this) +{ + bio_writer_t *writer; + + if (this->encoding.ptr) + { + return; + } + writer = bio_writer_create(MUTUAL_CAPABILITY_HEADER_SIZE); + writer->write_uint32(writer, this->protocols); + + this->encoding = writer->get_buf(writer); + this->encoding = chunk_clone(this->encoding); + writer->destroy(writer); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_mutual_capability_msg_t *this, u_int32_t *offset) +{ + bio_reader_t *reader; + + *offset = 0; + + /* process message */ + reader = bio_reader_create(this->encoding); + reader->read_uint32(reader, &this->protocols); + reader->destroy(reader); + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_mutual_capability_msg_t *this) +{ + free(this->encoding.ptr); + free(this); +} + +METHOD(pb_mutual_capability_msg_t, get_protocols, uint32_t, + private_pb_mutual_capability_msg_t *this) +{ + return this->protocols; +} + +/** + * See header + */ +pb_tnc_msg_t* pb_mutual_capability_msg_create(uint32_t protocols) +{ + private_pb_mutual_capability_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_protocols = _get_protocols, + }, + .type = { PEN_ITA, PB_ITA_MSG_MUTUAL_CAPABILITY }, + .protocols = protocols, + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_mutual_capability_msg_create_from_data(chunk_t data) +{ + private_pb_mutual_capability_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_protocols = _get_protocols, + }, + .type = { PEN_ITA, PB_ITA_MSG_MUTUAL_CAPABILITY }, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.h b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.h new file mode 100644 index 000000000..db810a012 --- /dev/null +++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.h @@ -0,0 +1,75 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_mutual_capability_msg pb_mutual_capability_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_MUTUAL_CAPABILITY_MSG_H_ +#define PB_MUTUAL_CAPABILITY_MSG_H_ + +typedef enum pb_tnc_mutual_protocol_type_t pb_tnc_mutual_protocol_type_t; +typedef struct pb_mutual_capability_msg_t pb_mutual_capability_msg_t; + +#include "messages/pb_tnc_msg.h" + +/** + * PB-TNC mutual protocol types + */ +enum pb_tnc_mutual_protocol_type_t { + PB_MUTUAL_HALF_DUPLEX = (1 << 31), + PB_MUTUAL_FULL_DUPLEX = (1 << 30) +}; + +/** + * enum name for pb_mutual_protocol_type_t. + */ +extern enum_name_t *pb_tnc_mutual_protocol_type_names; + +/** + * Class representing the PB-Mutual-Capabilities message type. + */ +struct pb_mutual_capability_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; + + /** + * Get the PB-TNC mutual protocol types + * + * @return PB-TNC mutual protocol types + */ + uint32_t(*get_protocols)(pb_mutual_capability_msg_t *this); + +}; + +/** + * Create a PB-Mutual-Capability message + * + * @param protocols Supported PB-TNC mutual protocols + */ +pb_tnc_msg_t* pb_mutual_capability_msg_create(uint32_t protocols); + +/** + * Create an unprocessed PB-Mutual-Capability message from raw data + * + * @param data PB-Mutual-Capability message data + */ +pb_tnc_msg_t* pb_mutual_capability_msg_create_from_data(chunk_t data); + +#endif /** PB_MUTUAL_CAPABILITY_MSG_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c new file mode 100644 index 000000000..c95222e3a --- /dev/null +++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c @@ -0,0 +1,92 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_noskip_test_msg.h" + +typedef struct private_pb_noskip_test_msg_t private_pb_noskip_test_msg_t; + +/** + * Private data of a pb_noskip_test_msg_t object. + * + */ +struct private_pb_noskip_test_msg_t { + /** + * Public pb_noskip_test_msg_t interface. + */ + pb_noskip_test_msg_t public; + + /** + * PB-TNC message type + */ + pen_type_t type; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pen_type_t, + private_pb_noskip_test_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_noskip_test_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_noskip_test_msg_t *this) +{ + /* nothing to do since the message is empty */ +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_noskip_test_msg_t *this, u_int32_t *offset) +{ + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_noskip_test_msg_t *this) +{ + free(this); +} + +/** + * See header + */ +pb_tnc_msg_t *pb_noskip_test_msg_create(void) +{ + private_pb_noskip_test_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + }, + .type = { PEN_ITA, PB_ITA_MSG_NOSKIP_TEST }, + ); + + return &this->public.pb_interface; +} diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h new file mode 100644 index 000000000..6325582da --- /dev/null +++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h @@ -0,0 +1,44 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_noskip_test_msg pb_noskip_test_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_NOSKIP_TEST_MSG_H_ +#define PB_NOSKIP_TEST_MSG_H_ + +typedef struct pb_noskip_test_msg_t pb_noskip_test_msg_t; + +#include "messages/pb_tnc_msg.h" + +/** + * Class representing the PB-Noskip-Test message type. + */ +struct pb_noskip_test_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; +}; + +/** + * Create a PB-Noskip-Test message from parameters + */ +pb_tnc_msg_t* pb_noskip_test_msg_create(void); + +#endif /** PB_NOSKIP_TEST_MSG_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c index ec43490f4..b46c776e4 100644 --- a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c +++ b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c @@ -22,6 +22,7 @@ #include "ietf/pb_access_recommendation_msg.h" #include "ietf/pb_remediation_parameters_msg.h" #include "ietf/pb_reason_string_msg.h" +#include "ita/pb_mutual_capability_msg.h" #include "tcg/pb_pdp_referral_msg.h" #include @@ -37,10 +38,17 @@ ENUM(pb_tnc_msg_type_names, PB_MSG_EXPERIMENTAL, PB_MSG_REASON_STRING, "PB-Reason-String" ); -ENUM(pb_tnc_tcg_msg_type_names, PB_TCG_MSG_PDP_REFERRAL, PB_TCG_MSG_PDP_REFERRAL, +ENUM(pb_tnc_tcg_msg_type_names, PB_TCG_MSG_PDP_REFERRAL, + PB_TCG_MSG_PDP_REFERRAL, "PB-PDP-Referral" ); +ENUM(pb_tnc_ita_msg_type_names, PB_ITA_MSG_NOSKIP_TEST, + PB_ITA_MSG_MUTUAL_CAPABILITY, + "PB-Noskip-Test", + "PB-Mutual-Capability" +); + pb_tnc_msg_info_t pb_tnc_msg_infos[] = { { 12, FALSE, FALSE, TRUE_OR_FALSE }, { 24, FALSE, FALSE, TRUE }, @@ -57,6 +65,11 @@ pb_tnc_msg_info_t pb_tnc_tcg_msg_infos[] = { { 20, FALSE, FALSE, FALSE }, }; +pb_tnc_msg_info_t pb_tnc_ita_msg_infos[] = { + { 12, TRUE, FALSE, TRUE }, + { 16, FALSE, FALSE, FALSE }, +}; + /** * See header */ @@ -91,5 +104,12 @@ pb_tnc_msg_t* pb_tnc_msg_create_from_data(pen_type_t msg_type, chunk_t value) return pb_pdp_referral_msg_create_from_data(value); } } + else if (msg_type.vendor_id == PEN_ITA) + { + if (msg_type.type == PB_ITA_MSG_MUTUAL_CAPABILITY) + { + return pb_mutual_capability_msg_create_from_data(value); + } + } return NULL; } diff --git a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h index 6eeed5156..35b0b7c26 100644 --- a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h +++ b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h @@ -54,6 +54,7 @@ extern enum_name_t *pb_tnc_msg_type_names; * PB-TNC Message Type defined in the TCG namespace */ enum pb_tnc_tcg_msg_type_t { + PB_TCG_MSG_RESERVED = 0, PB_TCG_MSG_PDP_REFERRAL = 1, PB_TCG_MSG_ROOF = 1 }; @@ -63,6 +64,20 @@ enum pb_tnc_tcg_msg_type_t { */ extern enum_name_t *pb_tnc_tcg_msg_type_names; +/** + * PB-TNC Message Type defined in the ITA namespace + */ +enum pb_tnc_ita_msg_type_t { + PB_ITA_MSG_NOSKIP_TEST = 0, + PB_ITA_MSG_MUTUAL_CAPABILITY = 1, + PB_ITA_MSG_ROOF = 1 +}; + +/** + * enum name for pb_tnc_tcg_msg_type_t. + */ +extern enum_name_t *pb_tnc_ita_msg_type_names; + /** * Information entry describing a PB-TNC Message Type */ @@ -85,6 +100,11 @@ extern pb_tnc_msg_info_t pb_tnc_msg_infos[]; */ extern pb_tnc_msg_info_t pb_tnc_tcg_msg_infos[]; +/** + * Information on PB-TNC ITA Message Types + */ +extern pb_tnc_msg_info_t pb_tnc_ita_msg_infos[]; + /** * Generic interface for all PB-TNC message types. * diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.c b/src/libtnccs/plugins/tnccs_20/tnccs_20.c index dc4da51c6..a1a95733f 100644 --- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2010 Sansar Choinyanbuu - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,30 +15,17 @@ */ #include "tnccs_20.h" +#include "tnccs_20_handler.h" +#include "tnccs_20_server.h" +#include "tnccs_20_client.h" #include "batch/pb_tnc_batch.h" #include "messages/pb_tnc_msg.h" #include "messages/ietf/pb_pa_msg.h" -#include "messages/ietf/pb_error_msg.h" -#include "messages/ietf/pb_assessment_result_msg.h" -#include "messages/ietf/pb_access_recommendation_msg.h" -#include "messages/ietf/pb_remediation_parameters_msg.h" -#include "messages/ietf/pb_reason_string_msg.h" -#include "messages/ietf/pb_language_preference_msg.h" -#include "messages/tcg/pb_pdp_referral_msg.h" -#include "state_machine/pb_tnc_state_machine.h" #include #include -#include -#include -#include -#include - -#include #include -#include -#include typedef struct private_tnccs_20_t private_tnccs_20_t; @@ -60,98 +47,78 @@ struct private_tnccs_20_t { /** * Server identity */ - identification_t *server; + identification_t *server_id; /** * Client identity */ - identification_t *peer; + identification_t *peer_id; /** - * Underlying TNC IF-T transport protocol + * Server IP address */ - tnc_ift_type_t transport; + host_t *server_ip; /** - * Type of TNC client authentication + * Client IP address */ - u_int32_t auth_type; + host_t *peer_ip; /** - * PB-TNC State Machine + * Underlying TNC IF-T transport protocol */ - pb_tnc_state_machine_t *state_machine; + tnc_ift_type_t transport; /** - * Connection ID assigned to this TNCCS connection + * TNC IF-T transport protocol for EAP methods */ - TNC_ConnectionID connection_id; + bool eap_transport; /** - * PB-TNC messages to be sent + * Type of TNC client authentication */ - linked_list_t *messages; + u_int32_t auth_type; /** - * Type of PB-TNC batch being constructed + * Mutual PB-TNC protocol enabled */ - pb_tnc_batch_type_t batch_type; + bool mutual; /** - * Maximum PB-TNC batch size + * Direction the next batch will go to */ - size_t max_batch_len; + bool to_server; /** - * Maximum PA-TNC message size + * TNC Server */ - size_t max_msg_len; + tnccs_20_handler_t *tnc_server; /** - * Mutex locking the batch in construction + * TNC Client */ - mutex_t *mutex; + tnccs_20_handler_t *tnc_client; /** - * Flag set while processing + * Active TNCSS handler */ - bool fatal_error; + tnccs_20_handler_t *tnccs_handler; /** - * Flag set by IMC/IMV RequestHandshakeRetry() function + * Maximum PB-TNC batch size */ - bool request_handshake_retry; - - /** - * SendMessage() by IMC/IMV only allowed if flag is set - */ - bool send_msg; + size_t max_batch_len; /** - * Set of IMV recommendations (TNC Server only) + * Maximum PA-TNC message size */ - recommendations_t *recs; + size_t max_msg_len; /** * Callback function to communicate recommendation (TNC Server only) */ tnccs_cb_t callback; - /** - * Data to pass to callback function (TNC Server only) - */ - void *cb_data; - - /** - * PDP server FQDN - */ - chunk_t pdp_server; - - /** - * PDP server port - */ - u_int16_t pdp_port; - /** * reference count */ @@ -159,48 +126,24 @@ struct private_tnccs_20_t { }; -/** - * If the batch type changes then delete all accumulated PB-TNC messages - */ -void change_batch_type(private_tnccs_20_t *this, pb_tnc_batch_type_t batch_type) -{ - pb_tnc_msg_t *msg; - - if (batch_type != this->batch_type) - { - if (this->batch_type != PB_BATCH_NONE) - { - DBG1(DBG_TNC, "cancelling PB-TNC %N batch", - pb_tnc_batch_type_names, this->batch_type); - - while (this->messages->remove_last(this->messages, - (void**)&msg) == SUCCESS) - { - msg->destroy(msg); - } - } - this->batch_type = batch_type; - } -} - METHOD(tnccs_t, send_msg, TNC_Result, private_tnccs_20_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id, - TNC_UInt32 msg_flags, + TNC_UInt32 msg_flags, TNC_BufferReference msg, TNC_UInt32 msg_len, - TNC_VendorID msg_vid, - TNC_MessageSubtype msg_subtype) + TNC_VendorID msg_vid, + TNC_MessageSubtype msg_subtype) { pb_tnc_msg_t *pb_tnc_msg; - pb_tnc_batch_type_t batch_type; enum_name_t *pa_subtype_names; bool excl; - if (!this->send_msg) + if (!this->tnccs_handler->get_send_flag(this->tnccs_handler)) { DBG1(DBG_TNC, "%s %u not allowed to call SendMessage()", - this->is_server ? "IMV" : "IMC", - this->is_server ? imv_id : imc_id); + this->to_server ? "IMC" : "IMV", + this->to_server ? imc_id : imv_id); + return TNC_RESULT_ILLEGAL_OPERATION; } excl = (msg_flags & TNC_MESSAGE_FLAGS_EXCLUSIVE) != 0; @@ -220,698 +163,169 @@ METHOD(tnccs_t, send_msg, TNC_Result, DBG2(DBG_TNC, "creating PB-PA message type '%N' 0x%06x/0x%08x", pen_names, msg_vid, msg_vid, msg_subtype); } + this->tnccs_handler->add_msg(this->tnccs_handler, pb_tnc_msg); - /* adding PA message to SDATA or CDATA batch only */ - batch_type = this->is_server ? PB_BATCH_SDATA : PB_BATCH_CDATA; - this->mutex->lock(this->mutex); - if (this->batch_type == PB_BATCH_NONE) - { - this->batch_type = batch_type; - } - if (this->batch_type == batch_type) - { - this->messages->insert_last(this->messages, pb_tnc_msg); - } - else - { - pb_tnc_msg->destroy(pb_tnc_msg); - } - this->mutex->unlock(this->mutex); return TNC_RESULT_SUCCESS; } -/** - * Handle a single PB-TNC IETF standard message according to its type - */ -static void handle_ietf_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg) -{ - pen_type_t msg_type = msg->get_type(msg); - - switch (msg_type.type) - { - case PB_MSG_EXPERIMENTAL: - /* nothing to do */ - break; - case PB_MSG_PA: - { - pb_pa_msg_t *pa_msg; - pen_type_t msg_subtype; - u_int16_t imc_id, imv_id; - chunk_t msg_body; - bool excl; - enum_name_t *pa_subtype_names; - - pa_msg = (pb_pa_msg_t*)msg; - msg_subtype = pa_msg->get_subtype(pa_msg); - msg_body = pa_msg->get_body(pa_msg); - imc_id = pa_msg->get_collector_id(pa_msg); - imv_id = pa_msg->get_validator_id(pa_msg); - excl = pa_msg->get_exclusive_flag(pa_msg); - - pa_subtype_names = get_pa_subtype_names(msg_subtype.vendor_id); - if (pa_subtype_names) - { - DBG2(DBG_TNC, "handling PB-PA message type '%N/%N' 0x%06x/0x%08x", - pen_names, msg_subtype.vendor_id, pa_subtype_names, - msg_subtype.type, msg_subtype.vendor_id, msg_subtype.type); - } - else - { - DBG2(DBG_TNC, "handling PB-PA message type '%N' 0x%06x/0x%08x", - pen_names, msg_subtype.vendor_id, msg_subtype.vendor_id, - msg_subtype.type); - } - - this->send_msg = TRUE; - if (this->is_server) - { - tnc->imvs->receive_message(tnc->imvs, this->connection_id, - excl, msg_body.ptr, msg_body.len, - msg_subtype.vendor_id, - msg_subtype.type, imc_id, imv_id); - } - else - { - tnc->imcs->receive_message(tnc->imcs, this->connection_id, - excl, msg_body.ptr, msg_body.len, - msg_subtype.vendor_id, - msg_subtype.type, imv_id, imc_id); - } - this->send_msg = FALSE; - break; - } - case PB_MSG_ASSESSMENT_RESULT: - { - pb_assessment_result_msg_t *assess_msg; - u_int32_t result; - - assess_msg = (pb_assessment_result_msg_t*)msg; - result = assess_msg->get_assessment_result(assess_msg); - DBG1(DBG_TNC, "PB-TNC assessment result is '%N'", - TNC_IMV_Evaluation_Result_names, result); - break; - } - case PB_MSG_ACCESS_RECOMMENDATION: - { - pb_access_recommendation_msg_t *rec_msg; - pb_access_recommendation_code_t rec; - TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE; - - rec_msg = (pb_access_recommendation_msg_t*)msg; - rec = rec_msg->get_access_recommendation(rec_msg); - DBG1(DBG_TNC, "PB-TNC access recommendation is '%N'", - pb_access_recommendation_code_names, rec); - switch (rec) - { - case PB_REC_ACCESS_ALLOWED: - state = TNC_CONNECTION_STATE_ACCESS_ALLOWED; - break; - case PB_REC_ACCESS_DENIED: - state = TNC_CONNECTION_STATE_ACCESS_NONE; - break; - case PB_REC_QUARANTINED: - state = TNC_CONNECTION_STATE_ACCESS_ISOLATED; - } - tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id, - state); - break; - } - case PB_MSG_REMEDIATION_PARAMETERS: - { - pb_remediation_parameters_msg_t *rem_msg; - pen_type_t parameters_type; - chunk_t parameters, string, lang_code; - - rem_msg = (pb_remediation_parameters_msg_t*)msg; - parameters_type = rem_msg->get_parameters_type(rem_msg); - parameters = rem_msg->get_parameters(rem_msg); - - if (parameters_type.vendor_id == PEN_IETF) - { - switch (parameters_type.type) - { - case PB_REMEDIATION_URI: - DBG1(DBG_TNC, "remediation uri: %.*s", - parameters.len, parameters.ptr); - break; - case PB_REMEDIATION_STRING: - string = rem_msg->get_string(rem_msg, &lang_code); - DBG1(DBG_TNC, "remediation string: [%.*s]\n%.*s", - lang_code.len, lang_code.ptr, - string.len, string.ptr); - break; - default: - DBG1(DBG_TNC, "remediation parameters: %B", ¶meters); - } - } - else - { - DBG1(DBG_TNC, "remediation parameters: %B", ¶meters); - } - break; - } - case PB_MSG_ERROR: - { - pb_error_msg_t *err_msg; - bool fatal; - u_int32_t vendor_id; - u_int16_t error_code; - - err_msg = (pb_error_msg_t*)msg; - fatal = err_msg->get_fatal_flag(err_msg); - vendor_id = err_msg->get_vendor_id(err_msg); - error_code = err_msg->get_error_code(err_msg); - - if (fatal) - { - this->fatal_error = TRUE; - } - - if (vendor_id == PEN_IETF) - { - switch (error_code) - { - case PB_ERROR_INVALID_PARAMETER: - case PB_ERROR_UNSUPPORTED_MANDATORY_MSG: - DBG1(DBG_TNC, "received %s PB-TNC error '%N' " - "(offset %u bytes)", - fatal ? "fatal" : "non-fatal", - pb_tnc_error_code_names, error_code, - err_msg->get_offset(err_msg)); - break; - case PB_ERROR_VERSION_NOT_SUPPORTED: - DBG1(DBG_TNC, "received %s PB-TNC error '%N' " - "caused by bad version 0x%02x", - fatal ? "fatal" : "non-fatal", - pb_tnc_error_code_names, error_code, - err_msg->get_bad_version(err_msg)); - break; - case PB_ERROR_UNEXPECTED_BATCH_TYPE: - case PB_ERROR_LOCAL_ERROR: - default: - DBG1(DBG_TNC, "received %s PB-TNC error '%N'", - fatal ? "fatal" : "non-fatal", - pb_tnc_error_code_names, error_code); - break; - } - } - else - { - DBG1(DBG_TNC, "received %s PB-TNC error (%u) " - "with Vendor ID 0x%06x", - fatal ? "fatal" : "non-fatal", - error_code, vendor_id); - } - break; - } - case PB_MSG_LANGUAGE_PREFERENCE: - { - pb_language_preference_msg_t *lang_msg; - chunk_t lang; - - lang_msg = (pb_language_preference_msg_t*)msg; - lang = lang_msg->get_language_preference(lang_msg); - - if (this->recs) - { - DBG2(DBG_TNC, "setting language preference to '%.*s'", - (int)lang.len, lang.ptr); - this->recs->set_preferred_language(this->recs, lang); - } - break; - } - case PB_MSG_REASON_STRING: - { - pb_reason_string_msg_t *reason_msg; - chunk_t reason_string, language_code; - - reason_msg = (pb_reason_string_msg_t*)msg; - reason_string = reason_msg->get_reason_string(reason_msg); - language_code = reason_msg->get_language_code(reason_msg); - DBG1(DBG_TNC, "reason string is '%.*s' [%.*s]", - (int)reason_string.len, reason_string.ptr, - (int)language_code.len, language_code.ptr); - break; - } - default: - break; - } -} - -/** - * Handle a single PB-TNC TCG standard message according to its type - */ -static void handle_tcg_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg) -{ - pen_type_t msg_type = msg->get_type(msg); - - switch (msg_type.type) - { - case PB_TCG_MSG_PDP_REFERRAL: - { - pb_pdp_referral_msg_t *pdp_msg; - pen_type_t pdp_id_type; - u_int8_t pdp_protocol; - - pdp_msg = (pb_pdp_referral_msg_t*)msg; - pdp_id_type = pdp_msg->get_identifier_type(pdp_msg); - - if (pdp_id_type.vendor_id == PEN_TCG && - pdp_id_type.type == PB_PDP_ID_FQDN) - { - this->pdp_server = chunk_clone(pdp_msg->get_fqdn(pdp_msg, - &pdp_protocol, &this->pdp_port)); - if (pdp_protocol != 0) - { - DBG1(DBG_TNC, "unsupported PDP transport protocol"); - break; - } - DBG1(DBG_TNC, "PDP server '%.*s' is listening on port %u", - this->pdp_server.len, this->pdp_server.ptr, - this->pdp_port); - } - break; - } - default: - break; - } -} - -/** - * Handle a single PB-TNC message according to its type - */ -static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg) -{ - pen_type_t msg_type = msg->get_type(msg); - - switch (msg_type.vendor_id) - { - case PEN_IETF: - handle_ietf_message(this, msg); - break; - case PEN_TCG: - handle_tcg_message(this, msg); - break; - default: - break; - } -} - -/** - * Build a CRETRY or SRETRY batch - */ -static void build_retry_batch(private_tnccs_20_t *this) -{ - pb_tnc_batch_type_t batch_retry_type; - - batch_retry_type = this->is_server ? PB_BATCH_SRETRY : PB_BATCH_CRETRY; - if (this->batch_type == batch_retry_type) - { - /* retry batch has already been selected */ - return; - } - - change_batch_type(this, batch_retry_type); - - if (this->is_server) - { - this->recs->clear_recommendation(this->recs); - tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id, - TNC_CONNECTION_STATE_HANDSHAKE); - } -} - METHOD(tls_t, process, status_t, private_tnccs_20_t *this, void *buf, size_t buflen) { - chunk_t data; pb_tnc_batch_t *batch; - pb_tnc_msg_t *msg; - enumerator_t *enumerator; - identification_t *pdp_server; - u_int16_t *pdp_port; + bool from_server, fatal_header_error = FALSE; status_t status; + chunk_t data; - if (this->is_server && !this->connection_id) + /* On arrival of first batch from TNC client create TNC server */ + if (this->is_server && !this->tnc_server) { - this->connection_id = tnc->tnccs->create_connection(tnc->tnccs, - TNCCS_2_0, (tnccs_t*)this, _send_msg, - &this->request_handshake_retry, - this->max_msg_len, &this->recs); - if (!this->connection_id) + this->tnc_server = tnccs_20_server_create(&this->public, _send_msg, + this->max_batch_len, this->max_msg_len, + this->eap_transport); + if (!this->tnc_server) { return FAILED; } - tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id, - TNC_CONNECTION_STATE_CREATE); - tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id, - TNC_CONNECTION_STATE_HANDSHAKE); - - /* Send a PB-TNC TCG PDP Referral message if PDP is known */ - pdp_server = (identification_t*)lib->get(lib, "pt-tls-server"); - pdp_port = (u_int16_t*)lib->get(lib, "pt-tls-port"); - - if ((this->transport == TNC_IFT_EAP_1_1 || - this->transport == TNC_IFT_EAP_2_0) && pdp_server && pdp_port) - { - msg = pb_pdp_referral_msg_create_from_fqdn( - pdp_server->get_encoding(pdp_server), *pdp_port); - this->messages->insert_last(this->messages, msg); - } - + this->tnccs_handler = this->tnc_server; + this->tnccs_handler->begin_handshake(this->tnccs_handler, FALSE); } data = chunk_create(buf, buflen); - DBG1(DBG_TNC, "received TNCCS batch (%u bytes) for Connection ID %u", - data.len, this->connection_id); + DBG1(DBG_TNC, "received TNCCS batch (%u bytes)", data.len); DBG3(DBG_TNC, "%B", &data); - batch = pb_tnc_batch_create_from_data(this->is_server, data); - status = batch->process(batch, this->state_machine); - if (status != FAILED) + /* Parse the header of the received PB-TNC batch */ + batch = pb_tnc_batch_create_from_data(data); + status = batch->process_header(batch, !this->mutual, this->is_server, + &from_server); + if (status == FAILED) { - enumerator_t *enumerator; - pb_tnc_msg_t *msg; - pb_tnc_batch_type_t batch_type; - bool empty = TRUE; - - batch_type = batch->get_type(batch); - - if (batch_type == PB_BATCH_CRETRY) - { - /* Send an SRETRY batch in response */ - this->mutex->lock(this->mutex); - build_retry_batch(this); - this->mutex->unlock(this->mutex); - } - else if (batch_type == PB_BATCH_SRETRY) - { - /* Restart the measurements */ - tnc->imcs->notify_connection_change(tnc->imcs, - this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE); - this->send_msg = TRUE; - tnc->imcs->begin_handshake(tnc->imcs, this->connection_id); - this->send_msg = FALSE; - } - - enumerator = batch->create_msg_enumerator(batch); - while (enumerator->enumerate(enumerator, &msg)) - { - handle_message(this, msg); - empty = FALSE; - } - enumerator->destroy(enumerator); + fatal_header_error = TRUE; + status = VERIFY_ERROR; + } + this->to_server = this->mutual ? from_server : !this->is_server; - /* received an empty CLOSE batch from PB-TNC client */ - if (this->is_server && batch_type == PB_BATCH_CLOSE && empty) + /* In the mutual case, first batch from TNC server requires a TNC client */ + if (this->to_server && !this->tnc_client) + { + this->tnc_client = tnccs_20_client_create(&this->public, _send_msg, + this->max_batch_len, this->max_msg_len); + if (!this->tnc_client) { batch->destroy(batch); - if (this->fatal_error) - { - DBG1(DBG_TNC, "a fatal PB-TNC error occurred, " - "terminating connection"); - return FAILED; - } - else - { - return SUCCESS; - } - } - - this->send_msg = TRUE; - if (this->is_server) - { - tnc->imvs->batch_ending(tnc->imvs, this->connection_id); - } - else - { - tnc->imcs->batch_ending(tnc->imcs, this->connection_id); + return FAILED; } - this->send_msg = FALSE; + this->tnccs_handler = this->tnc_client; + this->tnccs_handler->begin_handshake(this->tnccs_handler, this->mutual); } + else + { + /* Set active TNCCS handler for processing */ + this->tnccs_handler = this->to_server ? this->tnc_client : + this->tnc_server; + } + DBG2(DBG_TNC, "TNC %s is handling inbound connection", + this->to_server ? "client" : "server"); - switch (status) + if (status == SUCCESS) { - case FAILED: - this->fatal_error = TRUE; - this->mutex->lock(this->mutex); - change_batch_type(this, PB_BATCH_CLOSE); - this->mutex->unlock(this->mutex); - /* fall through to add error messages to outbound batch */ - case VERIFY_ERROR: - enumerator = batch->create_error_enumerator(batch); - while (enumerator->enumerate(enumerator, &msg)) - { - this->mutex->lock(this->mutex); - this->messages->insert_last(this->messages, msg->get_ref(msg)); - this->mutex->unlock(this->mutex); - } - enumerator->destroy(enumerator); - break; - case SUCCESS: - default: - break; + status = this->tnccs_handler->process(this->tnccs_handler, batch); + } + if (status == VERIFY_ERROR) + { + this->tnccs_handler->handle_errors(this->tnccs_handler, batch, + fatal_header_error); + status = NEED_MORE; } batch->destroy(batch); - return NEED_MORE; -} + /* Has a mutual connection been established? */ + this->mutual = this->is_server ? + this->tnc_server->get_mutual(this->tnc_server) : + this->tnc_client->get_mutual(this->tnc_client); -/** - * Build a RESULT batch if a final recommendation is available - */ -static void check_and_build_recommendation(private_tnccs_20_t *this) -{ - TNC_IMV_Action_Recommendation rec; - TNC_IMV_Evaluation_Result eval; - TNC_ConnectionState state; - TNC_IMVID id; - chunk_t reason, language; - enumerator_t *enumerator; - pb_tnc_msg_t *msg; - pb_access_recommendation_code_t pb_rec; - - if (!this->recs->have_recommendation(this->recs, &rec, &eval)) - { - tnc->imvs->solicit_recommendation(tnc->imvs, this->connection_id); - } - if (this->recs->have_recommendation(this->recs, &rec, &eval)) + if (this->mutual && !this->is_server) { - this->batch_type = PB_BATCH_RESULT; + pb_tnc_state_t client_state, server_state; - msg = pb_assessment_result_msg_create(eval); - this->messages->insert_last(this->messages, msg); + client_state = !this->tnc_client ? PB_STATE_INIT : + this->tnc_client->get_state(this->tnc_client); + server_state = !this->tnc_server ? PB_STATE_INIT : + this->tnc_server->get_state(this->tnc_server); - /** - * Map IMV Action Recommendation codes to PB Access Recommendation codes - * and communicate Access Recommendation to IMVs - */ - switch (rec) + /* In half-duplex mutual mode toggle the direction on the client side */ + if ((!this->to_server && client_state != PB_STATE_DECIDED) || + ( this->to_server && server_state != PB_STATE_END)) { - case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: - state = TNC_CONNECTION_STATE_ACCESS_ALLOWED; - pb_rec = PB_REC_ACCESS_ALLOWED; - break; - case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: - state = TNC_CONNECTION_STATE_ACCESS_ISOLATED; - pb_rec = PB_REC_QUARANTINED; - break; - case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: - case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: - default: - state = TNC_CONNECTION_STATE_ACCESS_NONE; - pb_rec = PB_REC_ACCESS_DENIED; + this->to_server = !this->to_server; + } + else if (client_state == PB_STATE_DECIDED && + server_state == PB_STATE_END) + { + /* Cause the final CLOSE batch to be sent to the TNC server */ + this->to_server = TRUE; } - tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id, - state); - - msg = pb_access_recommendation_msg_create(pb_rec); - this->messages->insert_last(this->messages, msg); - enumerator = this->recs->create_reason_enumerator(this->recs); - while (enumerator->enumerate(enumerator, &id, &reason, &language)) + /* Suppress a successful CLOSE batch coming from the TNC server */ + if (status == SUCCESS) { - msg = pb_reason_string_msg_create(reason, language); - this->messages->insert_last(this->messages, msg); + status = NEED_MORE; } - enumerator->destroy(enumerator); } + + return status; } METHOD(tls_t, build, status_t, private_tnccs_20_t *this, void *buf, size_t *buflen, size_t *msglen) { - status_t status; - pb_tnc_state_t state; - - /* Initialize the connection */ - if (!this->is_server && !this->connection_id) - { - pb_tnc_msg_t *msg; - char *pref_lang; - - this->connection_id = tnc->tnccs->create_connection(tnc->tnccs, - TNCCS_2_0, (tnccs_t*)this, _send_msg, - &this->request_handshake_retry, - this->max_msg_len, NULL); - if (!this->connection_id) - { - return FAILED; - } - - /* Create PB-TNC Language Preference message */ - pref_lang = tnc->imcs->get_preferred_language(tnc->imcs); - msg = pb_language_preference_msg_create(chunk_create(pref_lang, - strlen(pref_lang))); - this->mutex->lock(this->mutex); - this->batch_type = PB_BATCH_CDATA; - this->messages->insert_last(this->messages, msg); - this->mutex->unlock(this->mutex); - - tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id, - TNC_CONNECTION_STATE_CREATE); - tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id, - TNC_CONNECTION_STATE_HANDSHAKE); - this->send_msg = TRUE; - tnc->imcs->begin_handshake(tnc->imcs, this->connection_id); - this->send_msg = FALSE; - } - - state = this->state_machine->get_state(this->state_machine); - - if (this->fatal_error && state == PB_STATE_END) - { - DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection"); - return FAILED; - } - - /* Do not allow any asynchronous IMCs or IMVs to add additional messages */ - this->mutex->lock(this->mutex); - - if (this->request_handshake_retry) - { - if (state != PB_STATE_INIT) - { - build_retry_batch(this); - } - - /* Reset the flag for the next handshake retry request */ - this->request_handshake_retry = FALSE; - } - - if (this->is_server && state == PB_STATE_SERVER_WORKING && - this->recs->have_recommendation(this->recs, NULL, NULL)) + if (this->to_server) { - check_and_build_recommendation(this); - } + DBG2(DBG_TNC, "TNC client is handling outbound connection"); - if (this->batch_type == PB_BATCH_NONE) - { - if (this->is_server) + /* Before sending the first PB-TNC batch create TNC client */ + if (this->tnc_client) { - if (state == PB_STATE_SERVER_WORKING) - { - if (this->state_machine->get_empty_cdata(this->state_machine)) - { - check_and_build_recommendation(this); - } - else - { - DBG2(DBG_TNC, "no recommendation available yet, " - "sending empty PB-TNC SDATA batch"); - this->batch_type = PB_BATCH_SDATA; - } - } + this->tnccs_handler = this->tnc_client; } else { - switch (state) + this->tnc_client = tnccs_20_client_create(&this->public, _send_msg, + this->max_batch_len, + this->max_msg_len); + if (!this->tnc_client) { - case PB_STATE_CLIENT_WORKING: - DBG2(DBG_TNC, "no client data to send, " - "sending empty PB-TNC CDATA batch"); - this->batch_type = PB_BATCH_CDATA; - break; - case PB_STATE_DECIDED: - /** - * In the DECIDED state and if no CRETRY is under way, - * a PB-TNC client replies with an empty CLOSE batch. - */ - this->batch_type = PB_BATCH_CLOSE; - break; - default: - break; + return FAILED; } + this->tnccs_handler = this->tnc_client; + this->tnccs_handler->begin_handshake(this->tnccs_handler, + this->mutual); } } - - if (this->batch_type != PB_BATCH_NONE) + else { - pb_tnc_batch_t *batch; - pb_tnc_msg_t *msg; - chunk_t data; - int msg_count; - enumerator_t *enumerator; + DBG2(DBG_TNC, "TNC server is handling outbound connection"); - if (this->state_machine->send_batch(this->state_machine, this->batch_type)) + /* Before sending the first PB-TNC batch create TNC server */ + if (this->tnc_server) { - batch = pb_tnc_batch_create(this->is_server, this->batch_type, - min(this->max_batch_len, *buflen)); - - enumerator = this->messages->create_enumerator(this->messages); - while (enumerator->enumerate(enumerator, &msg)) - { - if (batch->add_msg(batch, msg)) - { - this->messages->remove_at(this->messages, enumerator); - } - else - { - break; - } - } - enumerator->destroy(enumerator); - - batch->build(batch); - data = batch->get_encoding(batch); - DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u", - pb_tnc_batch_type_names, this->batch_type, data.len, - this->connection_id); - DBG3(DBG_TNC, "%B", &data); - - *buflen = data.len; - *msglen = 0; - memcpy(buf, data.ptr, *buflen); - batch->destroy(batch); - - msg_count = this->messages->get_count(this->messages); - if (msg_count) - { - DBG2(DBG_TNC, "queued %d PB-TNC message%s for next %N batch", - msg_count, (msg_count == 1) ? "" : "s", - pb_tnc_batch_type_names, this->batch_type); - } - else - { - this->batch_type = PB_BATCH_NONE; - } - - status = ALREADY_DONE; + this->tnccs_handler = this->tnc_server; } else { - change_batch_type(this, PB_BATCH_NONE); - status = INVALID_STATE; + this->tnc_server = tnccs_20_server_create(&this->public, _send_msg, + this->max_batch_len, this->max_msg_len, + this->eap_transport); + if (!this->tnc_server) + { + return FAILED; + } + this->tnccs_handler = this->tnc_server; + this->tnccs_handler->begin_handshake(this->tnccs_handler, + this->mutual); } } - else - { - DBG1(DBG_TNC, "no PB-TNC batch to send"); - status = INVALID_STATE; - } - this->mutex->unlock(this->mutex); - - return status; + return this->tnccs_handler->build(this->tnccs_handler, buf, buflen, msglen); } METHOD(tls_t, is_server, bool, @@ -923,20 +337,20 @@ METHOD(tls_t, is_server, bool, METHOD(tls_t, get_server_id, identification_t*, private_tnccs_20_t *this) { - return this->server; + return this->server_id; } METHOD(tls_t, set_peer_id, void, private_tnccs_20_t *this, identification_t *id) { - DESTROY_IF(this->peer); - this->peer = id->clone(id); + DESTROY_IF(this->peer_id); + this->peer_id = id->clone(id); } METHOD(tls_t, get_peer_id, identification_t*, private_tnccs_20_t *this) { - return this->peer; + return this->peer_id; } METHOD(tls_t, get_purpose, tls_purpose_t, @@ -951,14 +365,17 @@ METHOD(tls_t, is_complete, bool, TNC_IMV_Action_Recommendation rec; TNC_IMV_Evaluation_Result eval; - if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval)) + if (this->tnc_server) { - return this->callback ? this->callback(rec, eval) : TRUE; - } - else - { - return FALSE; + tnccs_20_server_t *tnc_server; + + tnc_server = (tnccs_20_server_t*)this->tnc_server; + if (tnc_server->have_recommendation(tnc_server, &rec, &eval)) + { + return this->callback ? this->callback(rec, eval) : TRUE; + } } + return FALSE; } METHOD(tls_t, get_eap_msk, chunk_t, @@ -972,19 +389,28 @@ METHOD(tls_t, destroy, void, { if (ref_put(&this->ref)) { - tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id, - this->is_server); - this->server->destroy(this->server); - this->peer->destroy(this->peer); - this->state_machine->destroy(this->state_machine); - this->mutex->destroy(this->mutex); - this->messages->destroy_offset(this->messages, - offsetof(pb_tnc_msg_t, destroy)); - free(this->pdp_server.ptr); + DESTROY_IF(this->tnc_server); + DESTROY_IF(this->tnc_client); + this->server_id->destroy(this->server_id); + this->peer_id->destroy(this->peer_id); + this->server_ip->destroy(this->server_ip); + this->peer_ip->destroy(this->peer_ip); free(this); } } +METHOD(tnccs_t, get_server_ip, host_t*, + private_tnccs_20_t *this) +{ + return this->server_ip; +} + +METHOD(tnccs_t, get_peer_ip, host_t*, + private_tnccs_20_t *this) +{ + return this->peer_ip; +} + METHOD(tnccs_t, get_transport, tnc_ift_type_t, private_tnccs_20_t *this) { @@ -1012,9 +438,19 @@ METHOD(tnccs_t, set_auth_type, void, METHOD(tnccs_t, get_pdp_server, chunk_t, private_tnccs_20_t *this, u_int16_t *port) { - *port = this->pdp_port; + if (this->tnc_client) + { + tnccs_20_client_t *tnc_client; + + tnc_client = (tnccs_20_client_t*)this->tnc_client; - return this->pdp_server; + return tnc_client->get_pdp_server(tnc_client, port); + } + else + { + *port = 0; + return chunk_empty; + } } METHOD(tnccs_t, get_ref, tnccs_t*, @@ -1027,9 +463,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*, /** * See header */ -tnccs_t* tnccs_20_create(bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb) +tnccs_t* tnccs_20_create(bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb) { private_tnccs_20_t *this; size_t max_batch_size, default_max_batch_size; @@ -1079,6 +516,8 @@ tnccs_t* tnccs_20_create(bool is_server, .get_eap_msk = _get_eap_msk, .destroy = _destroy, }, + .get_server_ip = _get_server_ip, + .get_peer_ip = _get_peer_ip, .get_transport = _get_transport, .set_transport = _set_transport, .get_auth_type = _get_auth_type, @@ -1087,13 +526,15 @@ tnccs_t* tnccs_20_create(bool is_server, .get_ref = _get_ref, }, .is_server = is_server, - .server = server->clone(server), - .peer = peer->clone(peer), + .to_server = !is_server, + .server_id = server_id->clone(server_id), + .peer_id = peer_id->clone(peer_id), + .server_ip = server_ip->clone(server_ip), + .peer_ip = peer_ip->clone(peer_ip), .transport = transport, + .eap_transport = transport == TNC_IFT_EAP_1_1 || + transport == TNC_IFT_EAP_2_0, .callback = cb, - .state_machine = pb_tnc_state_machine_create(is_server), - .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .messages = linked_list_create(), .max_batch_len = max_batch_size, .max_msg_len = max_message_size, .ref = 1, diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.h b/src/libtnccs/plugins/tnccs_20/tnccs_20.h index 2857b1408..010cbecdc 100644 --- a/src/libtnccs/plugins/tnccs_20/tnccs_20.h +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -29,14 +29,17 @@ * Create an instance of the TNC IF-TNCCS 2.0 protocol handler. * * @param is_server TRUE to act as TNC Server, FALSE for TNC Client - * @param server Server identity - * @param peer Client identity + * @param server_id Server identity + * @param peer_id Client identity + * @param server_ip Server IP address + * @param peer_ip Client IP address * @param transport Underlying IF-T transport protocol * @param cb Callback function if TNC Server, NULL if TNC Client * @return TNC_IF_TNCCS 2.0 protocol stack */ -tnccs_t* tnccs_20_create(bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb); +tnccs_t* tnccs_20_create(bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb); #endif /** TNCCS_20_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c new file mode 100644 index 000000000..4ba8221d0 --- /dev/null +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c @@ -0,0 +1,820 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_20_client.h" +#include "messages/pb_tnc_msg.h" +#include "messages/ietf/pb_pa_msg.h" +#include "messages/ietf/pb_error_msg.h" +#include "messages/ietf/pb_assessment_result_msg.h" +#include "messages/ietf/pb_access_recommendation_msg.h" +#include "messages/ietf/pb_remediation_parameters_msg.h" +#include "messages/ietf/pb_reason_string_msg.h" +#include "messages/ietf/pb_language_preference_msg.h" +#include "messages/ita/pb_mutual_capability_msg.h" +#include "messages/ita/pb_noskip_test_msg.h" +#include "messages/tcg/pb_pdp_referral_msg.h" +#include "state_machine/pb_tnc_state_machine.h" + +#include +#include + +#include +#include +#include + +#include +#include +#include +#include + +typedef struct private_tnccs_20_client_t private_tnccs_20_client_t; + +/** + * Private data of a tnccs_20_client_t object. + */ +struct private_tnccs_20_client_t { + + /** + * Public tnccs_20_client_t interface. + */ + tnccs_20_client_t public; + + /** + * PB-TNC State Machine + */ + pb_tnc_state_machine_t *state_machine; + + /** + * Connection ID assigned to this TNCCS connection + */ + TNC_ConnectionID connection_id; + + /** + * PB-TNC messages to be sent + */ + linked_list_t *messages; + + /** + * Type of PB-TNC batch being constructed + */ + pb_tnc_batch_type_t batch_type; + + /** + * Maximum PB-TNC batch size + */ + size_t max_batch_len; + + /** + * Mutex locking the batch in construction + */ + mutex_t *mutex; + + /** + * Flag set while processing + */ + bool fatal_error; + + /** + * Flag set by IMC RequestHandshakeRetry() function + */ + bool request_handshake_retry; + + /** + * SendMessage() by IMC only allowed if flag is set + */ + bool send_msg; + + /** + * PDP server FQDN + */ + chunk_t pdp_server; + + /** + * PDP server port + */ + u_int16_t pdp_port; + + /** + * Mutual PB-TNC protocol enabled + */ + bool mutual; + + /** + * Mutual Capability message sent + */ + bool sent_mutual_capability; + +}; + +/** + * The following two functions are shared with the tnccs_20_server class + */ +void tnccs_20_handle_ietf_error_msg(pb_tnc_msg_t *msg, bool *fatal_error) +{ + pb_error_msg_t *err_msg; + u_int32_t vendor_id; + u_int16_t error_code; + bool fatal; + + err_msg = (pb_error_msg_t*)msg; + fatal = err_msg->get_fatal_flag(err_msg); + vendor_id = err_msg->get_vendor_id(err_msg); + error_code = err_msg->get_error_code(err_msg); + + if (fatal) + { + *fatal_error = TRUE; + } + + if (vendor_id == PEN_IETF) + { + switch (error_code) + { + case PB_ERROR_INVALID_PARAMETER: + case PB_ERROR_UNSUPPORTED_MANDATORY_MSG: + DBG1(DBG_TNC, "received %s PB-TNC error '%N' (offset %u bytes)", + fatal ? "fatal" : "non-fatal", + pb_tnc_error_code_names, error_code, + err_msg->get_offset(err_msg)); + break; + case PB_ERROR_VERSION_NOT_SUPPORTED: + DBG1(DBG_TNC, "received %s PB-TNC error '%N' " + "caused by bad version 0x%02x", + fatal ? "fatal" : "non-fatal", + pb_tnc_error_code_names, error_code, + err_msg->get_bad_version(err_msg)); + break; + case PB_ERROR_UNEXPECTED_BATCH_TYPE: + case PB_ERROR_LOCAL_ERROR: + default: + DBG1(DBG_TNC, "received %s PB-TNC error '%N'", + fatal ? "fatal" : "non-fatal", + pb_tnc_error_code_names, error_code); + break; + } + } + else + { + DBG1(DBG_TNC, "received %s PB-TNC error (%u) with Vendor ID 0x%06x", + fatal ? "fatal" : "non-fatal", error_code, vendor_id); + } +} + +bool tnccs_20_handle_ita_mutual_capability_msg(pb_tnc_msg_t *msg) +{ + pb_mutual_capability_msg_t *mutual_msg; + uint32_t protocols; + + if (!lib->settings->get_bool(lib->settings, + "%s.plugins.tnccs-20.mutual", FALSE, lib->ns)) + { + /* PB-TNC mutual capability disabled, ignore message */ + return FALSE; + } + + mutual_msg = (pb_mutual_capability_msg_t*)msg; + protocols = mutual_msg->get_protocols(mutual_msg); + + if (protocols & PB_MUTUAL_HALF_DUPLEX) + { + DBG1(DBG_TNC, "activating mutual PB-TNC %N protocol", + pb_tnc_mutual_protocol_type_names, PB_MUTUAL_HALF_DUPLEX); + return TRUE; + } + + return FALSE; +} + +/** + * If the batch type changes then delete all accumulated PB-TNC messages + */ +static void change_batch_type(private_tnccs_20_client_t *this, + pb_tnc_batch_type_t batch_type) +{ + pb_tnc_msg_t *msg; + + if (batch_type != this->batch_type) + { + if (this->batch_type != PB_BATCH_NONE) + { + DBG1(DBG_TNC, "cancelling PB-TNC %N batch", + pb_tnc_batch_type_names, this->batch_type); + + while (this->messages->remove_last(this->messages, + (void**)&msg) == SUCCESS) + { + msg->destroy(msg); + } + } + this->batch_type = batch_type; + } +} + +/** + * Handle a single PB-TNC IETF standard message according to its type + */ +static void handle_ietf_message(private_tnccs_20_client_t *this, pb_tnc_msg_t *msg) +{ + pen_type_t msg_type = msg->get_type(msg); + + switch (msg_type.type) + { + case PB_MSG_EXPERIMENTAL: + /* nothing to do */ + break; + case PB_MSG_PA: + { + pb_pa_msg_t *pa_msg; + pen_type_t msg_subtype; + u_int16_t imc_id, imv_id; + chunk_t msg_body; + bool excl; + enum_name_t *pa_subtype_names; + + pa_msg = (pb_pa_msg_t*)msg; + msg_subtype = pa_msg->get_subtype(pa_msg); + msg_body = pa_msg->get_body(pa_msg); + imc_id = pa_msg->get_collector_id(pa_msg); + imv_id = pa_msg->get_validator_id(pa_msg); + excl = pa_msg->get_exclusive_flag(pa_msg); + + pa_subtype_names = get_pa_subtype_names(msg_subtype.vendor_id); + if (pa_subtype_names) + { + DBG2(DBG_TNC, "handling PB-PA message type '%N/%N' 0x%06x/0x%08x", + pen_names, msg_subtype.vendor_id, pa_subtype_names, + msg_subtype.type, msg_subtype.vendor_id, msg_subtype.type); + } + else + { + DBG2(DBG_TNC, "handling PB-PA message type '%N' 0x%06x/0x%08x", + pen_names, msg_subtype.vendor_id, msg_subtype.vendor_id, + msg_subtype.type); + } + this->send_msg = TRUE; + tnc->imcs->receive_message(tnc->imcs, this->connection_id, + excl, msg_body.ptr, msg_body.len, + msg_subtype.vendor_id, + msg_subtype.type, imv_id, imc_id); + this->send_msg = FALSE; + break; + } + case PB_MSG_ASSESSMENT_RESULT: + { + pb_assessment_result_msg_t *assess_msg; + u_int32_t result; + + assess_msg = (pb_assessment_result_msg_t*)msg; + result = assess_msg->get_assessment_result(assess_msg); + DBG1(DBG_TNC, "PB-TNC assessment result is '%N'", + TNC_IMV_Evaluation_Result_names, result); + break; + } + case PB_MSG_ACCESS_RECOMMENDATION: + { + pb_access_recommendation_msg_t *rec_msg; + pb_access_recommendation_code_t rec; + TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE; + + rec_msg = (pb_access_recommendation_msg_t*)msg; + rec = rec_msg->get_access_recommendation(rec_msg); + DBG1(DBG_TNC, "PB-TNC access recommendation is '%N'", + pb_access_recommendation_code_names, rec); + switch (rec) + { + case PB_REC_ACCESS_ALLOWED: + state = TNC_CONNECTION_STATE_ACCESS_ALLOWED; + break; + case PB_REC_ACCESS_DENIED: + state = TNC_CONNECTION_STATE_ACCESS_NONE; + break; + case PB_REC_QUARANTINED: + state = TNC_CONNECTION_STATE_ACCESS_ISOLATED; + } + tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id, + state); + break; + } + case PB_MSG_REMEDIATION_PARAMETERS: + { + pb_remediation_parameters_msg_t *rem_msg; + pen_type_t parameters_type; + chunk_t parameters, string, lang_code; + + rem_msg = (pb_remediation_parameters_msg_t*)msg; + parameters_type = rem_msg->get_parameters_type(rem_msg); + parameters = rem_msg->get_parameters(rem_msg); + + if (parameters_type.vendor_id == PEN_IETF) + { + switch (parameters_type.type) + { + case PB_REMEDIATION_URI: + DBG1(DBG_TNC, "remediation uri: %.*s", + parameters.len, parameters.ptr); + break; + case PB_REMEDIATION_STRING: + string = rem_msg->get_string(rem_msg, &lang_code); + DBG1(DBG_TNC, "remediation string: [%.*s]\n%.*s", + lang_code.len, lang_code.ptr, + string.len, string.ptr); + break; + default: + DBG1(DBG_TNC, "remediation parameters: %B", ¶meters); + } + } + else + { + DBG1(DBG_TNC, "remediation parameters: %B", ¶meters); + } + break; + } + case PB_MSG_ERROR: + tnccs_20_handle_ietf_error_msg(msg, &this->fatal_error); + break; + case PB_MSG_REASON_STRING: + { + pb_reason_string_msg_t *reason_msg; + chunk_t reason_string, language_code; + + reason_msg = (pb_reason_string_msg_t*)msg; + reason_string = reason_msg->get_reason_string(reason_msg); + language_code = reason_msg->get_language_code(reason_msg); + DBG1(DBG_TNC, "reason string is '%.*s' [%.*s]", + (int)reason_string.len, reason_string.ptr, + (int)language_code.len, language_code.ptr); + break; + } + default: + break; + } +} + +/** + * Handle a single PB-TNC TCG standard message according to its type + */ +static void handle_tcg_message(private_tnccs_20_client_t *this, pb_tnc_msg_t *msg) +{ + pen_type_t msg_type = msg->get_type(msg); + + switch (msg_type.type) + { + case PB_TCG_MSG_PDP_REFERRAL: + { + pb_pdp_referral_msg_t *pdp_msg; + pen_type_t pdp_id_type; + u_int8_t pdp_protocol; + + pdp_msg = (pb_pdp_referral_msg_t*)msg; + pdp_id_type = pdp_msg->get_identifier_type(pdp_msg); + + if (pdp_id_type.vendor_id == PEN_TCG && + pdp_id_type.type == PB_PDP_ID_FQDN) + { + this->pdp_server = chunk_clone(pdp_msg->get_fqdn(pdp_msg, + &pdp_protocol, &this->pdp_port)); + if (pdp_protocol != 0) + { + DBG1(DBG_TNC, "unsupported PDP transport protocol"); + break; + } + DBG1(DBG_TNC, "PDP server '%.*s' is listening on port %u", + this->pdp_server.len, this->pdp_server.ptr, + this->pdp_port); + } + break; + } + default: + break; + } +} + +/** + * Handle a single PB-TNC ITA standard message according to its type + */ +static void handle_ita_message(private_tnccs_20_client_t *this, pb_tnc_msg_t *msg) +{ + pen_type_t msg_type = msg->get_type(msg); + + switch (msg_type.type) + { + case PB_ITA_MSG_MUTUAL_CAPABILITY: + this->mutual = tnccs_20_handle_ita_mutual_capability_msg(msg); + break; + default: + break; + } +} + +/** + * Handle a single PB-TNC message according to its type + */ +static void handle_message(private_tnccs_20_client_t *this, pb_tnc_msg_t *msg) +{ + pen_type_t msg_type = msg->get_type(msg); + + switch (msg_type.vendor_id) + { + case PEN_IETF: + handle_ietf_message(this, msg); + break; + case PEN_TCG: + handle_tcg_message(this, msg); + break; + case PEN_ITA: + handle_ita_message(this, msg); + break; + default: + break; + } +} + +/** + * Build a CRETRY batch + */ +static void build_retry_batch(private_tnccs_20_client_t *this) +{ + if (this->batch_type == PB_BATCH_CRETRY) + { + /* retry batch has already been selected */ + return; + } + change_batch_type(this, PB_BATCH_CRETRY); +} + +METHOD(tnccs_20_handler_t, process, status_t, + private_tnccs_20_client_t *this, pb_tnc_batch_t *batch) +{ + pb_tnc_batch_type_t batch_type; + status_t status; + + batch_type = batch->get_type(batch); + + DBG1(DBG_TNC, "processing PB-TNC %N batch for Connection ID %d", + pb_tnc_batch_type_names, batch_type, this->connection_id); + + status = batch->process(batch, this->state_machine); + + if (status != FAILED) + { + enumerator_t *enumerator; + pb_tnc_msg_t *msg; + bool empty = TRUE; + + if (batch_type == PB_BATCH_SRETRY) + { + /* Restart the measurements */ + tnc->imcs->notify_connection_change(tnc->imcs, + this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE); + this->send_msg = TRUE; + tnc->imcs->begin_handshake(tnc->imcs, this->connection_id); + this->send_msg = FALSE; + } + + enumerator = batch->create_msg_enumerator(batch); + while (enumerator->enumerate(enumerator, &msg)) + { + handle_message(this, msg); + empty = FALSE; + } + enumerator->destroy(enumerator); + + /* received a CLOSE batch from PB-TNC server */ + if (batch_type == PB_BATCH_CLOSE) + { + return empty ? SUCCESS : FAILED; + } + + this->send_msg = TRUE; + tnc->imcs->batch_ending(tnc->imcs, this->connection_id); + this->send_msg = FALSE; + } + + switch (status) + { + case FAILED: + this->fatal_error = TRUE; + status = VERIFY_ERROR; + break; + case VERIFY_ERROR: + break; + case SUCCESS: + default: + status = NEED_MORE; + break; + } + + return status; +} + +METHOD(tnccs_20_handler_t, build, status_t, + private_tnccs_20_client_t *this, void *buf, size_t *buflen, size_t *msglen) +{ + status_t status; + pb_tnc_state_t state; + + state = this->state_machine->get_state(this->state_machine); + + if (this->fatal_error && state == PB_STATE_END) + { + DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection"); + return FAILED; + } + + /* Do not allow any asynchronous IMCs to add additional messages */ + this->mutex->lock(this->mutex); + + if (this->request_handshake_retry) + { + if (state != PB_STATE_INIT) + { + build_retry_batch(this); + } + + /* Reset the flag for the next handshake retry request */ + this->request_handshake_retry = FALSE; + } + + if (this->batch_type == PB_BATCH_NONE) + { + switch (state) + { + case PB_STATE_CLIENT_WORKING: + DBG2(DBG_TNC, "no client data to send, " + "sending empty PB-TNC CDATA batch"); + this->batch_type = PB_BATCH_CDATA; + break; + case PB_STATE_DECIDED: + /** + * In the DECIDED state and if no CRETRY is under way, + * a PB-TNC client replies with an empty CLOSE batch. + */ + this->batch_type = PB_BATCH_CLOSE; + break; + default: + break; + } + } + + if (this->batch_type != PB_BATCH_NONE) + { + pb_tnc_batch_t *batch; + pb_tnc_msg_t *msg; + chunk_t data; + int msg_count; + enumerator_t *enumerator; + + if (this->state_machine->send_batch(this->state_machine, this->batch_type)) + { + batch = pb_tnc_batch_create(FALSE, this->batch_type, + min(this->max_batch_len, *buflen)); + + enumerator = this->messages->create_enumerator(this->messages); + while (enumerator->enumerate(enumerator, &msg)) + { + if (batch->add_msg(batch, msg)) + { + this->messages->remove_at(this->messages, enumerator); + } + else + { + break; + } + } + enumerator->destroy(enumerator); + + batch->build(batch); + data = batch->get_encoding(batch); + DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u", + pb_tnc_batch_type_names, this->batch_type, data.len, + this->connection_id); + DBG3(DBG_TNC, "%B", &data); + + *buflen = data.len; + *msglen = 0; + memcpy(buf, data.ptr, *buflen); + batch->destroy(batch); + + msg_count = this->messages->get_count(this->messages); + if (msg_count) + { + DBG2(DBG_TNC, "queued %d PB-TNC message%s for next %N batch", + msg_count, (msg_count == 1) ? "" : "s", + pb_tnc_batch_type_names, this->batch_type); + } + else + { + this->batch_type = PB_BATCH_NONE; + } + + status = ALREADY_DONE; + } + else + { + change_batch_type(this, PB_BATCH_NONE); + status = INVALID_STATE; + } + } + else + { + DBG1(DBG_TNC, "no PB-TNC batch to send"); + status = INVALID_STATE; + } + this->mutex->unlock(this->mutex); + + return status; +} + +METHOD(tnccs_20_handler_t, begin_handshake, void, + private_tnccs_20_client_t *this, bool mutual) +{ + pb_tnc_msg_t *msg; + char *pref_lang; + + tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id, + TNC_CONNECTION_STATE_HANDSHAKE); + + /* Announce PB-TNC Mutual Capability if activated */ + this->sent_mutual_capability = mutual; + + if (!mutual && lib->settings->get_bool(lib->settings, + "%s.plugins.tnccs-20.mutual", FALSE, lib->ns)) + { + pb_tnc_mutual_protocol_type_t protocols; + + protocols = PB_MUTUAL_HALF_DUPLEX; + DBG2(DBG_TNC, "proposing PB-TNC mutual %N protocol", + pb_tnc_mutual_protocol_type_names, PB_MUTUAL_HALF_DUPLEX); + msg = pb_mutual_capability_msg_create(protocols); + this->mutex->lock(this->mutex); + this->messages->insert_last(this->messages, msg); + this->mutex->unlock(this->mutex); + this->sent_mutual_capability = TRUE; + } + + /* Create PB-TNC Language Preference message */ + pref_lang = tnc->imcs->get_preferred_language(tnc->imcs); + msg = pb_language_preference_msg_create(chunk_create(pref_lang, + strlen(pref_lang))); + this->mutex->lock(this->mutex); + this->messages->insert_last(this->messages, msg); + this->mutex->unlock(this->mutex); + + this->send_msg = TRUE; + tnc->imcs->begin_handshake(tnc->imcs, this->connection_id); + this->send_msg = FALSE; + + /* Send a PB-Noskip-Test message for testing purposes */ + if (lib->settings->get_bool(lib->settings, + "%s.plugins.tnccs-20.tests.pb_tnc_noskip", FALSE, lib->ns)) + { + msg = pb_noskip_test_msg_create(); + this->mutex->lock(this->mutex); + this->messages->insert_last(this->messages, msg); + this->mutex->unlock(this->mutex); + } +} + +METHOD(tnccs_20_handler_t, get_send_flag, bool, + private_tnccs_20_client_t *this) +{ + return this->send_msg; +} + +METHOD(tnccs_20_handler_t, get_mutual, bool, + private_tnccs_20_client_t *this) +{ + return this->mutual; +} + +METHOD(tnccs_20_handler_t, get_state, pb_tnc_state_t, + private_tnccs_20_client_t *this) +{ + return this->state_machine->get_state(this->state_machine); +} + +METHOD(tnccs_20_handler_t, add_msg, void, + private_tnccs_20_client_t *this, pb_tnc_msg_t *msg) +{ + /* adding PA message to CDATA batch only */ + this->mutex->lock(this->mutex); + if (this->batch_type == PB_BATCH_NONE) + { + this->batch_type = PB_BATCH_CDATA; + } + if (this->batch_type == PB_BATCH_CDATA) + { + this->messages->insert_last(this->messages, msg); + } + else + { + msg->destroy(msg); + } + this->mutex->unlock(this->mutex); +} + +METHOD(tnccs_20_handler_t, handle_errors, void, + private_tnccs_20_client_t *this, pb_tnc_batch_t *batch, + bool fatal_header_error) +{ + pb_tnc_msg_t *msg; + enumerator_t *enumerator; + + if (fatal_header_error || this->fatal_error) + { + this->mutex->lock(this->mutex); + change_batch_type(this, PB_BATCH_CLOSE); + this->mutex->unlock(this->mutex); + } + + enumerator = batch->create_error_enumerator(batch); + while (enumerator->enumerate(enumerator, &msg)) + { + this->mutex->lock(this->mutex); + this->messages->insert_last(this->messages, msg->get_ref(msg)); + this->mutex->unlock(this->mutex); + } + enumerator->destroy(enumerator); +} + +METHOD(tnccs_20_handler_t, destroy, void, + private_tnccs_20_client_t *this) +{ + if (this->connection_id) + { + tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id, FALSE); + } + this->state_machine->destroy(this->state_machine); + this->mutex->destroy(this->mutex); + this->messages->destroy_offset(this->messages, + offsetof(pb_tnc_msg_t, destroy)); + free(this->pdp_server.ptr); + free(this); +} + +METHOD(tnccs_20_client_t, get_pdp_server, chunk_t, + private_tnccs_20_client_t *this, u_int16_t *port) +{ + *port = this->pdp_port; + + return this->pdp_server; +} + +/** + * See header + */ +tnccs_20_handler_t* tnccs_20_client_create(tnccs_t *tnccs, + tnccs_send_message_t send_msg, + size_t max_batch_len, + size_t max_msg_len) +{ + private_tnccs_20_client_t *this; + + INIT(this, + .public = { + .handler = { + .process = _process, + .build = _build, + .begin_handshake = _begin_handshake, + .get_send_flag = _get_send_flag, + .get_mutual = _get_mutual, + .get_state = _get_state, + .add_msg = _add_msg, + .handle_errors = _handle_errors, + .destroy = _destroy, + }, + .get_pdp_server = _get_pdp_server, + }, + .state_machine = pb_tnc_state_machine_create(FALSE), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .messages = linked_list_create(), + .batch_type = PB_BATCH_CDATA, + .max_batch_len = max_batch_len, + ); + + this->connection_id = tnc->tnccs->create_connection(tnc->tnccs, + TNCCS_2_0, tnccs, send_msg, + &this->request_handshake_retry, + max_msg_len, NULL); + if (!this->connection_id) + { + destroy(this); + return NULL; + } + tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id, + TNC_CONNECTION_STATE_CREATE); + + return &this->public.handler; +} diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_client.h b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.h new file mode 100644 index 000000000..7a5f33ebc --- /dev/null +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.h @@ -0,0 +1,65 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_20_client_h tnccs_20_client + * @{ @ingroup tnccs_20 + */ + +#ifndef TNCCS_20_CLIENT_H_ +#define TNCCS_20_CLIENT_H_ + +#include + +#include + +#include "tnccs_20_handler.h" + +typedef struct tnccs_20_client_t tnccs_20_client_t; + +/** + * Interface for a TNC client + */ +struct tnccs_20_client_t { + + /** + * IF-TNCCS 2.0 protocol handler interface + */ + tnccs_20_handler_t handler; + + /** + * Get PDP server information if available + * + * @param port PT-TLS port of the PDP server + * @return FQDN of PDP server + */ + chunk_t (*get_pdp_server)(tnccs_20_client_t *this, u_int16_t *port); + +}; + +/** + * Create an instance of the TNC IF-TNCCS 2.0 client-side protocol handler. + * + * @param tnccs TNC IF-TNCCS 2.0 stack + * @param send_msg TNF IF-TNCCS 2.0 send message callback function + * @param max_batch_len Maximum PB-TNC batch size + * @param max_msg_len Maximum PA-TNC message size + */ +tnccs_20_handler_t* tnccs_20_client_create(tnccs_t *tnccs, + tnccs_send_message_t send_msg, + size_t max_batch_len, + size_t max_msg_len); + +#endif /** TNCCS_20_CLIENT_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_handler.h b/src/libtnccs/plugins/tnccs_20/tnccs_20_handler.h new file mode 100644 index 000000000..5c4d7a7b4 --- /dev/null +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_handler.h @@ -0,0 +1,105 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_20_handler_h tnccs_20_handler + * @{ @ingroup tnccs_20 + */ + +#ifndef TNCCS_20_HANDLER_H_ +#define TNCCS_20_HANDLER_H_ + +#include + +#include "batch/pb_tnc_batch.h" +#include "messages/pb_tnc_msg.h" + +typedef struct tnccs_20_handler_t tnccs_20_handler_t; + +/** + * Interface for an IF-TNCCS 2.0 protocol handler + */ +struct tnccs_20_handler_t { + + /** + * Process content of received PB-TNC batch + * + * @param batch PB-TNC batch to be processed + * @return status + */ + status_t (*process)(tnccs_20_handler_t *this, pb_tnc_batch_t *batch); + + /** + * Build PB-TNC batch to be sent + * + * @param buf buffer to write PB-TNC batch to + * @param buflen size of buffer, receives bytes written + * @param msglen receives size of all PB-TNCH batch + * @return status + */ + status_t (*build)(tnccs_20_handler_t *this, void *buf, size_t *buflen, + size_t *msglen); + + /** + * Put the IMCs or IMVs into the handshake state + * + * @param mutual TRUE if PB-TNC mutual mode is already established + */ + void (*begin_handshake)(tnccs_20_handler_t *this, bool mutual); + + /** + * Indicates if IMCs or IMVs are allowed to send PA-TNC messages + * + * @return TRUE if allowed to send + */ + bool (*get_send_flag)(tnccs_20_handler_t *this); + + /** + * Indicates if the PB-TNC mutual protocol has been enabled + * + * @return TRUE if enabled + */ + bool (*get_mutual)(tnccs_20_handler_t *this); + + /** + * Get state of the PB-TNC protocol + * + * @return PB-TNC state + */ + pb_tnc_state_t (*get_state)(tnccs_20_handler_t *this); + + /** + * Add a PB-PA message to the handler's message queue + * + * @param msg PB-PA message to be added + */ + void (*add_msg)(tnccs_20_handler_t *this, pb_tnc_msg_t *msg); + + /** + * Handle errors that occurred during PB-TNC batch header processing + * + * @param batch batch where a fatal error occurred + * @param fatal_header_error TRUE if fatal error in batch header + */ + void (*handle_errors)(tnccs_20_handler_t *this, pb_tnc_batch_t *batch, + bool fatal_header_error); + + /** + * Destroys a tnccs_20_handler_t object. + */ + void (*destroy)(tnccs_20_handler_t *this); +}; + +#endif /** TNCCS_20_HANDLER_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h b/src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h index 1c4ecf4c9..5073fbe7c 100644 --- a/src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h @@ -15,7 +15,7 @@ /** * @defgroup tnccs_20 tnccs_20 - * @ingroup cplugins + * @ingroup tplugins * * @defgroup tnccs_20_plugin tnccs_20_plugin * @{ @ingroup tnccs_20 diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c new file mode 100644 index 000000000..038fc178b --- /dev/null +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c @@ -0,0 +1,693 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_20_server.h" +#include "messages/pb_tnc_msg.h" +#include "messages/ietf/pb_pa_msg.h" +#include "messages/ietf/pb_error_msg.h" +#include "messages/ietf/pb_assessment_result_msg.h" +#include "messages/ietf/pb_access_recommendation_msg.h" +#include "messages/ietf/pb_remediation_parameters_msg.h" +#include "messages/ietf/pb_reason_string_msg.h" +#include "messages/ietf/pb_language_preference_msg.h" +#include "messages/ita/pb_mutual_capability_msg.h" +#include "messages/ita/pb_noskip_test_msg.h" +#include "messages/tcg/pb_pdp_referral_msg.h" +#include "state_machine/pb_tnc_state_machine.h" + +#include +#include + +#include +#include +#include + +#include +#include +#include +#include + +typedef struct private_tnccs_20_server_t private_tnccs_20_server_t; + +/** + * Private data of a tnccs_20_server_t object. + */ +struct private_tnccs_20_server_t { + + /** + * Public tnccs_20_server_t interface. + */ + tnccs_20_server_t public; + + /** + * PB-TNC State Machine + */ + pb_tnc_state_machine_t *state_machine; + + /** + * Connection ID assigned to this TNCCS connection + */ + TNC_ConnectionID connection_id; + + /** + * PB-TNC messages to be sent + */ + linked_list_t *messages; + + /** + * Type of PB-TNC batch being constructed + */ + pb_tnc_batch_type_t batch_type; + + /** + * Maximum PB-TNC batch size + */ + size_t max_batch_len; + + /** + * Mutex locking the batch in construction + */ + mutex_t *mutex; + + /** + * Flag set while processing + */ + bool fatal_error; + + /** + * Flag set by IMC/IMV RequestHandshakeRetry() function + */ + bool request_handshake_retry; + + /** + * SendMessage() by IMV only allowed if flag is set + */ + bool send_msg; + + /** + * Set of IMV recommendations + */ + recommendations_t *recs; + + /** + * TNC IF-T transport protocol for EAP methods + */ + bool eap_transport; + + /** + * Mutual PB-TNC protocol enabled + */ + bool mutual; + + /** + * Mutual Capability message sent + */ + bool sent_mutual_capability; + +}; + +/** + * The following two functions are shared with the tnccs_20_server class + */ +extern void tnccs_20_handle_ietf_error_msg(pb_tnc_msg_t *msg, + bool *fatal_error); +extern bool tnccs_20_handle_ita_mutual_capability_msg(pb_tnc_msg_t *msg); + +/** + * If the batch type changes then delete all accumulated PB-TNC messages + */ +static void change_batch_type(private_tnccs_20_server_t *this, + pb_tnc_batch_type_t batch_type) +{ + pb_tnc_msg_t *msg; + + if (batch_type != this->batch_type) + { + if (this->batch_type != PB_BATCH_NONE) + { + DBG1(DBG_TNC, "cancelling PB-TNC %N batch", + pb_tnc_batch_type_names, this->batch_type); + + while (this->messages->remove_last(this->messages, + (void**)&msg) == SUCCESS) + { + msg->destroy(msg); + } + } + this->batch_type = batch_type; + } +} + +/** + * Handle a single PB-TNC IETF standard message according to its type + */ +static void handle_ietf_message(private_tnccs_20_server_t *this, pb_tnc_msg_t *msg) +{ + pen_type_t msg_type = msg->get_type(msg); + + switch (msg_type.type) + { + case PB_MSG_EXPERIMENTAL: + /* nothing to do */ + break; + case PB_MSG_PA: + { + pb_pa_msg_t *pa_msg; + pen_type_t msg_subtype; + u_int16_t imc_id, imv_id; + chunk_t msg_body; + bool excl; + enum_name_t *pa_subtype_names; + + pa_msg = (pb_pa_msg_t*)msg; + msg_subtype = pa_msg->get_subtype(pa_msg); + msg_body = pa_msg->get_body(pa_msg); + imc_id = pa_msg->get_collector_id(pa_msg); + imv_id = pa_msg->get_validator_id(pa_msg); + excl = pa_msg->get_exclusive_flag(pa_msg); + + pa_subtype_names = get_pa_subtype_names(msg_subtype.vendor_id); + if (pa_subtype_names) + { + DBG2(DBG_TNC, "handling PB-PA message type '%N/%N' 0x%06x/0x%08x", + pen_names, msg_subtype.vendor_id, pa_subtype_names, + msg_subtype.type, msg_subtype.vendor_id, msg_subtype.type); + } + else + { + DBG2(DBG_TNC, "handling PB-PA message type '%N' 0x%06x/0x%08x", + pen_names, msg_subtype.vendor_id, msg_subtype.vendor_id, + msg_subtype.type); + } + this->send_msg = TRUE; + tnc->imvs->receive_message(tnc->imvs, this->connection_id, + excl, msg_body.ptr, msg_body.len, + msg_subtype.vendor_id, + msg_subtype.type, imc_id, imv_id); + this->send_msg = FALSE; + break; + } + case PB_MSG_ERROR: + tnccs_20_handle_ietf_error_msg(msg, &this->fatal_error); + break; + case PB_MSG_LANGUAGE_PREFERENCE: + { + pb_language_preference_msg_t *lang_msg; + chunk_t lang; + + lang_msg = (pb_language_preference_msg_t*)msg; + lang = lang_msg->get_language_preference(lang_msg); + DBG2(DBG_TNC, "setting language preference to '%.*s'", + (int)lang.len, lang.ptr); + this->recs->set_preferred_language(this->recs, lang); + break; + } + default: + break; + } +} + +/** + * Handle a single PB-TNC ITA standard message according to its type + */ +static void handle_ita_message(private_tnccs_20_server_t *this, pb_tnc_msg_t *msg) +{ + pen_type_t msg_type = msg->get_type(msg); + + switch (msg_type.type) + { + case PB_ITA_MSG_MUTUAL_CAPABILITY: + this->mutual = tnccs_20_handle_ita_mutual_capability_msg(msg); + + /* Respond with PB-TNC Mutual Capability message if necessary */ + if (this->mutual && !this->sent_mutual_capability) + { + msg = pb_mutual_capability_msg_create(PB_MUTUAL_HALF_DUPLEX); + this->mutex->lock(this->mutex); + this->messages->insert_last(this->messages, msg); + this->mutex->unlock(this->mutex); + this->sent_mutual_capability = TRUE; + } + break; + default: + break; + } +} + +/** + * Handle a single PB-TNC message according to its type + */ +static void handle_message(private_tnccs_20_server_t *this, pb_tnc_msg_t *msg) +{ + pen_type_t msg_type = msg->get_type(msg); + + switch (msg_type.vendor_id) + { + case PEN_IETF: + handle_ietf_message(this, msg); + break; + case PEN_ITA: + handle_ita_message(this, msg); + break; + default: + break; + } +} + +/** + * Build an SRETRY batch + */ +static void build_retry_batch(private_tnccs_20_server_t *this) +{ + if (this->batch_type == PB_BATCH_SRETRY) + { + /* retry batch has already been selected */ + return; + } + change_batch_type(this, PB_BATCH_SRETRY); + + this->recs->clear_recommendation(this->recs); + tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id, + TNC_CONNECTION_STATE_HANDSHAKE); +} + +METHOD(tnccs_20_handler_t, process, status_t, + private_tnccs_20_server_t *this, pb_tnc_batch_t *batch) +{ + pb_tnc_batch_type_t batch_type; + status_t status; + + batch_type = batch->get_type(batch); + + DBG1(DBG_TNC, "processing PB-TNC %N batch for Connection ID %d", + pb_tnc_batch_type_names, batch_type, this->connection_id); + status = batch->process(batch, this->state_machine); + + if (status != FAILED) + { + enumerator_t *enumerator; + pb_tnc_msg_t *msg; + bool empty = TRUE; + + if (batch_type == PB_BATCH_CRETRY) + { + /* Send an SRETRY batch in response */ + this->mutex->lock(this->mutex); + build_retry_batch(this); + this->mutex->unlock(this->mutex); + } + + enumerator = batch->create_msg_enumerator(batch); + while (enumerator->enumerate(enumerator, &msg)) + { + handle_message(this, msg); + empty = FALSE; + } + enumerator->destroy(enumerator); + + /* received a CLOSE batch from PB-TNC client */ + if (batch_type == PB_BATCH_CLOSE) + { + return empty ? SUCCESS : FAILED; + } + + this->send_msg = TRUE; + tnc->imvs->batch_ending(tnc->imvs, this->connection_id); + this->send_msg = FALSE; + } + + switch (status) + { + case FAILED: + this->fatal_error = TRUE; + status = VERIFY_ERROR; + break; + case VERIFY_ERROR: + break; + case SUCCESS: + default: + status = NEED_MORE; + break; + } + + return status; +} + +/** + * Build a RESULT batch if a final recommendation is available + */ +static void check_and_build_recommendation(private_tnccs_20_server_t *this) +{ + TNC_IMV_Action_Recommendation rec; + TNC_IMV_Evaluation_Result eval; + TNC_ConnectionState state; + TNC_IMVID id; + chunk_t reason, language; + enumerator_t *enumerator; + pb_tnc_msg_t *msg; + pb_access_recommendation_code_t pb_rec; + + if (!this->recs->have_recommendation(this->recs, &rec, &eval)) + { + tnc->imvs->solicit_recommendation(tnc->imvs, this->connection_id); + } + if (this->recs->have_recommendation(this->recs, &rec, &eval)) + { + this->batch_type = PB_BATCH_RESULT; + + msg = pb_assessment_result_msg_create(eval); + this->messages->insert_last(this->messages, msg); + + /** + * Map IMV Action Recommendation codes to PB Access Recommendation codes + * and communicate Access Recommendation to IMVs + */ + switch (rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + state = TNC_CONNECTION_STATE_ACCESS_ALLOWED; + pb_rec = PB_REC_ACCESS_ALLOWED; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + state = TNC_CONNECTION_STATE_ACCESS_ISOLATED; + pb_rec = PB_REC_QUARANTINED; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: + default: + state = TNC_CONNECTION_STATE_ACCESS_NONE; + pb_rec = PB_REC_ACCESS_DENIED; + } + tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id, + state); + + msg = pb_access_recommendation_msg_create(pb_rec); + this->messages->insert_last(this->messages, msg); + + enumerator = this->recs->create_reason_enumerator(this->recs); + while (enumerator->enumerate(enumerator, &id, &reason, &language)) + { + msg = pb_reason_string_msg_create(reason, language); + this->messages->insert_last(this->messages, msg); + } + enumerator->destroy(enumerator); + } +} + +METHOD(tnccs_20_handler_t, build, status_t, + private_tnccs_20_server_t *this, void *buf, size_t *buflen, size_t *msglen) +{ + status_t status; + pb_tnc_state_t state; + + state = this->state_machine->get_state(this->state_machine); + + if (this->fatal_error && state == PB_STATE_END) + { + DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection"); + return FAILED; + } + + /* Do not allow any asynchronous IMVs to add additional messages */ + this->mutex->lock(this->mutex); + + if (this->request_handshake_retry) + { + if (state != PB_STATE_INIT) + { + build_retry_batch(this); + } + + /* Reset the flag for the next handshake retry request */ + this->request_handshake_retry = FALSE; + } + + if (state == PB_STATE_SERVER_WORKING && + this->recs->have_recommendation(this->recs, NULL, NULL)) + { + check_and_build_recommendation(this); + } + + if (this->batch_type == PB_BATCH_NONE) + { + if (state == PB_STATE_SERVER_WORKING) + { + if (this->state_machine->get_empty_cdata(this->state_machine)) + { + check_and_build_recommendation(this); + } + else + { + DBG2(DBG_TNC, "no recommendation available yet, " + "sending empty PB-TNC SDATA batch"); + this->batch_type = PB_BATCH_SDATA; + } + } + } + + if (this->batch_type != PB_BATCH_NONE) + { + pb_tnc_batch_t *batch; + pb_tnc_msg_t *msg; + chunk_t data; + int msg_count; + enumerator_t *enumerator; + + if (this->state_machine->send_batch(this->state_machine, this->batch_type)) + { + batch = pb_tnc_batch_create(TRUE, this->batch_type, + min(this->max_batch_len, *buflen)); + + enumerator = this->messages->create_enumerator(this->messages); + while (enumerator->enumerate(enumerator, &msg)) + { + if (batch->add_msg(batch, msg)) + { + this->messages->remove_at(this->messages, enumerator); + } + else + { + break; + } + } + enumerator->destroy(enumerator); + + batch->build(batch); + data = batch->get_encoding(batch); + DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u", + pb_tnc_batch_type_names, this->batch_type, data.len, + this->connection_id); + DBG3(DBG_TNC, "%B", &data); + + *buflen = data.len; + *msglen = 0; + memcpy(buf, data.ptr, *buflen); + batch->destroy(batch); + + msg_count = this->messages->get_count(this->messages); + if (msg_count) + { + DBG2(DBG_TNC, "queued %d PB-TNC message%s for next %N batch", + msg_count, (msg_count == 1) ? "" : "s", + pb_tnc_batch_type_names, this->batch_type); + } + else + { + this->batch_type = PB_BATCH_NONE; + } + + status = ALREADY_DONE; + } + else + { + change_batch_type(this, PB_BATCH_NONE); + status = INVALID_STATE; + } + } + else + { + DBG1(DBG_TNC, "no PB-TNC batch to send"); + status = INVALID_STATE; + } + this->mutex->unlock(this->mutex); + + return status; +} + +METHOD(tnccs_20_handler_t, begin_handshake, void, + private_tnccs_20_server_t *this, bool mutual) +{ + pb_tnc_msg_t *msg; + identification_t *pdp_server; + u_int16_t *pdp_port; + + tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id, + TNC_CONNECTION_STATE_HANDSHAKE); + + /* Send a PB-TNC TCG PDP Referral message if PDP is known */ + pdp_server = (identification_t*)lib->get(lib, "pt-tls-server"); + pdp_port = (u_int16_t*)lib->get(lib, "pt-tls-port"); + + if (this->eap_transport && pdp_server && pdp_port) + { + msg = pb_pdp_referral_msg_create_from_fqdn( + pdp_server->get_encoding(pdp_server), *pdp_port); + this->mutex->lock(this->mutex); + this->messages->insert_last(this->messages, msg); + this->mutex->unlock(this->mutex); + } + + /* Send a PB-Noskip-Test message for testing purposes */ + if (lib->settings->get_bool(lib->settings, + "%s.plugins.tnccs-20.tests.pb_tnc_noskip", FALSE, lib->ns)) + { + msg = pb_noskip_test_msg_create(); + this->mutex->lock(this->mutex); + this->messages->insert_last(this->messages, msg); + this->mutex->unlock(this->mutex); + } +} + +METHOD(tnccs_20_handler_t, get_send_flag, bool, + private_tnccs_20_server_t *this) +{ + return this->send_msg; +} + +METHOD(tnccs_20_handler_t, get_mutual, bool, + private_tnccs_20_server_t *this) +{ + return this->mutual; +} + +METHOD(tnccs_20_handler_t, get_state, pb_tnc_state_t, + private_tnccs_20_server_t *this) +{ + return this->state_machine->get_state(this->state_machine); +} + +METHOD(tnccs_20_handler_t, add_msg, void, + private_tnccs_20_server_t *this, pb_tnc_msg_t *msg) +{ + /* adding PA message to SDATA batch only */ + this->mutex->lock(this->mutex); + if (this->batch_type == PB_BATCH_NONE) + { + this->batch_type = PB_BATCH_SDATA; + } + if (this->batch_type == PB_BATCH_SDATA) + { + this->messages->insert_last(this->messages, msg); + } + else + { + msg->destroy(msg); + } + this->mutex->unlock(this->mutex); +} + +METHOD(tnccs_20_handler_t, handle_errors, void, + private_tnccs_20_server_t *this, pb_tnc_batch_t *batch, + bool fatal_header_error) +{ + pb_tnc_msg_t *msg; + enumerator_t *enumerator; + + if (fatal_header_error || this->fatal_error) + { + this->mutex->lock(this->mutex); + change_batch_type(this, PB_BATCH_CLOSE); + this->mutex->unlock(this->mutex); + } + + enumerator = batch->create_error_enumerator(batch); + while (enumerator->enumerate(enumerator, &msg)) + { + this->mutex->lock(this->mutex); + this->messages->insert_last(this->messages, msg->get_ref(msg)); + this->mutex->unlock(this->mutex); + } + enumerator->destroy(enumerator); +} + +METHOD(tnccs_20_handler_t, destroy, void, + private_tnccs_20_server_t *this) +{ + if (this->connection_id) + { + tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id, TRUE); + } + this->state_machine->destroy(this->state_machine); + this->mutex->destroy(this->mutex); + this->messages->destroy_offset(this->messages, + offsetof(pb_tnc_msg_t, destroy)); + free(this); +} + +METHOD(tnccs_20_server_t, have_recommendation, bool, + private_tnccs_20_server_t *this, TNC_IMV_Action_Recommendation *rec, + TNC_IMV_Evaluation_Result *eval) +{ + return this->recs->have_recommendation(this->recs, rec, eval); +} + +/** + * See header + */ +tnccs_20_handler_t* tnccs_20_server_create(tnccs_t *tnccs, + tnccs_send_message_t send_msg, + size_t max_batch_len, + size_t max_msg_len, + bool eap_transport) +{ + private_tnccs_20_server_t *this; + + INIT(this, + .public = { + .handler = { + .process = _process, + .build = _build, + .begin_handshake = _begin_handshake, + .get_send_flag = _get_send_flag, + .get_mutual = _get_mutual, + .get_state = _get_state, + .add_msg = _add_msg, + .handle_errors = _handle_errors, + .destroy = _destroy, + }, + .have_recommendation = _have_recommendation, + }, + .state_machine = pb_tnc_state_machine_create(TRUE), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .messages = linked_list_create(), + .batch_type = PB_BATCH_SDATA, + .max_batch_len = max_batch_len, + .eap_transport = eap_transport, + ); + + this->connection_id = tnc->tnccs->create_connection(tnc->tnccs, + TNCCS_2_0, tnccs, send_msg, + &this->request_handshake_retry, + max_msg_len, &this->recs); + if (!this->connection_id) + { + destroy(this); + return NULL; + } + tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id, + TNC_CONNECTION_STATE_CREATE); + + return &this->public.handler; +} diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_server.h b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.h new file mode 100644 index 000000000..5833d1132 --- /dev/null +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.h @@ -0,0 +1,71 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_20_server_h tnccs_20_server + * @{ @ingroup tnccs_20 + */ + +#ifndef TNCCS_20_SERVER_H_ +#define TNCCS_20_SERVER_H_ + +#include + +#include + +#include "tnccs_20_handler.h" + +typedef struct tnccs_20_server_t tnccs_20_server_t; + +/** + * Interface for a TNC server + */ +struct tnccs_20_server_t { + + /** + * IF-TNCCS 2.0 protocol handler interface + */ + tnccs_20_handler_t handler; + + /** + * Check if an Action Recommendation is already available + * + * @param rec TNC Action Recommendation + * @param eval TNC Evaluation Result + * @return TRUE if Action Recommendation is + */ + bool (*have_recommendation)(tnccs_20_server_t *this, + TNC_IMV_Action_Recommendation *rec, + TNC_IMV_Evaluation_Result *eval); + +}; + +/** + * Create an instance of the TNC IF-TNCCS 2.0 server-side protocol handler. + * + * @param tnccs TNC IF-TNCCS 2.0 stack + * @param send_msg TNF IF-TNCCS 2.0 send message callback function + * @param max_batch_len Maximum PB-TNC batch size + * @param max_msg_len Maximum PA-TNC message size + * @param eap_transport TRUE if IF-T for EAP methods + */ +tnccs_20_handler_t* tnccs_20_server_create(tnccs_t *tnccs, + tnccs_send_message_t send_msg, + size_t max_batch_len, + size_t max_msg_len, + bool eap_transport); + + +#endif /** TNCCS_20_SERVER_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in index 6a03df994..3f21a22d4 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in +++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in @@ -231,6 +231,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c index e08236eb7..44b804fb2 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c +++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2013 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -34,12 +34,22 @@ struct private_tnccs_dynamic_t { /** * Server identity */ - identification_t *server; + identification_t *server_id; /** * Client identity */ - identification_t *peer; + identification_t *peer_id; + + /** + * Server IP address + */ + host_t *server_ip; + + /** + * Client IP address + */ + host_t *peer_ip; /** * Detected TNC IF-TNCCS stack @@ -109,8 +119,8 @@ METHOD(tls_t, process, status_t, DBG1(DBG_TNC, "%N protocol detected dynamically", tnccs_type_names, type); tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE, - this->server, this->peer, this->transport, - this->callback); + this->server_id, this->peer_id, this->server_ip, + this->peer_ip, this->transport, this->callback); if (!tnccs) { DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type); @@ -137,14 +147,14 @@ METHOD(tls_t, is_server, bool, METHOD(tls_t, get_server_id, identification_t*, private_tnccs_dynamic_t *this) { - return this->server; + return this->server_id; } METHOD(tls_t, set_peer_id, void, private_tnccs_dynamic_t *this, identification_t *id) { - DESTROY_IF(this->peer); - this->peer = id->clone(id); + DESTROY_IF(this->peer_id); + this->peer_id = id->clone(id); if (this->tls) { this->tls->set_peer_id(this->tls, id); @@ -154,7 +164,7 @@ METHOD(tls_t, set_peer_id, void, METHOD(tls_t, get_peer_id, identification_t*, private_tnccs_dynamic_t *this) { - return this->peer; + return this->peer_id; } METHOD(tls_t, get_purpose, tls_purpose_t, @@ -181,12 +191,26 @@ METHOD(tls_t, destroy, void, if (ref_put(&this->ref)) { DESTROY_IF(this->tls); - this->server->destroy(this->server); - this->peer->destroy(this->peer); + this->server_id->destroy(this->server_id); + this->peer_id->destroy(this->peer_id); + this->server_ip->destroy(this->server_ip); + this->peer_ip->destroy(this->peer_ip); free(this); } } +METHOD(tnccs_t, get_server_ip, host_t*, + private_tnccs_dynamic_t *this) +{ + return this->server_ip; +} + +METHOD(tnccs_t, get_peer_ip, host_t*, + private_tnccs_dynamic_t *this) +{ + return this->peer_ip; +} + METHOD(tnccs_t, get_transport, tnc_ift_type_t, private_tnccs_dynamic_t *this) { @@ -229,9 +253,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*, /** * See header */ -tnccs_t* tnccs_dynamic_create(bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb) +tnccs_t* tnccs_dynamic_create(bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb) { private_tnccs_dynamic_t *this; @@ -249,6 +274,8 @@ tnccs_t* tnccs_dynamic_create(bool is_server, .get_eap_msk = _get_eap_msk, .destroy = _destroy, }, + .get_server_ip = _get_server_ip, + .get_peer_ip = _get_peer_ip, .get_transport = _get_transport, .set_transport = _set_transport, .get_auth_type = _get_auth_type, @@ -256,8 +283,10 @@ tnccs_t* tnccs_dynamic_create(bool is_server, .get_pdp_server = _get_pdp_server, .get_ref = _get_ref, }, - .server = server->clone(server), - .peer = peer->clone(peer), + .server_id = server_id->clone(server_id), + .peer_id = peer_id->clone(peer_id), + .server_ip = server_ip->clone(server_ip), + .peer_ip = peer_ip->clone(peer_ip), .transport = transport, .callback = cb, .ref = 1, diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h index cbdc80b83..2e1141780 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h +++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2013 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -29,14 +29,17 @@ * Create an instance of a dynamic TNC IF-TNCCS protocol handler. * * @param is_server TRUE to act as TNC Server, FALSE for TNC Client - * @param server Server identity - * @param peer Client identity + * @param server_id Server identity + * @param peer_id Client identity + * @param server_ip Server IP address + * @param peer_ip Client IP address * @param transport Underlying IF-T transport protocol * @param cb Callback function if TNC Server, NULL if TNC Client * @return dynamic TNC IF-TNCCS protocol stack */ -tnccs_t* tnccs_dynamic_create(bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb); +tnccs_t* tnccs_dynamic_create(bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb); #endif /** TNCCS_DYNAMIC_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h index b518e1278..97dd0df43 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h +++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h @@ -15,7 +15,7 @@ /** * @defgroup tnccs_dynamic tnccs_dynamic - * @ingroup cplugins + * @ingroup tplugins * * @defgroup tnccs_dynamic_plugin tnccs_dynamic_plugin * @{ @ingroup tnccs_dynamic diff --git a/src/libtnccs/tnc/imc/imc.h b/src/libtnccs/tnc/imc/imc.h index 3ff7d5194..6d13f6bc5 100644 --- a/src/libtnccs/tnc/imc/imc.h +++ b/src/libtnccs/tnc/imc/imc.h @@ -15,7 +15,7 @@ /** * @defgroup imc imc - * @ingroup tnc + * @ingroup libtnccs * * @defgroup imct imc * @{ @ingroup imc diff --git a/src/libtnccs/tnc/imv/imv.h b/src/libtnccs/tnc/imv/imv.h index 3716532d6..fbc26a1e7 100644 --- a/src/libtnccs/tnc/imv/imv.h +++ b/src/libtnccs/tnc/imv/imv.h @@ -15,7 +15,7 @@ /** * @defgroup imv imv - * @ingroup tnc + * @ingroup libtnccs * * @defgroup imvt imv * @{ @ingroup imv diff --git a/src/libtnccs/tnc/tnc.h b/src/libtnccs/tnc/tnc.h index e5a4a2959..7bf8c84b7 100644 --- a/src/libtnccs/tnc/tnc.h +++ b/src/libtnccs/tnc/tnc.h @@ -14,9 +14,12 @@ */ /** - * @defgroup tnc tnc + * @defgroup libtnccs libtnccs * - * @addtogroup tnc + * @defgroup tplugins plugins + * @ingroup libtnccs + * + * @addtogroup libtnccs * @{ */ diff --git a/src/libtnccs/tnc/tnccs/tnccs.h b/src/libtnccs/tnc/tnccs/tnccs.h index eefd5565d..8ff295bcc 100644 --- a/src/libtnccs/tnc/tnccs/tnccs.h +++ b/src/libtnccs/tnc/tnccs/tnccs.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,7 +15,7 @@ /** * @defgroup tnccs tnccs - * @ingroup tnc + * @ingroup libtnccs * * @defgroup tnccst tnccs * @{ @ingroup tnccs @@ -86,6 +86,20 @@ struct tnccs_t { */ tls_t tls; + /** + * Get server IP address + * + * @return Server IP address + */ + host_t* (*get_server_ip)(tnccs_t *this); + + /** + * Get peer IP address + * + * @return Peer IP address + */ + host_t* (*get_peer_ip)(tnccs_t *this); + /** * Get underlying TNC IF-T transport protocol * @@ -135,15 +149,19 @@ struct tnccs_t { * Constructor definition for a pluggable TNCCS protocol implementation. * * @param is_server TRUE if TNC Server, FALSE if TNC Client - * @param server Server identity - * @param peer Client identity + * @param server_id Server identity + * @param peer_id Client identity + * @param server_ip Server IP address + * @param peer_ip Client IP address * @param transport Underlying TNC IF-T transport protocol used * @param cb Callback function if TNC Server, NULL if TNC Client * @return implementation of the tnccs_t interface */ typedef tnccs_t *(*tnccs_constructor_t)(bool is_server, - identification_t *server, - identification_t *peer, + identification_t *server_id, + identification_t *peer_id, + host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, tnccs_cb_t cb); diff --git a/src/libtnccs/tnc/tnccs/tnccs_manager.h b/src/libtnccs/tnc/tnccs/tnccs_manager.h index 791336ee1..b5c85f3c0 100644 --- a/src/libtnccs/tnc/tnccs/tnccs_manager.h +++ b/src/libtnccs/tnc/tnccs/tnccs_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -56,16 +56,19 @@ struct tnccs_manager_t { * * @param type type of the TNCCS protocol * @param is_server TRUE if TNC Server, FALSE if TNC Client - * @param server Server identity - * @param peer Client identity + * @param server_id Server identity + * @param peer_id Client identity + * @param server_ip Server IP address + * @param peer_ip Client IP address * @param transport Underlying TNC IF-T transport protocol used * @param cb Callback function if TNC Server, NULL if TNC Client * @return TNCCS protocol instance, NULL if no constructor found */ tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type, - bool is_server, identification_t *server, - identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb); + bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb); /** * Create a TNCCS connection and assign a unique connection ID as well a diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in index efa06b927..010fadc42 100644 --- a/src/libtncif/Makefile.in +++ b/src/libtncif/Makefile.in @@ -193,6 +193,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -253,10 +254,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -330,6 +333,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libtncif/tncif_names.c b/src/libtncif/tncif_names.c index ac948c8ba..b348c548e 100644 --- a/src/libtncif/tncif_names.c +++ b/src/libtncif/tncif_names.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -46,6 +46,18 @@ ENUM(TNC_IMV_Evaluation_Result_names, "don't know" ); +ENUM(TNC_Identity_names, + TNC_ID_UNKNOWN, + TNC_ID_X500_DN, + "unknown", + "IPv4 address", + "IPv6 address", + "FQDN", + "email address", + "username", + "X.500 DN" +); + ENUM(TNC_Subject_names, TNC_SUBJECT_UNKNOWN, TNC_SUBJECT_USER, diff --git a/src/libtncif/tncif_names.h b/src/libtncif/tncif_names.h index 75458f960..64dd14fc2 100644 --- a/src/libtncif/tncif_names.h +++ b/src/libtncif/tncif_names.h @@ -1,5 +1,6 @@ /* - * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * Copyright (C) 2011-2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -30,6 +31,7 @@ extern enum_name_t *TNC_Connection_State_names; extern enum_name_t *TNC_IMV_Action_Recommendation_names; extern enum_name_t *TNC_IMV_Evaluation_Result_names; +extern enum_name_t *TNC_Identity_names; extern enum_name_t *TNC_Subject_names; extern enum_name_t *TNC_Authentication_names; diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in index 79ee9c7b8..500220a3a 100644 --- a/src/manager/Makefile.in +++ b/src/manager/Makefile.in @@ -245,6 +245,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -305,10 +306,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -382,6 +385,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index 3de9153cf..7265457f1 100644 --- a/src/medsrv/Makefile.in +++ b/src/medsrv/Makefile.in @@ -234,6 +234,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -294,10 +295,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -371,6 +374,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am index 266802cf7..ab407e021 100644 --- a/src/pki/Makefile.am +++ b/src/pki/Makefile.am @@ -13,6 +13,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \ commands/signcrl.c \ commands/acert.c \ commands/pkcs7.c \ + commands/pkcs12.c \ commands/verify.c pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in index 5f7a1bc26..4205469fc 100644 --- a/src/pki/Makefile.in +++ b/src/pki/Makefile.in @@ -108,7 +108,7 @@ am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) \ commands/req.$(OBJEXT) commands/self.$(OBJEXT) \ commands/print.$(OBJEXT) commands/signcrl.$(OBJEXT) \ commands/acert.$(OBJEXT) commands/pkcs7.$(OBJEXT) \ - commands/verify.$(OBJEXT) + commands/pkcs12.$(OBJEXT) commands/verify.$(OBJEXT) pki_OBJECTS = $(am_pki_OBJECTS) pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la AM_V_lt = $(am__v_lt_@AM_V@) @@ -243,6 +243,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -303,10 +304,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -380,6 +383,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -450,6 +455,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \ commands/signcrl.c \ commands/acert.c \ commands/pkcs7.c \ + commands/pkcs12.c \ commands/verify.c pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la @@ -566,6 +572,8 @@ commands/acert.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/pkcs7.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) +commands/pkcs12.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) commands/verify.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) @@ -586,6 +594,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/gen.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/issue.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/keyid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/pkcs12.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/pkcs7.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/print.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/pub.Po@am__quote@ diff --git a/src/pki/command.h b/src/pki/command.h index 9cf036bf2..d49adda09 100644 --- a/src/pki/command.h +++ b/src/pki/command.h @@ -24,7 +24,7 @@ /** * Maximum number of commands (+1). */ -#define MAX_COMMANDS 12 +#define MAX_COMMANDS 13 /** * Maximum number of options in a command (+3) diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c index 185aa40b4..7099977f2 100644 --- a/src/pki/commands/acert.c +++ b/src/pki/commands/acert.c @@ -1,6 +1,7 @@ /* * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -31,7 +32,7 @@ static int acert() { cred_encoding_type_t form = CERT_ASN1_DER; - hash_algorithm_t digest = HASH_SHA1; + hash_algorithm_t digest = HASH_UNKNOWN; certificate_t *ac = NULL, *cert = NULL, *issuer =NULL; private_key_t *private = NULL; public_key_t *public = NULL; @@ -161,6 +162,10 @@ static int acert() error = "loading issuer private key failed"; goto end; } + if (digest == HASH_UNKNOWN) + { + digest = get_default_digest(private); + } if (!private->belongs_to(private, public)) { error = "issuer private key does not match issuer certificate"; @@ -286,7 +291,7 @@ static void __attribute__ ((constructor))reg() {"not-before", 'F', 1, "date/time the validity of the AC starts"}, {"not-after", 'T', 1, "date/time the validity of the AC ends"}, {"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c index ce28a0971..8b11854ad 100644 --- a/src/pki/commands/gen.c +++ b/src/pki/commands/gen.c @@ -1,6 +1,7 @@ /* * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2014-2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -43,6 +44,10 @@ static int gen() { type = KEY_ECDSA; } + else if (streq(arg, "bliss")) + { + type = KEY_BLISS; + } else { return command_usage("invalid key type"); @@ -96,6 +101,9 @@ static int gen() case KEY_ECDSA: size = 384; break; + case KEY_BLISS: + size = 1; + break; default: break; } @@ -151,12 +159,12 @@ static void __attribute__ ((constructor))reg() { command_register((command_t) { gen, 'g', "gen", "generate a new private key", - {" [--type rsa|ecdsa] [--size bits] [--safe-primes]", + {" [--type rsa|ecdsa|bliss] [--size bits] [--safe-primes]", "[--shares n] [--threshold l] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"type", 't', 1, "type of key, default: rsa"}, - {"size", 's', 1, "keylength in bits, default: rsa 2048, ecdsa 384"}, + {"size", 's', 1, "keylength in bits, default: rsa 2048, ecdsa 384, bliss 1"}, {"safe-primes", 'p', 0, "generate rsa safe primes"}, {"shares", 'n', 1, "number of private rsa key shares"}, {"threshold", 'l', 1, "minimum number of participating rsa key shares"}, diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index aaa2c2ff7..6a2d09d78 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -1,6 +1,7 @@ /* * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -59,7 +60,7 @@ static void destroy_cdp(x509_cdp_t *this) static int issue() { cred_encoding_type_t form = CERT_ASN1_DER; - hash_algorithm_t digest = HASH_SHA1; + hash_algorithm_t digest = HASH_UNKNOWN; certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL; private_key_t *private = NULL; public_key_t *public = NULL; @@ -287,6 +288,7 @@ static int issue() } break; } + if (!cacert) { error = "--cacert is required"; @@ -355,6 +357,10 @@ static int issue() error = "loading CA private key failed"; goto end; } + if (digest == HASH_UNKNOWN) + { + digest = get_default_digest(private); + } if (!private->belongs_to(private, public)) { error = "CA private key does not match CA certificate"; @@ -589,7 +595,7 @@ static void __attribute__ ((constructor))reg() {"crl", 'u', 1, "CRL distribution point URI to include"}, {"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c index c3ac0c288..3bc62e74d 100644 --- a/src/pki/commands/keyid.c +++ b/src/pki/commands/keyid.c @@ -52,6 +52,11 @@ static int keyid() type = CRED_PRIVATE_KEY; subtype = KEY_ECDSA; } + else if (streq(arg, "bliss-priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_BLISS; + } else if (streq(arg, "pub")) { type = CRED_PUBLIC_KEY; @@ -164,7 +169,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { keyid, 'k', "keyid", "calculate key identifiers of a key/certificate", - {"[--in file] [--type rsa-priv|ecdsa-priv|pub|pkcs10|x509]"}, + {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "input file, default: stdin"}, diff --git a/src/pki/commands/pkcs12.c b/src/pki/commands/pkcs12.c new file mode 100644 index 000000000..dcd1496ba --- /dev/null +++ b/src/pki/commands/pkcs12.c @@ -0,0 +1,247 @@ +/* + * Copyright (C) 2014 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include "pki.h" + +#include +#include + +/** + * Show info about PKCS#12 container + */ +static int show(pkcs12_t *pkcs12) +{ + enumerator_t *enumerator; + certificate_t *cert; + private_key_t *key; + int index = 1; + + printf("Certificates:\n"); + enumerator = pkcs12->create_cert_enumerator(pkcs12); + while (enumerator->enumerate(enumerator, &cert)) + { + x509_t *x509 = (x509_t*)cert; + + if (x509->get_flags(x509) & X509_CA) + { + printf("[%2d] \"%Y\" (CA)\n", index++, cert->get_subject(cert)); + } + else + { + printf("[%2d] \"%Y\"\n", index++, cert->get_subject(cert)); + } + } + enumerator->destroy(enumerator); + + printf("Private keys:\n"); + enumerator = pkcs12->create_key_enumerator(pkcs12); + while (enumerator->enumerate(enumerator, &key)) + { + printf("[%2d] %N %d bits\n", index++, key_type_names, + key->get_type(key), key->get_keysize(key)); + } + enumerator->destroy(enumerator); + return 0; +} + +static int export(pkcs12_t *pkcs12, int index, char *outform) +{ + cred_encoding_type_t form; + enumerator_t *enumerator; + certificate_t *cert; + private_key_t *key; + chunk_t encoding; + int i = 1; + + enumerator = pkcs12->create_cert_enumerator(pkcs12); + while (enumerator->enumerate(enumerator, &cert)) + { + if (i++ == index) + { + form = CERT_ASN1_DER; + if (outform && !get_form(outform, &form, CRED_CERTIFICATE)) + { + enumerator->destroy(enumerator); + return command_usage("invalid output format"); + } + if (cert->get_encoding(cert, form, &encoding)) + { + set_file_mode(stdout, form); + if (fwrite(encoding.ptr, encoding.len, 1, stdout) == 1) + { + free(encoding.ptr); + enumerator->destroy(enumerator); + return 0; + } + free(encoding.ptr); + } + fprintf(stderr, "certificate export failed\n"); + enumerator->destroy(enumerator); + return 1; + } + } + enumerator->destroy(enumerator); + + enumerator = pkcs12->create_key_enumerator(pkcs12); + while (enumerator->enumerate(enumerator, &key)) + { + if (i++ == index) + { + form = PRIVKEY_ASN1_DER; + if (outform && !get_form(outform, &form, CRED_PRIVATE_KEY)) + { + enumerator->destroy(enumerator); + return command_usage("invalid output format"); + } + if (key->get_encoding(key, form, &encoding)) + { + set_file_mode(stdout, form); + if (fwrite(encoding.ptr, encoding.len, 1, stdout) == 1) + { + free(encoding.ptr); + enumerator->destroy(enumerator); + return 0; + } + free(encoding.ptr); + } + fprintf(stderr, "private key export failed\n"); + enumerator->destroy(enumerator); + return 0; + } + } + enumerator->destroy(enumerator); + + fprintf(stderr, "invalid index %d\n", index); + return 1; +} + + +/** + * Handle PKCs#12 containers + */ +static int pkcs12() +{ + char *arg, *file = NULL, *outform = NULL; + pkcs12_t *p12 = NULL; + int res = 1, index = 0; + enum { + OP_NONE, + OP_LIST, + OP_EXPORT, + } op = OP_NONE; + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + return command_usage(NULL); + case 'i': + file = arg; + continue; + case 'l': + if (op != OP_NONE) + { + goto invalid; + } + op = OP_LIST; + continue; + case 'e': + if (op != OP_NONE) + { + goto invalid; + } + op = OP_EXPORT; + index = atoi(arg); + continue; + case 'f': + outform = arg; + continue; + case EOF: + break; + default: + invalid: + return command_usage("invalid --pkcs12 option"); + } + break; + } + + if (file) + { + p12 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS12, + BUILD_FROM_FILE, file, BUILD_END); + } + else + { + chunk_t chunk; + + set_file_mode(stdin, CERT_ASN1_DER); + if (!chunk_from_fd(0, &chunk)) + { + fprintf(stderr, "reading input failed: %s\n", strerror(errno)); + return 1; + } + p12 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS12, + BUILD_BLOB, chunk, BUILD_END); + free(chunk.ptr); + } + + if (!p12) + { + fprintf(stderr, "reading input failed!\n"); + goto end; + } + + switch (op) + { + case OP_LIST: + res = show(p12); + break; + case OP_EXPORT: + res = export(p12, index, outform); + break; + default: + p12->container.destroy(&p12->container); + return command_usage(NULL); + } + +end: + if (p12) + { + p12->container.destroy(&p12->container); + } + return res; +} + +/** + * Register the command. + */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) { + pkcs12, 'u', "pkcs12", "PKCS#12 functions", + {"--export index|--list [--in file]", + "[--outform der|pem]"}, + { + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "input file, default: stdin"}, + {"list", 'l', 0, "list certificates and keys"}, + {"export", 'e', 1, "export the credential with the given index"}, + {"outform", 'f', 1, "encoding of exported credentials, default: der"}, + } + }); +} diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index fb07169bf..fa69de133 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -32,9 +32,12 @@ static void print_pubkey(public_key_t *key) { chunk_t chunk; + key_type_t type; + + type = key->get_type(key); + printf("pubkey: %N %d bits%s\n", key_type_names, type, + key->get_keysize(key), (type == KEY_BLISS) ? " strength" : ""); - printf("pubkey: %N %d bits\n", key_type_names, key->get_type(key), - key->get_keysize(key)); if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk)) { printf("keyid: %#B\n", &chunk); @@ -65,6 +68,22 @@ static void print_key(private_key_t *key) } } +/** + * Get a prefix for a named constraint identity type + */ +static char* get_type_pfx(identification_t *id) +{ + switch (id->get_type(id)) + { + case ID_RFC822_ADDR: + return "email:"; + case ID_FQDN: + return "dns:"; + default: + return ""; + } +} + /** * Print X509 specific certificate information */ @@ -202,7 +221,7 @@ static void print_x509(x509_t *x509) printf("Permitted NameConstraints:\n"); first = FALSE; } - printf(" %Y\n", id); + printf(" %s%Y\n", get_type_pfx(id), id); } enumerator->destroy(enumerator); first = TRUE; @@ -214,7 +233,7 @@ static void print_x509(x509_t *x509) printf("Excluded NameConstraints:\n"); first = FALSE; } - printf(" %Y\n", id); + printf(" %s%Y\n", get_type_pfx(id), id); } enumerator->destroy(enumerator); @@ -580,6 +599,11 @@ static int print() type = CRED_PRIVATE_KEY; subtype = KEY_ECDSA; } + else if (streq(arg, "bliss-priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_BLISS; + } else { return command_usage( "invalid input type"); @@ -652,7 +676,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { print, 'a', "print", "print a credential in a human readable form", - {"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509|crl|ac]"}, + {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|x509|crl|ac]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "input file, default: stdin"}, diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c index b8d2f701d..ccc3c4251 100644 --- a/src/pki/commands/pub.c +++ b/src/pki/commands/pub.c @@ -1,6 +1,7 @@ /* * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -53,6 +54,11 @@ static int pub() type = CRED_PRIVATE_KEY; subtype = KEY_ECDSA; } + else if (streq(arg, "bliss")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_BLISS; + } else if (streq(arg, "pub")) { type = CRED_PUBLIC_KEY; @@ -183,7 +189,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { pub, 'p', "pub", "extract the public key from a private key/certificate", - {"[--in file|--keyid hex] [--type rsa|ecdsa|pub|pkcs10|x509]", + {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|pub|pkcs10|x509]", "[--outform der|pem|dnskey|sshkey]"}, { {"help", 'h', 0, "show usage information"}, diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index 023683569..da991b505 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -1,6 +1,7 @@ /* * Copyright (C) 2009 Martin Willi - * Copyright (C) 2009 Andreas Steffen + * Copyright (C) 2009-2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * HSR Hochschule fuer Technik Rapperswil * @@ -30,7 +31,7 @@ static int req() { cred_encoding_type_t form = CERT_ASN1_DER; key_type_t type = KEY_RSA; - hash_algorithm_t digest = HASH_SHA1; + hash_algorithm_t digest = HASH_UNKNOWN; certificate_t *cert = NULL; private_key_t *private = NULL; char *file = NULL, *dn = NULL, *error = NULL; @@ -57,6 +58,10 @@ static int req() { type = KEY_ECDSA; } + else if (streq(arg, "bliss")) + { + type = KEY_BLISS; + } else { error = "invalid input type"; @@ -134,6 +139,10 @@ static int req() error = "parsing private key failed"; goto end; } + if (digest == HASH_UNKNOWN) + { + digest = get_default_digest(private); + } cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, BUILD_SIGNING_KEY, private, BUILD_SUBJECT, id, @@ -185,7 +194,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { req, 'r', "req", "create a PKCS#10 certificate request", - {" [--in file] [--type rsa|ecdsa] --dn distinguished-name", + {" [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name", "[--san subjectAltName]+ [--password challengePassword]", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { @@ -195,7 +204,7 @@ static void __attribute__ ((constructor))reg() {"dn", 'd', 1, "subject distinguished name"}, {"san", 'a', 1, "subjectAltName to include in cert request"}, {"password",'p', 1, "challengePassword to include in cert request"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, {"outform", 'f', 1, "encoding of generated request, default: der"}, } }); diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index daefcdc10..a785c2a0c 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -1,6 +1,7 @@ /* * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -49,7 +50,7 @@ static int self() { cred_encoding_type_t form = CERT_ASN1_DER; key_type_t type = KEY_RSA; - hash_algorithm_t digest = HASH_SHA1; + hash_algorithm_t digest = HASH_UNKNOWN; certificate_t *cert = NULL; private_key_t *private = NULL; public_key_t *public = NULL; @@ -57,7 +58,8 @@ static int self() identification_t *id = NULL; linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings; int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT; - int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT; + int inhibit_mapping = X509_NO_CONSTRAINT; + int require_explicit = X509_NO_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60; @@ -88,6 +90,10 @@ static int self() { type = KEY_ECDSA; } + else if (streq(arg, "bliss")) + { + type = KEY_BLISS; + } else { error = "invalid input type"; @@ -308,6 +314,10 @@ static int self() error = "loading private key failed"; goto end; } + if (digest == HASH_UNKNOWN) + { + digest = get_default_digest(private); + } public = private->get_public_key(private); if (!public) { @@ -407,7 +417,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { self, 's', "self", "create a self signed certificate", - {" [--in file|--keyid hex] [--type rsa|ecdsa]", + {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+", @@ -441,7 +451,7 @@ static void __attribute__ ((constructor))reg() {"policy-any", 'A', 1, "inhibitAnyPolicy constraint"}, {"flag", 'e', 1, "include extendedKeyUsage flag"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index e5f49efe2..720dfd8a9 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -117,7 +117,7 @@ static int sign_crl() certificate_t *ca = NULL, *crl = NULL; crl_t *lastcrl = NULL; x509_t *x509; - hash_algorithm_t digest = HASH_SHA1; + hash_algorithm_t digest = HASH_UNKNOWN; char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL; char *basecrl = NULL; char serial[512], *keyid = NULL; @@ -330,6 +330,10 @@ static int sign_crl() error = "loading CA private key failed"; goto error; } + if (digest == HASH_UNKNOWN) + { + digest = get_default_digest(private); + } if (!private->belongs_to(private, public)) { error = "CA private key does not match CA certificate"; @@ -465,7 +469,7 @@ static void __attribute__ ((constructor))reg() {"serial", 's', 1, "hex encoded certificate serial number to revoke"}, {"reason", 'r', 1, "reason for certificate revocation"}, {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, {"outform", 'f', 1, "encoding of generated crl, default: der"}, } }); diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in index c288015de..45355bacd 100644 --- a/src/pki/man/Makefile.in +++ b/src/pki/man/Makefile.in @@ -81,10 +81,11 @@ subdir = src/pki/man DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(srcdir)/pki.1.in $(srcdir)/pki---gen.1.in \ $(srcdir)/pki---issue.1.in $(srcdir)/pki---keyid.1.in \ - $(srcdir)/pki---pkcs7.1.in $(srcdir)/pki---print.1.in \ - $(srcdir)/pki---pub.1.in $(srcdir)/pki---req.1.in \ - $(srcdir)/pki---self.1.in $(srcdir)/pki---signcrl.1.in \ - $(srcdir)/pki---acert.1.in $(srcdir)/pki---verify.1.in + $(srcdir)/pki---pkcs7.1.in $(srcdir)/pki---pkcs12.1.in \ + $(srcdir)/pki---print.1.in $(srcdir)/pki---pub.1.in \ + $(srcdir)/pki---req.1.in $(srcdir)/pki---self.1.in \ + $(srcdir)/pki---signcrl.1.in $(srcdir)/pki---acert.1.in \ + $(srcdir)/pki---verify.1.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -101,8 +102,9 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = pki.1 pki---gen.1 pki---issue.1 pki---keyid.1 \ - pki---pkcs7.1 pki---print.1 pki---pub.1 pki---req.1 \ - pki---self.1 pki---signcrl.1 pki---acert.1 pki---verify.1 + pki---pkcs7.1 pki---pkcs12.1 pki---print.1 pki---pub.1 \ + pki---req.1 pki---self.1 pki---signcrl.1 pki---acert.1 \ + pki---verify.1 CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) @@ -181,6 +183,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -241,10 +244,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -318,6 +323,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -434,6 +441,8 @@ pki---keyid.1: $(top_builddir)/config.status $(srcdir)/pki---keyid.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ pki---pkcs7.1: $(top_builddir)/config.status $(srcdir)/pki---pkcs7.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +pki---pkcs12.1: $(top_builddir)/config.status $(srcdir)/pki---pkcs12.1.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ pki---print.1: $(top_builddir)/config.status $(srcdir)/pki---print.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ pki---pub.1: $(top_builddir)/config.status $(srcdir)/pki---pub.1.in diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in index ec1d8be6e..d7460fd1f 100644 --- a/src/pki/man/pki---acert.1.in +++ b/src/pki/man/pki---acert.1.in @@ -99,8 +99,8 @@ Serial number in hex. It is randomly allocated by default. .TP .BI "\-g, \-\-digest " digest Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, -\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to -\fIsha1\fR. +\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is +determined based on the type and size of the signature key. .TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in index 375cb2fe4..3a89059c8 100644 --- a/src/pki/man/pki---issue.1.in +++ b/src/pki/man/pki---issue.1.in @@ -122,8 +122,8 @@ Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR, .TP .BI "\-g, \-\-digest " digest Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, -\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to -\fIsha1\fR. +\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is +determined based on the type and size of the signature key. .TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or @@ -147,10 +147,22 @@ times. Set path length constraint. .TP .BI "\-n, \-\-nc-permitted " name -Add permitted NameConstraint extension to certificate. +Add permitted NameConstraint extension to certificate. For DNS or email +constraints, the identity type is not always detectable by the given name. Use +the +.B dns: +or +.B email: +prefix to force a constraint type. .TP .BI "\-N, \-\-nc-excluded " name -Add excluded NameConstraint extension to certificate. +Add excluded NameConstraint extension to certificate. For DNS or email +constraints, the identity type is not always detectable by the given name. Use +the +.B dns: +or +.B email: +prefix to force a constraint type. .TP .BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid Add policyMapping from issuer to subject OID. diff --git a/src/pki/man/pki---pkcs12.1.in b/src/pki/man/pki---pkcs12.1.in new file mode 100644 index 000000000..470a66389 --- /dev/null +++ b/src/pki/man/pki---pkcs12.1.in @@ -0,0 +1,62 @@ +.TH "PKI \-\-PKCS12" 1 "2014-10-17" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +pki \-\-pkcs12 \- Provides PKCS#12 functions +. +.SH "SYNOPSIS" +. +.SY pki\ \-\-pkcs12 +.BR \-\-list +.OP \-\-in file +.OP \-\-debug level +.YS +. +.SY pki\ \-\-pkcs12 +.BI \-\-export\~ index +.OP \-\-in file +.OP \-\-outform encoding +.OP \-\-debug level +.YS +. +.SY pki\ \-\-pkcs12 +.BI \-\-options\~ file +.YS +. +.SY "pki \-\-pkcs12" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +This sub-command of +.BR pki (1) +provides functions to work with PKCS#12 containers. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Print usage information with a summary of the available options. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.BI "\-+, \-\-options " file +Read command line options from \fIfile\fR. +.TP +.BI "\-l, \-\-list" +List certificates and keys contained in a PKCS#12 container. +.TP +.BI "\-e, \-\-export " index +Export the credential with the given \fIindex\fR. Use \fI\-\-list\fR to +determine the index of certificates and keys. +.TP +.BI "\-i, \-\-in " file +PKCS#12 input file. If not given the input is read from \fISTDIN\fR. +. +.SH "SEE ALSO" +. +.BR pki (1) \ No newline at end of file diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in index ab144ce2a..a6f6a480a 100644 --- a/src/pki/man/pki---req.1.in +++ b/src/pki/man/pki---req.1.in @@ -62,8 +62,8 @@ The challengePassword to include in the certificate request. .TP .BI "\-g, \-\-digest " digest Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, -\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to -\fIsha1\fR. +\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is +determined based on the type and size of the signature key. .TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in index 5e6e78bd0..53f53f816 100644 --- a/src/pki/man/pki---self.1.in +++ b/src/pki/man/pki---self.1.in @@ -109,8 +109,8 @@ Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR, .TP .BI "\-g, \-\-digest " digest Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, -\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to -\fIsha1\fR. +\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is +determined based on the type and size of the signature key. .TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or @@ -127,10 +127,22 @@ times. Set path length constraint. .TP .BI "\-n, \-\-nc-permitted " name -Add permitted NameConstraint extension to certificate. +Add permitted NameConstraint extension to certificate. For DNS or email +constraints, the identity type is not always detectable by the given name. Use +the +.B dns: +or +.B email: +prefix to force a constraint type. .TP .BI "\-N, \-\-nc-excluded " name -Add excluded NameConstraint extension to certificate. +Add excluded NameConstraint extension to certificate. For DNS or email +constraints, the identity type is not always detectable by the given name. Use +the +.B dns: +or +.B email: +prefix to force a constraint type. .TP .BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid Add policyMapping from issuer to subject OID. diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in index bd6cba547..b930bfa3c 100644 --- a/src/pki/man/pki---signcrl.1.in +++ b/src/pki/man/pki---signcrl.1.in @@ -98,8 +98,8 @@ Freshest delta CRL URI to include in CRL. Can be used multiple times. .TP .BI "\-g, \-\-digest " digest Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, -\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to -\fIsha1\fR. +\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is +determined based on the type and size of the signature key. .TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or diff --git a/src/pki/pki.c b/src/pki/pki.c index 434287de6..472704945 100644 --- a/src/pki/pki.c +++ b/src/pki/pki.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012-2014 Tobias Brunner * Copyright (C) 2009 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -22,6 +23,7 @@ #include #include +#include #include /** @@ -235,11 +237,39 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc) #endif } +/* + * Described in header + */ +hash_algorithm_t get_default_digest(private_key_t *private) +{ + enumerator_t *enumerator; + signature_scheme_t scheme; + hash_algorithm_t alg = HASH_UNKNOWN; + + enumerator = signature_schemes_for_key(private->get_type(private), + private->get_keysize(private)); + if (enumerator->enumerate(enumerator, &scheme)) + { + alg = hasher_from_signature_scheme(scheme); + } + enumerator->destroy(enumerator); + + /* default to SHA-256 */ + return alg == HASH_UNKNOWN ? HASH_SHA256 : alg; +} + /** * Callback credential set pki uses */ static callback_cred_t *cb_set; +/** + * Credential set to cache entered secrets + */ +static mem_cred_t *cb_creds; + +static shared_key_type_t prompted; + /** * Callback function to receive credentials */ @@ -248,7 +278,12 @@ static shared_key_t* cb(void *data, shared_key_type_t type, id_match_t *match_me, id_match_t *match_other) { char buf[64], *label, *secret = NULL; + shared_key_t *shared; + if (prompted == type) + { + return NULL; + } switch (type) { case SHARED_PIN: @@ -266,6 +301,7 @@ static shared_key_t* cb(void *data, shared_key_type_t type, #endif if (secret && strlen(secret)) { + prompted = type; if (match_me) { *match_me = ID_MATCH_PERFECT; @@ -274,8 +310,10 @@ static shared_key_t* cb(void *data, shared_key_type_t type, { *match_other = ID_MATCH_NONE; } - return shared_key_create(type, - chunk_clone(chunk_create(secret, strlen(secret)))); + shared = shared_key_create(type, chunk_clone(chunk_from_str(secret))); + /* cache password in case it is required more than once */ + cb_creds->add_shared(cb_creds, shared, NULL); + return shared->get_ref(shared); } return NULL; } @@ -287,6 +325,8 @@ static void add_callback() { cb_set = callback_cred_create_shared(cb, NULL); lib->credmgr->add_set(lib->credmgr, &cb_set->set); + cb_creds = mem_cred_create(); + lib->credmgr->add_set(lib->credmgr, &cb_creds->set); } /** @@ -294,6 +334,8 @@ static void add_callback() */ static void remove_callback() { + lib->credmgr->remove_set(lib->credmgr, &cb_creds->set); + cb_creds->destroy(cb_creds); lib->credmgr->remove_set(lib->credmgr, &cb_set->set); cb_set->destroy(cb_set); } diff --git a/src/pki/pki.h b/src/pki/pki.h index 1f0827733..017e61df6 100644 --- a/src/pki/pki.h +++ b/src/pki/pki.h @@ -55,4 +55,12 @@ bool calculate_lifetime(char *format, char *nbstr, char *nastr, time_t span, */ void set_file_mode(FILE *stream, cred_encoding_type_t enc); +/** + * Select default digest for signatures with the given key + * + * @param private private key + * @return hash algorithm + */ +hash_algorithm_t get_default_digest(private_key_t *private); + #endif /** PKI_H_ @}*/ diff --git a/src/pool/Makefile.am b/src/pool/Makefile.am index b8d662e57..5ae624b88 100644 --- a/src/pool/Makefile.am +++ b/src/pool/Makefile.am @@ -11,11 +11,13 @@ pool.o : $(top_builddir)/config.status AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon \ -DPLUGINS=\""${pool_plugins}\"" pool_LDADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ - $(top_builddir)/src/libhydra/libhydra.la + $(top_builddir)/src/libhydra/libhydra.la \ + $(top_builddir)/src/libcharon/libcharon.la endif USE_ATTR_SQL diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in index 4f753a0bb..b9557547a 100644 --- a/src/pool/Makefile.in +++ b/src/pool/Makefile.in @@ -109,7 +109,8 @@ am__pool_SOURCES_DIST = pool.c pool_attributes.c pool_attributes.h \ @USE_ATTR_SQL_TRUE@ pool_usage.$(OBJEXT) pool_OBJECTS = $(am_pool_OBJECTS) @USE_ATTR_SQL_TRUE@pool_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la \ -@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libhydra/libhydra.la +@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libhydra/libhydra.la \ +@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libcharon/libcharon.la AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent @@ -228,6 +229,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -288,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -365,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -430,11 +436,13 @@ xml_LIBS = @xml_LIBS@ @USE_ATTR_SQL_TRUE@AM_CPPFLAGS = \ @USE_ATTR_SQL_TRUE@ -I$(top_srcdir)/src/libstrongswan \ @USE_ATTR_SQL_TRUE@ -I$(top_srcdir)/src/libhydra \ +@USE_ATTR_SQL_TRUE@ -I$(top_srcdir)/src/libcharon \ @USE_ATTR_SQL_TRUE@ -DPLUGINS=\""${pool_plugins}\"" @USE_ATTR_SQL_TRUE@pool_LDADD = \ @USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libstrongswan/libstrongswan.la \ -@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libhydra/libhydra.la +@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libhydra/libhydra.la \ +@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libcharon/libcharon.la templatesdir = $(pkgdatadir)/templates/database/sql dist_templates_DATA = mysql.sql sqlite.sql diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in index 7ee25c007..a02db98f2 100644 --- a/src/pt-tls-client/Makefile.in +++ b/src/pt-tls-client/Makefile.in @@ -198,6 +198,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -258,10 +259,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -335,6 +338,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c index a8d45b54f..3a179af17 100644 --- a/src/pt-tls-client/pt-tls-client.c +++ b/src/pt-tls-client/pt-tls-client.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2010-2013 Martin Willi, revosec AG - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule für Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -54,32 +54,44 @@ static int client(char *address, u_int16_t port, char *identity) { pt_tls_client_t *assessment; tls_t *tnccs; - identification_t *server, *client; - host_t *host; + identification_t *server_id, *client_id; + host_t *server_ip, *client_ip; status_t status; - host = host_create_from_dns(address, AF_UNSPEC, port); - if (!host) + server_ip = host_create_from_dns(address, AF_UNSPEC, port); + if (!server_ip) { return 1; } - server = identification_create_from_string(address); - client = identification_create_from_string(identity); + + client_ip = host_create_any(server_ip->get_family(server_ip)); + if (!client_ip) + { + server_ip->destroy(server_ip); + return 1; + } + server_id = identification_create_from_string(address); + client_id = identification_create_from_string(identity); + tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE, - server, client, TNC_IFT_TLS_2_0, NULL); + server_id, client_id, server_ip, client_ip, + TNC_IFT_TLS_2_0, NULL); + client_ip->destroy(client_ip); + if (!tnccs) { fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS); - host->destroy(host); - server->destroy(server); - client->destroy(client); + server_ip->destroy(server_ip); + server_id->destroy(server_id); + client_id->destroy(client_id); return 1; } - assessment = pt_tls_client_create(host, server, client); + assessment = pt_tls_client_create(server_ip, server_id, client_id); status = assessment->run_assessment(assessment, (tnccs_t*)tnccs); assessment->destroy(assessment); tnccs->destroy(tnccs); - return status; + + return (status != SUCCESS); } @@ -258,6 +270,7 @@ int main(int argc, char *argv[]) {"port", required_argument, NULL, 'p' }, {"cert", required_argument, NULL, 'x' }, {"key", required_argument, NULL, 'k' }, + {"mutual", no_argument, NULL, 'm' }, {"quiet", no_argument, NULL, 'q' }, {"debug", required_argument, NULL, 'd' }, {"optionsfrom", required_argument, NULL, '+' }, @@ -299,6 +312,10 @@ int main(int argc, char *argv[]) case 'p': /* --port */ port = atoi(optarg); continue; + case 'm': /* --mutual */ + lib->settings->set_bool(lib->settings, + "%s.plugins.tnccs-20.mutual", TRUE, lib->ns); + continue; case 'q': /* --quiet */ log_to_stderr = FALSE; continue; diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index 6a947efa6..bcc70cb1b 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -225,6 +225,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -285,10 +286,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -362,6 +365,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 88d362f6c..ee68adc21 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -271,6 +271,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -331,10 +332,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -408,6 +411,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/starter/cmp.c b/src/starter/cmp.c index cea864a4a..aee55d94c 100644 --- a/src/starter/cmp.c +++ b/src/starter/cmp.c @@ -45,7 +45,7 @@ bool starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2) VARCMP(mark_in.value); VARCMP(mark_in.mask); VARCMP(mark_out.value); - VARCMP(mark_in.mask); + VARCMP(mark_out.mask); VARCMP(tfc); VARCMP(sa_keying_tries); diff --git a/src/starter/parser/lexer.c b/src/starter/parser/lexer.c index 157b89c31..cebf5a06c 100644 --- a/src/starter/parser/lexer.c +++ b/src/starter/parser/lexer.c @@ -456,8 +456,8 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner ); yyg->yy_c_buf_p = yy_cp; /* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */ -#define YY_NUM_RULES 28 -#define YY_END_OF_BUFFER 29 +#define YY_NUM_RULES 29 +#define YY_END_OF_BUFFER 30 /* This struct is not used in this scanner, but its presence is necessary. */ struct yy_trans_info @@ -465,34 +465,35 @@ struct yy_trans_info flex_int32_t yy_verify; flex_int32_t yy_nxt; }; -static yyconst flex_int16_t yy_accept[81] = +static yyconst flex_int16_t yy_accept[83] = { 0, - 0, 0, 0, 0, 0, 0, 29, 12, 3, 5, + 0, 0, 0, 0, 0, 0, 30, 12, 3, 5, 11, 4, 6, 12, 12, 2, 12, 12, 17, 13, - 14, 15, 27, 19, 18, 20, 12, 3, 4, 4, - 0, 12, 2, 0, 9, 12, 12, 17, 16, 27, - 26, 24, 25, 21, 22, 23, 12, 0, 12, 12, - 12, 0, 12, 8, 12, 12, 0, 12, 12, 12, - 0, 12, 12, 12, 0, 0, 12, 0, 0, 0, - 12, 0, 1, 10, 10, 0, 0, 0, 7, 0 + 14, 15, 28, 19, 18, 20, 12, 3, 4, 4, + 0, 12, 2, 0, 9, 12, 12, 17, 16, 28, + 27, 26, 27, 24, 25, 21, 22, 23, 12, 0, + 12, 12, 12, 0, 12, 8, 12, 12, 0, 12, + 12, 12, 0, 12, 12, 12, 0, 0, 12, 0, + 0, 0, 12, 0, 1, 10, 10, 0, 0, 0, + 7, 0 } ; static yyconst flex_int32_t yy_ec[256] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 2, 3, + 1, 1, 4, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 5, 1, 6, 7, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 4, 1, 5, 6, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 8, 1, 1, 9, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 7, 1, 1, 8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 9, 1, 1, 1, 1, 10, 11, 12, 13, + 1, 10, 1, 1, 1, 1, 11, 12, 13, 14, - 14, 15, 16, 1, 17, 1, 1, 18, 1, 19, - 20, 21, 1, 22, 23, 24, 25, 26, 1, 1, - 1, 1, 1, 1, 27, 1, 1, 1, 1, 1, + 15, 16, 17, 1, 18, 1, 1, 19, 1, 20, + 21, 22, 1, 23, 24, 25, 26, 27, 1, 1, + 1, 1, 1, 1, 28, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, @@ -509,106 +510,110 @@ static yyconst flex_int32_t yy_ec[256] = 1, 1, 1, 1, 1 } ; -static yyconst flex_int32_t yy_meta[28] = +static yyconst flex_int32_t yy_meta[29] = { 0, - 1, 2, 3, 2, 4, 2, 5, 1, 6, 1, + 1, 2, 3, 1, 2, 4, 2, 5, 1, 6, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1 + 1, 1, 1, 1, 1, 1, 1, 1 } ; -static yyconst flex_int16_t yy_base[92] = +static yyconst flex_int16_t yy_base[94] = { 0, - 0, 16, 41, 49, 6, 7, 141, 0, 23, 172, - 172, 0, 172, 134, 120, 30, 20, 120, 0, 172, - 172, 33, 0, 172, 172, 50, 0, 60, 0, 0, - 0, 118, 69, 115, 0, 109, 105, 0, 172, 0, - 172, 172, 172, 172, 172, 172, 76, 71, 16, 69, - 66, 67, 72, 0, 71, 74, 69, 69, 64, 69, - 62, 77, 61, 55, 60, 54, 94, 66, 64, 49, - 100, 46, 172, 172, 74, 24, 16, 5, 172, 172, - 107, 113, 119, 125, 131, 137, 142, 147, 153, 159, - 165 + 0, 17, 43, 52, 7, 26, 102, 0, 9, 189, + 189, 0, 189, 93, 79, 36, 10, 83, 0, 189, + 189, 59, 0, 189, 189, 85, 0, 32, 0, 0, + 0, 83, 65, 80, 0, 74, 70, 0, 189, 0, + 189, 189, 88, 189, 189, 189, 189, 189, 71, 63, + 31, 61, 58, 59, 64, 0, 63, 66, 61, 61, + 56, 60, 53, 64, 41, 10, 40, 32, 109, 66, + 49, 27, 116, 37, 189, 189, 71, 8, 2, 5, + 189, 189, 124, 130, 136, 142, 148, 154, 159, 164, + 170, 176, 182 } ; -static yyconst flex_int16_t yy_def[92] = +static yyconst flex_int16_t yy_def[94] = { 0, - 81, 81, 82, 82, 83, 83, 80, 84, 80, 80, - 80, 85, 80, 84, 84, 80, 84, 84, 86, 80, - 80, 80, 87, 80, 80, 88, 84, 80, 85, 85, - 84, 84, 80, 80, 84, 84, 84, 86, 80, 87, - 80, 80, 80, 80, 80, 80, 84, 80, 84, 84, - 84, 80, 84, 84, 84, 84, 80, 84, 84, 84, - 80, 84, 84, 84, 80, 80, 89, 90, 91, 80, - 89, 91, 80, 80, 90, 80, 80, 80, 80, 0, - 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, - 80 + 83, 83, 84, 84, 85, 85, 82, 86, 82, 82, + 82, 87, 82, 86, 86, 82, 86, 86, 88, 82, + 82, 82, 89, 82, 82, 90, 86, 82, 87, 87, + 86, 86, 82, 82, 86, 86, 86, 88, 82, 89, + 82, 82, 82, 82, 82, 82, 82, 82, 86, 82, + 86, 86, 86, 82, 86, 86, 86, 86, 82, 86, + 86, 86, 82, 86, 86, 86, 82, 82, 91, 92, + 93, 82, 91, 93, 82, 82, 92, 82, 82, 82, + 82, 0, 82, 82, 82, 82, 82, 82, 82, 82, + 82, 82, 82 } ; -static yyconst flex_int16_t yy_nxt[200] = +static yyconst flex_int16_t yy_nxt[218] = { 0, - 80, 9, 10, 9, 11, 12, 13, 14, 24, 24, - 25, 25, 80, 80, 26, 26, 15, 16, 10, 16, - 11, 12, 13, 14, 28, 79, 28, 17, 29, 35, - 53, 33, 15, 33, 54, 29, 39, 39, 39, 36, - 78, 18, 20, 20, 20, 21, 20, 77, 73, 22, - 20, 20, 20, 21, 20, 34, 68, 22, 68, 39, - 42, 28, 76, 28, 43, 29, 73, 75, 44, 75, - 33, 45, 33, 46, 29, 75, 70, 75, 69, 67, - 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, - 56, 55, 52, 51, 34, 72, 73, 72, 72, 72, - - 72, 72, 73, 72, 72, 72, 72, 8, 8, 8, - 8, 8, 8, 19, 19, 19, 19, 19, 19, 23, - 23, 23, 23, 23, 23, 27, 50, 49, 48, 47, - 27, 30, 30, 37, 30, 30, 30, 38, 32, 31, - 80, 38, 40, 40, 80, 80, 40, 41, 41, 41, - 41, 41, 41, 71, 71, 71, 71, 71, 71, 74, - 74, 74, 74, 80, 74, 72, 72, 72, 72, 72, - 72, 7, 80, 80, 80, 80, 80, 80, 80, 80, - 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, - 80, 80, 80, 80, 80, 80, 80, 80, 80 - + 82, 9, 10, 82, 9, 11, 12, 13, 14, 24, + 28, 70, 25, 28, 70, 29, 26, 15, 16, 10, + 35, 16, 11, 12, 13, 14, 81, 80, 24, 17, + 36, 25, 79, 28, 15, 26, 28, 33, 29, 75, + 33, 78, 29, 18, 20, 20, 55, 20, 21, 20, + 56, 75, 22, 20, 20, 72, 20, 21, 20, 71, + 69, 22, 34, 39, 39, 39, 33, 77, 68, 33, + 77, 29, 77, 67, 66, 77, 65, 64, 63, 62, + 61, 60, 59, 58, 57, 54, 39, 42, 43, 53, + 42, 34, 52, 51, 50, 49, 44, 37, 32, 31, + + 45, 82, 82, 82, 46, 82, 82, 47, 82, 48, + 74, 75, 82, 74, 74, 74, 74, 74, 75, 82, + 74, 74, 74, 74, 8, 8, 8, 8, 8, 8, + 19, 19, 19, 19, 19, 19, 23, 23, 23, 23, + 23, 23, 27, 82, 82, 82, 82, 27, 30, 30, + 82, 30, 30, 30, 38, 82, 82, 82, 38, 40, + 40, 82, 82, 40, 41, 41, 41, 41, 41, 41, + 73, 73, 73, 73, 73, 73, 76, 76, 76, 76, + 82, 76, 74, 74, 74, 74, 74, 74, 7, 82, + 82, 82, 82, 82, 82, 82, 82, 82, 82, 82, + + 82, 82, 82, 82, 82, 82, 82, 82, 82, 82, + 82, 82, 82, 82, 82, 82, 82 } ; -static yyconst flex_int16_t yy_chk[200] = +static yyconst flex_int16_t yy_chk[218] = { 0, - 0, 1, 1, 1, 1, 1, 1, 1, 5, 6, - 5, 6, 0, 0, 5, 6, 1, 2, 2, 2, - 2, 2, 2, 2, 9, 78, 9, 2, 9, 17, - 49, 16, 2, 16, 49, 16, 22, 22, 22, 17, - 77, 2, 3, 3, 3, 3, 3, 76, 72, 3, - 4, 4, 4, 4, 4, 16, 64, 4, 64, 22, - 26, 28, 70, 28, 26, 28, 69, 68, 26, 68, - 33, 26, 33, 26, 33, 75, 66, 75, 65, 63, - 62, 61, 60, 59, 58, 57, 56, 55, 53, 52, - 51, 50, 48, 47, 33, 67, 67, 67, 67, 67, - - 67, 71, 71, 71, 71, 71, 71, 81, 81, 81, - 81, 81, 81, 82, 82, 82, 82, 82, 82, 83, - 83, 83, 83, 83, 83, 84, 37, 36, 34, 32, - 84, 85, 85, 18, 85, 85, 85, 86, 15, 14, - 7, 86, 87, 87, 0, 0, 87, 88, 88, 88, - 88, 88, 88, 89, 89, 89, 89, 89, 89, 90, - 90, 90, 90, 0, 90, 91, 91, 91, 91, 91, - 91, 80, 80, 80, 80, 80, 80, 80, 80, 80, - 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, - 80, 80, 80, 80, 80, 80, 80, 80, 80 - + 0, 1, 1, 0, 1, 1, 1, 1, 1, 5, + 9, 66, 5, 9, 66, 9, 5, 1, 2, 2, + 17, 2, 2, 2, 2, 2, 80, 79, 6, 2, + 17, 6, 78, 28, 2, 6, 28, 16, 28, 74, + 16, 72, 16, 2, 3, 3, 51, 3, 3, 3, + 51, 71, 3, 4, 4, 68, 4, 4, 4, 67, + 65, 4, 16, 22, 22, 22, 33, 70, 64, 33, + 70, 33, 77, 63, 62, 77, 61, 60, 59, 58, + 57, 55, 54, 53, 52, 50, 22, 26, 26, 49, + 43, 33, 37, 36, 34, 32, 26, 18, 15, 14, + + 26, 7, 0, 0, 26, 0, 0, 26, 0, 26, + 69, 69, 0, 69, 69, 69, 69, 73, 73, 0, + 73, 73, 73, 73, 83, 83, 83, 83, 83, 83, + 84, 84, 84, 84, 84, 84, 85, 85, 85, 85, + 85, 85, 86, 0, 0, 0, 0, 86, 87, 87, + 0, 87, 87, 87, 88, 0, 0, 0, 88, 89, + 89, 0, 0, 89, 90, 90, 90, 90, 90, 90, + 91, 91, 91, 91, 91, 91, 92, 92, 92, 92, + 0, 92, 93, 93, 93, 93, 93, 93, 82, 82, + 82, 82, 82, 82, 82, 82, 82, 82, 82, 82, + + 82, 82, 82, 82, 82, 82, 82, 82, 82, 82, + 82, 82, 82, 82, 82, 82, 82 } ; /* Table of booleans, true if rule could match eol. */ -static yyconst flex_int32_t yy_rule_can_match_eol[29] = +static yyconst flex_int32_t yy_rule_can_match_eol[30] = { 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, - 1, 0, 0, 0, 0, 0, 1, 0, 0, }; + 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, }; -static yyconst flex_int16_t yy_rule_linenum[28] = +static yyconst flex_int16_t yy_rule_linenum[29] = { 0, 60, 61, 62, 63, 65, 67, 68, 69, 70, 72, 77, 82, 90, 109, 112, 115, 118, 124, 126, 127, - 150, 151, 152, 153, 154, 155, 158 + 150, 151, 152, 153, 154, 155, 156, 157 } ; /* The intent behind this definition is that it'll catch @@ -657,7 +662,7 @@ static void include_files(parser_helper_t *ctx); /* state used to scan quoted strings */ -#line 661 "parser/lexer.c" +#line 666 "parser/lexer.c" #define INITIAL 0 #define inc 1 @@ -972,7 +977,7 @@ YY_DECL #line 58 "parser/lexer.l" -#line 976 "parser/lexer.c" +#line 981 "parser/lexer.c" yylval = yylval_param; @@ -1038,13 +1043,13 @@ yy_match: while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 81 ) + if ( yy_current_state >= 83 ) yy_c = yy_meta[(unsigned int) yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; ++yy_cp; } - while ( yy_base[yy_current_state] != 172 ); + while ( yy_base[yy_current_state] != 189 ); yy_find_action: /* %% [10.0] code to find the action number goes here */ @@ -1079,13 +1084,13 @@ do_action: /* This label is used only to access EOF actions. */ { if ( yy_act == 0 ) fprintf( stderr, "--scanner backing up\n" ); - else if ( yy_act < 28 ) + else if ( yy_act < 29 ) fprintf( stderr, "--accepting rule at line %ld (\"%s\")\n", (long)yy_rule_linenum[yy_act], yytext ); - else if ( yy_act == 28 ) + else if ( yy_act == 29 ) fprintf( stderr, "--accepting default rule (\"%s\")\n", yytext ); - else if ( yy_act == 29 ) + else if ( yy_act == 30 ) fprintf( stderr, "--(end of buffer or a NUL)\n" ); else fprintf( stderr, "--EOF (start condition %d)\n", YY_START ); @@ -1300,20 +1305,23 @@ case 26: /* rule 26 can match eol */ YY_RULE_SETUP #line 155 "parser/lexer.l" -{ - yyextra->string_add(yyextra, yytext+1); - } +/* merge lines that end with EOL characters */ YY_BREAK case 27: YY_RULE_SETUP -#line 158 "parser/lexer.l" +#line 156 "parser/lexer.l" +yyextra->string_add(yyextra, yytext+1); + YY_BREAK +case 28: +YY_RULE_SETUP +#line 157 "parser/lexer.l" { yyextra->string_add(yyextra, yytext); } YY_BREAK case YY_STATE_EOF(INITIAL): -#line 163 "parser/lexer.l" +#line 162 "parser/lexer.l" { conf_parser_pop_buffer_state(yyscanner); if (!conf_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER) @@ -1322,12 +1330,12 @@ case YY_STATE_EOF(INITIAL): } } YY_BREAK -case 28: +case 29: YY_RULE_SETUP -#line 171 "parser/lexer.l" +#line 170 "parser/lexer.l" YY_FATAL_ERROR( "flex scanner jammed" ); YY_BREAK -#line 1331 "parser/lexer.c" +#line 1339 "parser/lexer.c" case YY_END_OF_BUFFER: { @@ -1641,7 +1649,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 81 ) + if ( yy_current_state >= 83 ) yy_c = yy_meta[(unsigned int) yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; @@ -1675,11 +1683,11 @@ static int yy_get_next_buffer (yyscan_t yyscanner) while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 81 ) + if ( yy_current_state >= 83 ) yy_c = yy_meta[(unsigned int) yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; - yy_is_jam = (yy_current_state == 80); + yy_is_jam = (yy_current_state == 82); return yy_is_jam ? 0 : yy_current_state; } @@ -2697,7 +2705,7 @@ void conf_parser_free (void * ptr , yyscan_t yyscanner) /* %ok-for-header */ -#line 171 "parser/lexer.l" +#line 170 "parser/lexer.l" diff --git a/src/starter/parser/lexer.l b/src/starter/parser/lexer.l index a88cbe809..d967e745b 100644 --- a/src/starter/parser/lexer.l +++ b/src/starter/parser/lexer.l @@ -152,9 +152,8 @@ static void include_files(parser_helper_t *ctx); \\t yyextra->string_add(yyextra, "\t"); \\b yyextra->string_add(yyextra, "\b"); \\f yyextra->string_add(yyextra, "\f"); - \\(.|\n) { - yyextra->string_add(yyextra, yytext+1); - } + \\\r?\n /* merge lines that end with EOL characters */ + \\. yyextra->string_add(yyextra, yytext+1); [^\\\n"]+ { yyextra->string_add(yyextra, yytext); } diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index 1e305db8b..6e1f1605d 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -35,10 +35,16 @@ static char* push_string(stroke_msg_t *msg, char *string) { unsigned long string_start = msg->length; - if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t)) + if (string == NULL) { return NULL; } + else if ((size_t)msg->length + strlen(string) >= sizeof(stroke_msg_t)) + { + /* set invalid length to fail during message send */ + msg->length = ~0; + return NULL; + } else { msg->length += strlen(string) + 1; @@ -53,6 +59,12 @@ static int send_stroke_msg (stroke_msg_t *msg) char *uri, buffer[64]; int count; + if (msg->length > sizeof(stroke_msg_t)) + { + DBG1(DBG_APP, "stroke message exceeds buffer size"); + return -1; + } + /* starter is not called from commandline, and therefore absolutely silent */ msg->output_verbosity = -1; diff --git a/src/starter/tests/Makefile.in b/src/starter/tests/Makefile.in index d42a0d286..b26125501 100644 --- a/src/starter/tests/Makefile.in +++ b/src/starter/tests/Makefile.in @@ -223,6 +223,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -283,10 +284,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -360,6 +363,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index 9c041dfbf..c32ebf905 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in @@ -197,6 +197,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -257,10 +258,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -334,6 +337,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index 60886cf7f..c2b923f6d 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -32,7 +32,7 @@ */ #define STROKE_SOCKET IPSEC_PIDDIR "/charon.ctl" -#define STROKE_BUF_LEN 2048 +#define STROKE_BUF_LEN 4096 typedef enum list_flag_t list_flag_t; diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am index b84d70587..f4f9fdf7e 100644 --- a/src/swanctl/Makefile.am +++ b/src/swanctl/Makefile.am @@ -65,4 +65,5 @@ install-data-local: swanctl.conf test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true + test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in index 649e6d8ae..f981bb1f3 100644 --- a/src/swanctl/Makefile.in +++ b/src/swanctl/Makefile.in @@ -238,6 +238,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -298,10 +299,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -375,6 +378,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -991,6 +996,7 @@ install-data-local: swanctl.conf test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true + test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/src/swanctl/commands/list_conns.c b/src/swanctl/commands/list_conns.c index 31ab9c40a..019c88888 100644 --- a/src/swanctl/commands/list_conns.c +++ b/src/swanctl/commands/list_conns.c @@ -103,7 +103,7 @@ CALLBACK(conn_sn, int, { return vici_parse_cb(res, children_sn, NULL, NULL, NULL); } - if (streq(name, "local") || streq(name, "remote")) + if (strpfx(name, "local") || strpfx(name, "remote")) { hashtable_t *auth; @@ -112,7 +112,8 @@ CALLBACK(conn_sn, int, if (ret == 0) { printf(" %s %s authentication:\n", - name, auth->get(auth, "class") ?: "unspecified"); + strpfx(name, "local") ? "local" : "remote", + auth->get(auth, "class") ?: "unspecified"); if (auth->get(auth, "id")) { printf(" id: %s\n", auth->get(auth, "id")); diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c index 35e7469a9..81e1b7cca 100644 --- a/src/swanctl/commands/list_sas.c +++ b/src/swanctl/commands/list_sas.c @@ -86,8 +86,8 @@ CALLBACK(child_sas, int, ret = vici_parse_cb(res, NULL, sa_values, sa_list, child); if (ret == 0) { - printf(" %s: #%s, %s, %s%s, %s:", - name, child->get(child, "reqid"), + printf(" %s: #%s, reqid %s, %s, %s%s, %s:", + name, child->get(child, "uniqueid"), child->get(child, "reqid"), child->get(child, "state"), child->get(child, "mode"), child->get(child, "encap") ? "-in-UDP" : "", child->get(child, "protocol")); @@ -122,7 +122,7 @@ CALLBACK(child_sas, int, } if (child->get(child, "esn")) { - printf("/%s", child->get(child, "esn")); + printf("/ESN"); } printf("\n"); diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c index de30d8eb4..6ee8b8785 100644 --- a/src/swanctl/commands/load_conns.c +++ b/src/swanctl/commands/load_conns.c @@ -93,11 +93,12 @@ static void add_list_key(vici_req_t *req, char *key, char *value) /** * Add a vici list of blobs from a comma separated file list */ -static void add_file_list_key(vici_req_t *req, char *key, char *value) +static bool add_file_list_key(vici_req_t *req, char *key, char *value) { enumerator_t *enumerator; chunk_t *map; char *token, buf[PATH_MAX]; + bool ret = TRUE; vici_begin_list(req, key); enumerator = enumerator_create_token(value, ",", " "); @@ -127,21 +128,26 @@ static void add_file_list_key(vici_req_t *req, char *key, char *value) } else { - fprintf(stderr, "loading certificate '%s' failed: %s\n", - token, strerror(errno)); + fprintf(stderr, "loading %s certificate '%s' failed: %s\n", + key, token, strerror(errno)); + ret = FALSE; + break; } } enumerator->destroy(enumerator); vici_end_list(req); + + return ret; } /** * Translate setting key/values from a section into vici key-values/lists */ -static void add_key_values(vici_req_t *req, settings_t *cfg, char *section) +static bool add_key_values(vici_req_t *req, settings_t *cfg, char *section) { enumerator_t *enumerator; char *key, *value; + bool ret = TRUE; enumerator = cfg->create_key_value_enumerator(cfg, section); while (enumerator->enumerate(enumerator, &key, &value)) @@ -152,34 +158,51 @@ static void add_key_values(vici_req_t *req, settings_t *cfg, char *section) } else if (is_file_list_key(key)) { - add_file_list_key(req, key, value); + ret = add_file_list_key(req, key, value); } else { vici_add_key_valuef(req, key, "%s", value); } + if (!ret) + { + break; + } } enumerator->destroy(enumerator); + + return ret; } /** * Translate a settings section to a vici section */ -static void add_sections(vici_req_t *req, settings_t *cfg, char *section) +static bool add_sections(vici_req_t *req, settings_t *cfg, char *section) { enumerator_t *enumerator; char *name, buf[256]; + bool ret = TRUE; enumerator = cfg->create_section_enumerator(cfg, section); while (enumerator->enumerate(enumerator, &name)) { vici_begin_section(req, name); snprintf(buf, sizeof(buf), "%s.%s", section, name); - add_key_values(req, cfg, buf); - add_sections(req, cfg, buf); + ret = add_key_values(req, cfg, buf); + if (!ret) + { + break; + } + ret = add_sections(req, cfg, buf); + if (!ret) + { + break; + } vici_end_section(req); } enumerator->destroy(enumerator); + + return ret; } /** @@ -198,8 +221,12 @@ static bool load_conn(vici_conn_t *conn, settings_t *cfg, req = vici_begin("load-conn"); vici_begin_section(req, section); - add_key_values(req, cfg, buf); - add_sections(req, cfg, buf); + if (!add_key_values(req, cfg, buf) || + !add_sections(req, cfg, buf)) + { + vici_free_req(req); + return FALSE; + } vici_end_section(req); res = vici_submit(req, conn); diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c index 86ee3c179..d2ebc22eb 100644 --- a/src/swanctl/commands/load_creds.c +++ b/src/swanctl/commands/load_creds.c @@ -25,6 +25,7 @@ #include #include +#include /** * Load a single certificate over vici @@ -60,7 +61,7 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format, } else { - printf("loaded %s certificate '%s'\n", type, dir); + printf("loaded %s certificate from '%s'\n", type, dir); } vici_free_res(res); return ret; @@ -113,7 +114,14 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format, req = vici_begin("load-key"); - vici_add_key_valuef(req, "type", "%s", type); + if (streq(type, "pkcs8")) + { /* as used by vici */ + vici_add_key_valuef(req, "type", "any"); + } + else + { + vici_add_key_valuef(req, "type", "%s", type); + } vici_add_key_value(req, "data", data.ptr, data.len); res = vici_submit(req, conn); @@ -135,20 +143,59 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format, } else { - printf("loaded %s key '%s'\n", type, dir); + printf("loaded %s key from '%s'\n", type, dir); } vici_free_res(res); return ret; } +/** + * Load a private key of any type to vici + */ +static bool load_key_anytype(vici_conn_t *conn, command_format_options_t format, + char *path, private_key_t *private) +{ + bool loaded = FALSE; + chunk_t encoding; + + if (!private->get_encoding(private, PRIVKEY_ASN1_DER, &encoding)) + { + fprintf(stderr, "encoding private key from '%s' failed\n", path); + return FALSE; + } + switch (private->get_type(private)) + { + case KEY_RSA: + loaded = load_key(conn, format, path, "rsa", encoding); + break; + case KEY_ECDSA: + loaded = load_key(conn, format, path, "ecdsa", encoding); + break; + default: + fprintf(stderr, "unsupported key type in '%s'\n", path); + break; + } + chunk_clear(&encoding); + return loaded; +} + +/** + * Data passed to password callback + */ +typedef struct { + char prompt[128]; + mem_cred_t *cache; +} cb_data_t; + /** * Callback function to prompt for private key passwords */ CALLBACK(password_cb, shared_key_t*, - char *prompt, shared_key_type_t type, + cb_data_t *data, shared_key_type_t type, identification_t *me, identification_t *other, id_match_t *match_me, id_match_t *match_other) { + shared_key_t *shared; char *pwd = NULL; if (type != SHARED_PRIVATE_KEY_PASS) @@ -156,7 +203,7 @@ CALLBACK(password_cb, shared_key_t*, return NULL; } #ifdef HAVE_GETPASS - pwd = getpass(prompt); + pwd = getpass(data->prompt); #endif if (!pwd || strlen(pwd) == 0) { @@ -170,65 +217,94 @@ CALLBACK(password_cb, shared_key_t*, { *match_other = ID_MATCH_PERFECT; } - return shared_key_create(type, chunk_clone(chunk_from_str(pwd))); + shared = shared_key_create(type, chunk_clone(chunk_from_str(pwd))); + /* cache secret if it is required more than once (PKCS#12) */ + data->cache->add_shared(data->cache, shared, NULL); + return shared->get_ref(shared); } /** - * Try to parse a potentially encrypted private key using password prompt + * Determine credential type and subtype from a type string */ -static private_key_t* decrypt_key(char *name, char *type, chunk_t encoding) +static bool determine_credtype(char *type, credential_type_t *credtype, + int *subtype) { - key_type_t kt = KEY_ANY; - private_key_t *private; - callback_cred_t *cb; - char buf[128]; + struct { + char *type; + credential_type_t credtype; + int subtype; + } map[] = { + { "pkcs8", CRED_PRIVATE_KEY, KEY_ANY, }, + { "rsa", CRED_PRIVATE_KEY, KEY_RSA, }, + { "ecdsa", CRED_PRIVATE_KEY, KEY_ECDSA, }, + { "pkcs12", CRED_CONTAINER, CONTAINER_PKCS12, }, + }; + int i; - if (streq(type, "rsa")) + for (i = 0; i < countof(map); i++) { - kt = KEY_RSA; + if (streq(map[i].type, type)) + { + *credtype = map[i].credtype; + *subtype = map[i].subtype; + return TRUE; + } } - else if (streq(type, "ecdsa")) + return FALSE; +} + +/** + * Try to parse a potentially encrypted credential using password prompt + */ +static void* decrypt(char *name, char *type, chunk_t encoding) +{ + credential_type_t credtype; + int subtype; + void *cred; + callback_cred_t *cb; + cb_data_t data; + + if (!determine_credtype(type, &credtype, &subtype)) { - kt = KEY_ECDSA; + return NULL; } - snprintf(buf, sizeof(buf), "Password for '%s': ", name); + snprintf(data.prompt, sizeof(data.prompt), "Password for %s file '%s': ", + type, name); - cb = callback_cred_create_shared(password_cb, buf); + data.cache = mem_cred_create(); + lib->credmgr->add_set(lib->credmgr, &data.cache->set); + cb = callback_cred_create_shared(password_cb, &data); lib->credmgr->add_set(lib->credmgr, &cb->set); - private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, kt, - BUILD_BLOB_PEM, encoding, BUILD_END); + cred = lib->creds->create(lib->creds, credtype, subtype, + BUILD_BLOB_PEM, encoding, BUILD_END); + lib->credmgr->remove_set(lib->credmgr, &data.cache->set); + data.cache->destroy(data.cache); lib->credmgr->remove_set(lib->credmgr, &cb->set); cb->destroy(cb); - return private; + return cred; } /** - * Try to parse a potentially encrypted private key using configured secret + * Try to parse a potentially encrypted credential using configured secret */ -static private_key_t* decrypt_key_with_config(settings_t *cfg, char *name, - char *type, chunk_t encoding) -{ key_type_t kt = KEY_ANY; +static void* decrypt_with_config(settings_t *cfg, char *name, char *type, + chunk_t encoding) +{ + credential_type_t credtype; + int subtype; enumerator_t *enumerator, *secrets; char *section, *key, *value, *file, buf[128]; shared_key_t *shared; - private_key_t *private = NULL; + void *cred = NULL; mem_cred_t *mem = NULL; - if (streq(type, "rsa")) - { - kt = KEY_RSA; - } - else if (streq(type, "ecdsa")) - { - kt = KEY_ECDSA; - } - else + if (!determine_credtype(type, &credtype, &subtype)) { - type = "pkcs8"; + return NULL; } /* load all secrets for this key type */ @@ -265,12 +341,12 @@ static private_key_t* decrypt_key_with_config(settings_t *cfg, char *name, { lib->credmgr->add_local_set(lib->credmgr, &mem->set, FALSE); - private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, kt, - BUILD_BLOB_PEM, encoding, BUILD_END); + cred = lib->creds->create(lib->creds, credtype, subtype, + BUILD_BLOB_PEM, encoding, BUILD_END); lib->credmgr->remove_local_set(lib->credmgr, &mem->set); - if (!private) + if (!cred) { fprintf(stderr, "configured decryption secret for '%s' invalid\n", name); @@ -279,7 +355,7 @@ static private_key_t* decrypt_key_with_config(settings_t *cfg, char *name, mem->destroy(mem); } - return private; + return cred; } /** @@ -292,30 +368,15 @@ static bool load_encrypted_key(vici_conn_t *conn, { private_key_t *private; bool loaded = FALSE; - chunk_t encoding; - private = decrypt_key_with_config(cfg, rel, type, data); + private = decrypt_with_config(cfg, rel, type, data); if (!private && !noprompt) { - private = decrypt_key(rel, type, data); + private = decrypt(rel, type, data); } if (private) { - if (private->get_encoding(private, PRIVKEY_ASN1_DER, &encoding)) - { - switch (private->get_type(private)) - { - case KEY_RSA: - loaded = load_key(conn, format, path, "rsa", encoding); - break; - case KEY_ECDSA: - loaded = load_key(conn, format, path, "ecdsa", encoding); - break; - default: - break; - } - chunk_clear(&encoding); - } + loaded = load_key_anytype(conn, format, path, private); private->destroy(private); } return loaded; @@ -360,6 +421,114 @@ static void load_keys(vici_conn_t *conn, command_format_options_t format, } } +/** + * Load credentials from a PKCS#12 container over vici + */ +static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format, + char *path, pkcs12_t *p12) +{ + enumerator_t *enumerator; + certificate_t *cert; + private_key_t *private; + chunk_t encoding; + bool loaded = TRUE; + + enumerator = p12->create_cert_enumerator(p12); + while (loaded && enumerator->enumerate(enumerator, &cert)) + { + loaded = FALSE; + if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding)) + { + loaded = load_cert(conn, format, path, "x509", encoding); + if (loaded) + { + fprintf(stderr, " %Y\n", cert->get_subject(cert)); + } + free(encoding.ptr); + } + else + { + fprintf(stderr, "encoding certificate from '%s' failed\n", path); + } + } + enumerator->destroy(enumerator); + + enumerator = p12->create_key_enumerator(p12); + while (loaded && enumerator->enumerate(enumerator, &private)) + { + loaded = load_key_anytype(conn, format, path, private); + } + enumerator->destroy(enumerator); + + return loaded; +} + +/** + * Try to decrypt and load credentials from a container + */ +static bool load_encrypted_container(vici_conn_t *conn, + command_format_options_t format, settings_t *cfg, char *rel, + char *path, char *type, bool noprompt, chunk_t data) +{ + container_t *container; + bool loaded = FALSE; + + container = decrypt_with_config(cfg, rel, type, data); + if (!container && !noprompt) + { + container = decrypt(rel, type, data); + } + if (container) + { + switch (container->get_type(container)) + { + case CONTAINER_PKCS12: + loaded = load_pkcs12(conn, format, path, (pkcs12_t*)container); + break; + default: + break; + } + container->destroy(container); + } + return loaded; +} + +/** + * Load credential containers from a directory + */ +static void load_containers(vici_conn_t *conn, command_format_options_t format, + bool noprompt, settings_t *cfg, char *type, char *dir) +{ + enumerator_t *enumerator; + struct stat st; + chunk_t *map; + char *path, *rel; + + enumerator = enumerator_create_directory(dir); + if (enumerator) + { + while (enumerator->enumerate(enumerator, &rel, &path, &st)) + { + if (S_ISREG(st.st_mode)) + { + map = chunk_map(path, FALSE); + if (map) + { + load_encrypted_container(conn, format, cfg, rel, path, + type, noprompt, *map); + chunk_unmap(map); + } + else + { + fprintf(stderr, "mapping '%s' failed: %s, skipped\n", + path, strerror(errno)); + } + } + } + enumerator->destroy(enumerator); + } +} + /** * Load a single secret over VICI */ @@ -380,6 +549,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg, "rsa", "ecdsa", "pkcs8", + "pkcs12", }; for (i = 0; i < countof(types); i++) @@ -510,7 +680,9 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format, load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR); load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR); - load_keys(conn, format, noprompt, cfg, "any", SWANCTL_PKCS8DIR); + load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR); + + load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR); enumerator = cfg->create_section_enumerator(cfg, "secrets"); while (enumerator->enumerate(enumerator, §ion)) diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf index 0808cf58b..faafecc44 100644 --- a/src/swanctl/swanctl.conf +++ b/src/swanctl/swanctl.conf @@ -286,6 +286,18 @@ # } + # PKCS#12 decryption passphrase for a container in the pkcs12 folder. + # pkcs12 { + + # File name in the pkcs12 folder for which this passphrase should be + # used. + # file = + + # Value of decryption passphrase for PKCS#12 container. + # secret = + + # } + # } # Section defining named pools. @@ -294,7 +306,7 @@ # Section defining a single pool with a unique name. # { - # Subnet defining addresses allocated in pool. + # Addresses allocated in pool. # addrs = # Comma separated list of additional attributes from type . diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main index 8943b62db..a770b28b1 100644 --- a/src/swanctl/swanctl.conf.5.main +++ b/src/swanctl/swanctl.conf.5.main @@ -251,7 +251,12 @@ performs a reauthentication procedure instead. With the default value IKE rekeying is scheduled every 4 hours, minus the configured .RB "" "rand_time" "." - +If a +.RB "" "reauth_time" "" +is configured, +.RB "" "rekey_time" "" +defaults to zero disabling rekeying; explicitly set both to enforce rekeying and +reauthentication. .TP .BR connections..over_time " [10% of rekey_time/reauth_time]" @@ -363,6 +368,37 @@ IKE identity to use for authentication round. When using certificate authentication, the IKE identity must be contained in the certificate, either as subject or as subjectAltName. +The identity can be an IP address, a fully\-qualified domain name, an email +address or a Distinguished Name for which the ID type is determined +automatically and the string is converted to the appropriate encoding. To +enforce a specific identity type, a prefix may be used, followed by a colon (:). +If the number sign (#) follows the colon, the remaining data is interpreted as +hex encoding, otherwise the string is used as\-is as the identification data. +Note that this implies that no conversion is performed for non\-string +identities. For example, +.RI "" "ipv4:10.0.0.1" "" +does not create a valid ID_IPV4_ADDR +IKE identity, as it does not get converted to binary 0x0a000001. Instead, one +could use +.RI "" "ipv4:#0a000001" "" +to get a valid identity, but just using the implicit +type with automatic conversion is usually simpler. The same applies to the ASN1 +encoded types. The following prefixes are known: +.RI "" "ipv4" "," +.RI "" "ipv6" "," +.RI "" "rfc822" "," +.RI "" "email" "," +.RI "" "userfqdn" "," +.RI "" "fqdn" "," +.RI "" "dns" "," +.RI "" "asn1dn" "," +.RI "" "asn1gn" "" +and +.RI "" "keyid" "." +Custom type +prefixes may be specified by surrounding the numerical type value by curly +brackets. + .TP .BR connections..local.eap_id " [id]" Client EAP\-Identity to use in EAP\-Identity exchange and the EAP method. @@ -397,9 +433,10 @@ omitted. .TP .BR connections..remote.id " [%any]" -IKE identity to expect for authentication round. When using certificate -authentication, the IKE identity must be contained in the certificate, either as -subject or as subjectAltName. +IKE identity to expect for authentication round. Refer to the +.RI "" "local" "" +.RI "" "id" "" +section for details. .TP .BR connections..remote.groups " []" @@ -725,9 +762,11 @@ uses dynamic reqids, allocated incrementally. .TP .BR connections..children..mark_in " [0/0x00000000]" -Netfilter mark and mask for input traffic. On Linux Netfilter may apply marks to -each packet coming from a tunnel having that option set. The mark may then be -used by Netfilter to match rules. +Netfilter mark and mask for input traffic. On Linux Netfilter may require marks +on each packet to match an SA having that option set. This allows Netfilter +rules to select specific tunnels for incoming traffic. The special value +.RI "" "%unique" "" +sets a unique mark on each CHILD_SA instance. An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. @@ -736,7 +775,9 @@ mask if omitted is 0xffffffff. .BR connections..children..mark_out " [0/0x00000000]" Netfilter mark and mask for output traffic. On Linux Netfilter may require marks on each packet to match a policy having that option set. This allows Netfilter -rules to select specific tunnels for outgoing traffic. +rules to select specific tunnels for outgoing traffic. The special value +.RI "" "%unique" "" +sets a unique mark on each CHILD_SA instance. An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. @@ -924,6 +965,23 @@ folder for which this passphrase should be used. .BR secrets.pkcs8.secret " []" Value of decryption passphrase for PKCS#8 key. +.TP +.B secrets.pkcs12 +.br +PKCS#12 decryption passphrase for a container in the +.RI "" "pkcs12" "" +folder. + +.TP +.BR secrets.pkcs12.file " []" +File name in the +.RI "" "pkcs12" "" +folder for which this passphrase should be used. + +.TP +.BR secrets.pkcs12.secret " []" +Value of decryption passphrase for PKCS#12 container. + .TP .B pools .br @@ -939,9 +997,9 @@ Section defining a single pool with a unique name. .TP .BR pools..addrs " []" -Subnet defining addresses allocated in pool. Accepts a single CIDR subnet -defining the pool to allocate addresses from. Pools must be unique and -non\-overlapping. +Subnet or range defining addresses allocated in pool. Accepts a single CIDR +subnet defining the pool to allocate addresses from, or an address range +(\-). Pools must be unique and non\-overlapping. .TP .BR pools.. " []" diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h index bd7e00378..cb570cd34 100644 --- a/src/swanctl/swanctl.h +++ b/src/swanctl/swanctl.h @@ -66,4 +66,9 @@ */ #define SWANCTL_PKCS8DIR SWANCTLDIR "/pkcs8" +/** + * Directory for PKCS#12 containers + */ +#define SWANCTL_PKCS12DIR SWANCTLDIR "/pkcs12" + #endif /** SWANCTL_H_ @}*/ diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index f1e47a9e4..b6ef17546 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -220,7 +220,9 @@ connections..rekey_time = 4h IKEv1 performs a reauthentication procedure instead. With the default value IKE rekeying is scheduled every 4 hours, minus the - configured **rand_time**. + configured **rand_time**. If a **reauth_time** is configured, **rekey_time** + defaults to zero disabling rekeying; explicitly set both to enforce + rekeying and reauthentication. connections..over_time = 10% of rekey_time/reauth_time Hard IKE_SA lifetime if rekey/reauth does not complete, as time. @@ -303,6 +305,22 @@ connections..local.id = authentication, the IKE identity must be contained in the certificate, either as subject or as subjectAltName. + The identity can be an IP address, a fully-qualified domain name, an email + address or a Distinguished Name for which the ID type is determined + automatically and the string is converted to the appropriate encoding. To + enforce a specific identity type, a prefix may be used, followed by a colon + (:). If the number sign (#) follows the colon, the remaining data is + interpreted as hex encoding, otherwise the string is used as-is as the + identification data. Note that this implies that no conversion is performed + for non-string identities. For example, _ipv4:10.0.0.1_ does not create a + valid ID_IPV4_ADDR IKE identity, as it does not get converted to binary + 0x0a000001. Instead, one could use _ipv4:#0a000001_ to get a valid identity, + but just using the implicit type with automatic conversion is usually + simpler. The same applies to the ASN1 encoded types. The following prefixes + are known: _ipv4_, _ipv6_, _rfc822_, _email_, _userfqdn_, _fqdn_, _dns_, + _asn1dn_, _asn1gn_ and _keyid_. Custom type prefixes may be specified by + surrounding the numerical type value by curly brackets. + connections..local.eap_id = id Client EAP-Identity to use in EAP-Identity exchange and the EAP method. @@ -335,9 +353,8 @@ connections..remote {} connections..remote.id = %any IKE identity to expect for authentication round. - IKE identity to expect for authentication round. When using certificate - authentication, the IKE identity must be contained in the certificate, - either as subject or as subjectAltName. + IKE identity to expect for authentication round. Refer to the _local_ _id_ + section for details. connections..remote.groups = Authorization group memberships to require. @@ -607,9 +624,10 @@ connections..children..reqid = 0 connections..children..mark_in = 0/0x00000000 Netfilter mark and mask for input traffic. - Netfilter mark and mask for input traffic. On Linux Netfilter may apply - marks to each packet coming from a tunnel having that option set. The - mark may then be used by Netfilter to match rules. + Netfilter mark and mask for input traffic. On Linux Netfilter may require + marks on each packet to match an SA having that option set. This allows + Netfilter rules to select specific tunnels for incoming traffic. The + special value _%unique_ sets a unique mark on each CHILD_SA instance. An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. @@ -619,7 +637,8 @@ connections..children..mark_out = 0/0x00000000 Netfilter mark and mask for output traffic. On Linux Netfilter may require marks on each packet to match a policy having that option set. This allows - Netfilter rules to select specific tunnels for outgoing traffic. + Netfilter rules to select specific tunnels for outgoing traffic. The + special value _%unique_ sets a unique mark on each CHILD_SA instance. An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. @@ -756,6 +775,15 @@ secrets.pkcs8.file = secrets.pkcs8.secret Value of decryption passphrase for PKCS#8 key. +secrets.pkcs12 { # } + PKCS#12 decryption passphrase for a container in the _pkcs12_ folder. + +secrets.pkcs12.file = + File name in the _pkcs12_ folder for which this passphrase should be used. + +secrets.pkcs12.secret + Value of decryption passphrase for PKCS#12 container. + pools { # } Section defining named pools. @@ -767,11 +795,11 @@ pools. { # } Section defining a single pool with a unique name. pools..addrs = - Subnet defining addresses allocated in pool. + Addresses allocated in pool. - Subnet defining addresses allocated in pool. Accepts a single CIDR subnet - defining the pool to allocate addresses from. Pools must be unique and - non-overlapping. + Subnet or range defining addresses allocated in pool. Accepts a single CIDR + subnet defining the pool to allocate addresses from, or an address range + (-). Pools must be unique and non-overlapping. pools.. = Comma separated list of additional attributes from type . diff --git a/testing/Makefile.in b/testing/Makefile.in index c151a87d3..b66c2be76 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -142,6 +142,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -202,10 +203,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -279,6 +282,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/testing/config/kernel/config-3.18 b/testing/config/kernel/config-3.18 new file mode 100644 index 000000000..345d4f52f --- /dev/null +++ b/testing/config/kernel/config-3.18 @@ -0,0 +1,2165 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 3.18.0 Kernel Configuration +# +CONFIG_64BIT=y +CONFIG_X86_64=y +CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_HAVE_LATENCYTOP_SUPPORT=y +CONFIG_MMU=y +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_GENERIC_HWEIGHT=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_RWSEM_XCHGADD_ALGORITHM=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ZONE_DMA32=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11" +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_EXTABLE_SORT=y + +# +# General setup +# +CONFIG_BROKEN_ON_SMP=y +CONFIG_INIT_ENV_ARG_LIMIT=32 +CONFIG_CROSS_COMPILE="" +# CONFIG_COMPILE_TEST is not set +CONFIG_LOCALVERSION="" +CONFIG_LOCALVERSION_AUTO=y +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +# CONFIG_KERNEL_XZ is not set +# CONFIG_KERNEL_LZO is not set +# CONFIG_KERNEL_LZ4 is not set +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SWAP=y +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +CONFIG_CROSS_MEMORY_ATTACH=y +# CONFIG_FHANDLE is not set +CONFIG_USELIB=y +# CONFIG_AUDIT is not set +CONFIG_HAVE_ARCH_AUDITSYSCALL=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_GENERIC_IRQ_LEGACY_ALLOC_HWIRQ=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_ARCH_CLOCKSOURCE_DATA=y +CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BUILD=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y + +# +# CPU/Task time and stats accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +# CONFIG_IRQ_TIME_ACCOUNTING is not set +CONFIG_BSD_PROCESS_ACCT=y +# CONFIG_BSD_PROCESS_ACCT_V3 is not set +# CONFIG_TASKSTATS is not set + +# +# RCU Subsystem +# +CONFIG_TINY_RCU=y +# CONFIG_PREEMPT_RCU is not set +# CONFIG_TASKS_RCU is not set +# CONFIG_RCU_STALL_COMMON is not set +# CONFIG_TREE_RCU_TRACE is not set +CONFIG_BUILD_BIN2C=y +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_LOG_BUF_SHIFT=14 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_SUPPORTS_INT128=y +# CONFIG_CGROUPS is not set +# CONFIG_CHECKPOINT_RESTORE is not set +CONFIG_NAMESPACES=y +# CONFIG_UTS_NS is not set +# CONFIG_IPC_NS is not set +# CONFIG_USER_NS is not set +# CONFIG_PID_NS is not set +# CONFIG_NET_NS is not set +# CONFIG_SCHED_AUTOGROUP is not set +# CONFIG_SYSFS_DEPRECATED is not set +# CONFIG_RELAY is not set +# CONFIG_BLK_DEV_INITRD is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +CONFIG_SYSCTL=y +CONFIG_ANON_INODES=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +CONFIG_BPF=y +# CONFIG_EXPERT is not set +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +# CONFIG_SYSCTL_SYSCALL is not set +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_ALL is not set +CONFIG_PRINTK=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +# CONFIG_BPF_SYSCALL is not set +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_ADVISE_SYSCALLS=y +CONFIG_PCI_QUIRKS=y +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_VM_EVENT_COUNTERS=y +CONFIG_COMPAT_BRK=y +CONFIG_SLAB=y +# CONFIG_SLUB is not set +# CONFIG_PROFILING is not set +CONFIG_HAVE_OPROFILE=y +CONFIG_OPROFILE_NMI_TIMER=y +# CONFIG_JUMP_LABEL is not set +# CONFIG_UPROBES is not set +# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_ATTRS=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_DMA_API_DEBUG=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_PERF_REGS=y +CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP_FILTER=y +CONFIG_HAVE_CC_STACKPROTECTOR=y +CONFIG_CC_STACKPROTECTOR=y +# CONFIG_CC_STACKPROTECTOR_NONE is not set +CONFIG_CC_STACKPROTECTOR_REGULAR=y +# CONFIG_CC_STACKPROTECTOR_STRONG is not set +CONFIG_HAVE_CONTEXT_TRACKING=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y + +# +# GCOV-based kernel profiling +# +# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set +CONFIG_SLABINFO=y +CONFIG_RT_MUTEXES=y +CONFIG_BASE_SMALL=0 +# CONFIG_MODULES is not set +CONFIG_BLOCK=y +# CONFIG_BLK_DEV_BSG is not set +# CONFIG_BLK_DEV_BSGLIB is not set +# CONFIG_BLK_DEV_INTEGRITY is not set +# CONFIG_BLK_CMDLINE_PARSER is not set + +# +# Partition Types +# +# CONFIG_PARTITION_ADVANCED is not set +CONFIG_MSDOS_PARTITION=y +CONFIG_EFI_PARTITION=y + +# +# IO Schedulers +# +CONFIG_IOSCHED_NOOP=y +CONFIG_IOSCHED_DEADLINE=y +CONFIG_IOSCHED_CFQ=y +# CONFIG_DEFAULT_DEADLINE is not set +CONFIG_DEFAULT_CFQ=y +# CONFIG_DEFAULT_NOOP is not set +CONFIG_DEFAULT_IOSCHED="cfq" +CONFIG_INLINE_SPIN_UNLOCK_IRQ=y +CONFIG_INLINE_READ_UNLOCK=y +CONFIG_INLINE_READ_UNLOCK_IRQ=y +CONFIG_INLINE_WRITE_UNLOCK=y +CONFIG_INLINE_WRITE_UNLOCK_IRQ=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_ARCH_USE_QUEUE_RWLOCK=y +CONFIG_FREEZER=y + +# +# Processor type and features +# +CONFIG_ZONE_DMA=y +# CONFIG_SMP is not set +CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_MPPARSE=y +CONFIG_X86_EXTENDED_PLATFORM=y +# CONFIG_X86_GOLDFISH is not set +# CONFIG_X86_INTEL_LPSS is not set +CONFIG_IOSF_MBI=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +# CONFIG_HYPERVISOR_GUEST is not set +CONFIG_NO_BOOTMEM=y +# CONFIG_MEMTEST is not set +# CONFIG_MK8 is not set +# CONFIG_MPSC is not set +CONFIG_MCORE2=y +# CONFIG_MATOM is not set +# CONFIG_GENERIC_CPU is not set +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_INTEL_USERCOPY=y +CONFIG_X86_USE_PPRO_CHECKSUM=y +CONFIG_X86_P6_NOP=y +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_HPET_TIMER=y +CONFIG_DMI=y +CONFIG_GART_IOMMU=y +# CONFIG_CALGARY_IOMMU is not set +CONFIG_SWIOTLB=y +CONFIG_IOMMU_HELPER=y +CONFIG_NR_CPUS=1 +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set +# CONFIG_X86_MCE is not set +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y +# CONFIG_I8K is not set +# CONFIG_MICROCODE is not set +# CONFIG_MICROCODE_INTEL_EARLY is not set +# CONFIG_MICROCODE_AMD_EARLY is not set +# CONFIG_X86_MSR is not set +# CONFIG_X86_CPUID is not set +CONFIG_ARCH_PHYS_ADDR_T_64BIT=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_DIRECT_GBPAGES=y +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_ARCH_PROC_KCORE_TEXT=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +CONFIG_SELECT_MEMORY_MODEL=y +CONFIG_SPARSEMEM_MANUAL=y +CONFIG_SPARSEMEM=y +CONFIG_HAVE_MEMORY_PRESENT=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_HAVE_MEMBLOCK=y +CONFIG_HAVE_MEMBLOCK_NODE_MAP=y +CONFIG_ARCH_DISCARD_MEMBLOCK=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_PAGEFLAGS_EXTENDED=y +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y +CONFIG_MEMORY_BALLOON=y +# CONFIG_COMPACTION is not set +CONFIG_MIGRATION=y +CONFIG_PHYS_ADDR_T_64BIT=y +CONFIG_ZONE_DMA_FLAG=1 +CONFIG_BOUNCE=y +CONFIG_VIRT_TO_BUS=y +# CONFIG_KSM is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_NEED_PER_CPU_KM=y +# CONFIG_CLEANCACHE is not set +# CONFIG_FRONTSWAP is not set +# CONFIG_CMA is not set +# CONFIG_ZPOOL is not set +# CONFIG_ZBUD is not set +# CONFIG_ZSMALLOC is not set +CONFIG_GENERIC_EARLY_IOREMAP=y +# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set +CONFIG_X86_RESERVE_LOW=64 +CONFIG_MTRR=y +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_ARCH_RANDOM=y +CONFIG_X86_SMAP=y +# CONFIG_EFI is not set +CONFIG_SECCOMP=y +# CONFIG_HZ_100 is not set +CONFIG_HZ_250=y +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=250 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC is not set +# CONFIG_CRASH_DUMP is not set +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +# CONFIG_RANDOMIZE_BASE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +# CONFIG_CMDLINE_BOOL is not set +CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y + +# +# Power management and ACPI options +# +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +# CONFIG_HIBERNATION is not set +CONFIG_PM_SLEEP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +# CONFIG_PM_RUNTIME is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SLEEP=y +# CONFIG_ACPI_PROCFS_POWER is not set +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_PROCESSOR=y +# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_THERMAL=y +# CONFIG_ACPI_CUSTOM_DSDT is not set +# CONFIG_ACPI_DEBUG is not set +# CONFIG_ACPI_PCI_SLOT is not set +CONFIG_X86_PM_TIMER=y +# CONFIG_ACPI_CONTAINER is not set +# CONFIG_ACPI_HOTPLUG_MEMORY is not set +# CONFIG_ACPI_SBS is not set +# CONFIG_ACPI_HED is not set +# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +# CONFIG_ACPI_APEI is not set +# CONFIG_SFI is not set + +# +# CPU Frequency scaling +# +# CONFIG_CPU_FREQ is not set + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set +# CONFIG_INTEL_IDLE is not set + +# +# Memory power savings +# +# CONFIG_I7300_IDLE is not set + +# +# Bus options (PCI etc.) +# +CONFIG_PCI=y +CONFIG_PCI_DIRECT=y +# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_DOMAINS=y +# CONFIG_PCIEPORTBUS is not set +CONFIG_PCI_MSI=y +# CONFIG_PCI_DEBUG is not set +# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +# CONFIG_PCI_STUB is not set +CONFIG_HT_IRQ=y +# CONFIG_PCI_IOV is not set +# CONFIG_PCI_PRI is not set +# CONFIG_PCI_PASID is not set +# CONFIG_PCI_IOAPIC is not set +CONFIG_PCI_LABEL=y + +# +# PCI host controller drivers +# +CONFIG_ISA_DMA_API=y +CONFIG_AMD_NB=y +# CONFIG_PCCARD is not set +# CONFIG_HOTPLUG_PCI is not set +# CONFIG_RAPIDIO is not set +# CONFIG_X86_SYSFB is not set + +# +# Executable file formats / Emulations +# +CONFIG_BINFMT_ELF=y +CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y +# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set +CONFIG_BINFMT_SCRIPT=y +# CONFIG_HAVE_AOUT is not set +# CONFIG_BINFMT_MISC is not set +CONFIG_COREDUMP=y +# CONFIG_IA32_EMULATION is not set +CONFIG_X86_DEV_DMA_OPS=y +CONFIG_PMC_ATOM=y +CONFIG_NET=y + +# +# Networking options +# +CONFIG_PACKET=y +# CONFIG_PACKET_DIAG is not set +CONFIG_UNIX=y +# CONFIG_UNIX_DIAG is not set +CONFIG_XFRM=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_USER=y +CONFIG_XFRM_SUB_POLICY=y +CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_STATISTICS=y +CONFIG_XFRM_IPCOMP=y +CONFIG_NET_KEY=y +CONFIG_NET_KEY_MIGRATE=y +CONFIG_INET=y +# CONFIG_IP_MULTICAST is not set +CONFIG_IP_ADVANCED_ROUTER=y +# CONFIG_IP_FIB_TRIE_STATS is not set +CONFIG_IP_MULTIPLE_TABLES=y +# CONFIG_IP_ROUTE_MULTIPATH is not set +# CONFIG_IP_ROUTE_VERBOSE is not set +CONFIG_IP_ROUTE_CLASSID=y +# CONFIG_IP_PNP is not set +# CONFIG_NET_IPIP is not set +# CONFIG_NET_IPGRE_DEMUX is not set +CONFIG_NET_IP_TUNNEL=y +# CONFIG_SYN_COOKIES is not set +# CONFIG_NET_IPVTI is not set +CONFIG_NET_UDP_TUNNEL=y +# CONFIG_NET_FOU is not set +# CONFIG_GENEVE is not set +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +CONFIG_INET_IPCOMP=y +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET_TUNNEL=y +CONFIG_INET_XFRM_MODE_TRANSPORT=y +CONFIG_INET_XFRM_MODE_TUNNEL=y +CONFIG_INET_XFRM_MODE_BEET=y +# CONFIG_INET_LRO is not set +CONFIG_INET_DIAG=y +CONFIG_INET_TCP_DIAG=y +# CONFIG_INET_UDP_DIAG is not set +# CONFIG_TCP_CONG_ADVANCED is not set +CONFIG_TCP_CONG_CUBIC=y +CONFIG_DEFAULT_TCP_CONG="cubic" +# CONFIG_TCP_MD5SIG is not set +CONFIG_IPV6=y +# CONFIG_IPV6_ROUTER_PREF is not set +CONFIG_IPV6_OPTIMISTIC_DAD=y +CONFIG_INET6_AH=y +CONFIG_INET6_ESP=y +CONFIG_INET6_IPCOMP=y +CONFIG_IPV6_MIP6=y +CONFIG_INET6_XFRM_TUNNEL=y +CONFIG_INET6_TUNNEL=y +CONFIG_INET6_XFRM_MODE_TRANSPORT=y +CONFIG_INET6_XFRM_MODE_TUNNEL=y +CONFIG_INET6_XFRM_MODE_BEET=y +# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set +# CONFIG_IPV6_VTI is not set +# CONFIG_IPV6_SIT is not set +CONFIG_IPV6_TUNNEL=y +CONFIG_IPV6_GRE=y +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_SUBTREES=y +# CONFIG_IPV6_MROUTE is not set +# CONFIG_NETWORK_SECMARK is not set +# CONFIG_NET_PTP_CLASSIFY is not set +# CONFIG_NETWORK_PHY_TIMESTAMPING is not set +CONFIG_NETFILTER=y +# CONFIG_NETFILTER_DEBUG is not set +CONFIG_NETFILTER_ADVANCED=y + +# +# Core Netfilter Configuration +# +CONFIG_NETFILTER_NETLINK=y +# CONFIG_NETFILTER_NETLINK_ACCT is not set +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK_LOG=y +CONFIG_NF_CONNTRACK=y +CONFIG_NF_LOG_COMMON=y +CONFIG_NF_CONNTRACK_MARK=y +# CONFIG_NF_CONNTRACK_ZONES is not set +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_EVENTS=y +# CONFIG_NF_CONNTRACK_TIMEOUT is not set +# CONFIG_NF_CONNTRACK_TIMESTAMP is not set +# CONFIG_NF_CT_PROTO_DCCP is not set +# CONFIG_NF_CT_PROTO_SCTP is not set +CONFIG_NF_CT_PROTO_UDPLITE=y +# CONFIG_NF_CONNTRACK_AMANDA is not set +# CONFIG_NF_CONNTRACK_FTP is not set +# CONFIG_NF_CONNTRACK_H323 is not set +# CONFIG_NF_CONNTRACK_IRC is not set +# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set +# CONFIG_NF_CONNTRACK_SNMP is not set +# CONFIG_NF_CONNTRACK_PPTP is not set +CONFIG_NF_CONNTRACK_SANE=y +# CONFIG_NF_CONNTRACK_SIP is not set +# CONFIG_NF_CONNTRACK_TFTP is not set +CONFIG_NF_CT_NETLINK=y +# CONFIG_NF_CT_NETLINK_TIMEOUT is not set +# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set +CONFIG_NF_NAT=y +CONFIG_NF_NAT_NEEDED=y +CONFIG_NF_NAT_PROTO_UDPLITE=y +# CONFIG_NF_NAT_AMANDA is not set +# CONFIG_NF_NAT_FTP is not set +# CONFIG_NF_NAT_IRC is not set +# CONFIG_NF_NAT_SIP is not set +# CONFIG_NF_NAT_TFTP is not set +# CONFIG_NF_TABLES is not set +CONFIG_NETFILTER_XTABLES=y + +# +# Xtables combined modules +# +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_SET=y + +# +# Xtables targets +# +# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +# CONFIG_NETFILTER_XT_TARGET_HMARK is not set +# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +# CONFIG_NETFILTER_XT_TARGET_TEE is not set +# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set +CONFIG_NETFILTER_XT_TARGET_TRACE=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set + +# +# Xtables matches +# +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +# CONFIG_NETFILTER_XT_MATCH_BPF is not set +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +# CONFIG_NETFILTER_XT_MATCH_CPU is not set +CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y +CONFIG_NETFILTER_XT_MATCH_ESP=y +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set +# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set +# CONFIG_NETFILTER_XT_MATCH_OSF is not set +# CONFIG_NETFILTER_XT_MATCH_OWNER is not set +CONFIG_NETFILTER_XT_MATCH_POLICY=y +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set +CONFIG_NETFILTER_XT_MATCH_REALM=y +# CONFIG_NETFILTER_XT_MATCH_RECENT is not set +CONFIG_NETFILTER_XT_MATCH_SCTP=y +# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +# CONFIG_NETFILTER_XT_MATCH_TIME is not set +CONFIG_NETFILTER_XT_MATCH_U32=y +CONFIG_IP_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_PORT=y +CONFIG_IP_SET_HASH_IP=y +# CONFIG_IP_SET_HASH_IPMARK is not set +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y +# CONFIG_IP_SET_HASH_MAC is not set +# CONFIG_IP_SET_HASH_NETPORTNET is not set +CONFIG_IP_SET_HASH_NET=y +# CONFIG_IP_SET_HASH_NETNET is not set +CONFIG_IP_SET_HASH_NETPORT=y +# CONFIG_IP_SET_HASH_NETIFACE is not set +CONFIG_IP_SET_LIST_SET=y +# CONFIG_IP_VS is not set + +# +# IP: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV4=y +CONFIG_NF_CONNTRACK_IPV4=y +CONFIG_NF_CONNTRACK_PROC_COMPAT=y +# CONFIG_NF_LOG_ARP is not set +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_NAT_IPV4=y +CONFIG_NF_NAT_MASQUERADE_IPV4=y +# CONFIG_NF_NAT_PPTP is not set +# CONFIG_NF_NAT_H323 is not set +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +# CONFIG_IP_NF_MATCH_RPFILTER is not set +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_TARGET_REJECT=y +# CONFIG_IP_NF_TARGET_SYNPROXY is not set +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y +CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_TTL=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y + +# +# IPv6: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV6=y +CONFIG_NF_CONNTRACK_IPV6=y +CONFIG_NF_REJECT_IPV6=y +CONFIG_NF_LOG_IPV6=y +CONFIG_NF_NAT_IPV6=y +CONFIG_NF_NAT_MASQUERADE_IPV6=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MATCH_AH=y +CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +# CONFIG_IP6_NF_MATCH_RPFILTER is not set +CONFIG_IP6_NF_MATCH_RT=y +CONFIG_IP6_NF_TARGET_HL=y +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_TARGET_REJECT=y +# CONFIG_IP6_NF_TARGET_SYNPROXY is not set +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_RAW=y +# CONFIG_IP6_NF_NAT is not set +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set +# CONFIG_RDS is not set +# CONFIG_TIPC is not set +# CONFIG_ATM is not set +CONFIG_L2TP=y +# CONFIG_L2TP_V3 is not set +# CONFIG_BRIDGE is not set +CONFIG_HAVE_NET_DSA=y +# CONFIG_VLAN_8021Q is not set +# CONFIG_DECNET is not set +# CONFIG_LLC2 is not set +# CONFIG_IPX is not set +# CONFIG_ATALK is not set +# CONFIG_X25 is not set +# CONFIG_LAPB is not set +# CONFIG_PHONET is not set +# CONFIG_6LOWPAN is not set +# CONFIG_IEEE802154 is not set +# CONFIG_NET_SCHED is not set +# CONFIG_DCB is not set +# CONFIG_BATMAN_ADV is not set +# CONFIG_OPENVSWITCH is not set +# CONFIG_VSOCKETS is not set +# CONFIG_NETLINK_MMAP is not set +# CONFIG_NETLINK_DIAG is not set +# CONFIG_NET_MPLS_GSO is not set +# CONFIG_HSR is not set +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_BQL=y + +# +# Network testing +# +# CONFIG_NET_PKTGEN is not set +# CONFIG_HAMRADIO is not set +# CONFIG_CAN is not set +# CONFIG_IRDA is not set +# CONFIG_BT is not set +# CONFIG_AF_RXRPC is not set +CONFIG_FIB_RULES=y +CONFIG_WIRELESS=y +# CONFIG_CFG80211 is not set +# CONFIG_LIB80211 is not set + +# +# CFG80211 needs to be enabled for MAC80211 +# +# CONFIG_WIMAX is not set +# CONFIG_RFKILL is not set +CONFIG_NET_9P=y +CONFIG_NET_9P_VIRTIO=y +# CONFIG_NET_9P_DEBUG is not set +# CONFIG_CAIF is not set +# CONFIG_CEPH_LIB is not set +# CONFIG_NFC is not set +CONFIG_HAVE_BPF_JIT=y + +# +# Device Drivers +# + +# +# Generic Driver Options +# +CONFIG_UEVENT_HELPER=y +CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" +# CONFIG_DEVTMPFS is not set +CONFIG_STANDALONE=y +CONFIG_PREVENT_FIRMWARE_BUILD=y +CONFIG_FW_LOADER=y +CONFIG_FIRMWARE_IN_KERNEL=y +CONFIG_EXTRA_FIRMWARE="" +# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set +CONFIG_ALLOW_DEV_COREDUMP=y +# CONFIG_DEBUG_DRIVER is not set +# CONFIG_DEBUG_DEVRES is not set +# CONFIG_SYS_HYPERVISOR is not set +# CONFIG_GENERIC_CPU_DEVICES is not set +CONFIG_GENERIC_CPU_AUTOPROBE=y +# CONFIG_DMA_SHARED_BUFFER is not set + +# +# Bus devices +# +# CONFIG_CONNECTOR is not set +# CONFIG_MTD is not set +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +# CONFIG_PARPORT is not set +CONFIG_PNP=y +CONFIG_PNP_DEBUG_MESSAGES=y + +# +# Protocols +# +CONFIG_PNPACPI=y +CONFIG_BLK_DEV=y +# CONFIG_BLK_DEV_NULL_BLK is not set +# CONFIG_BLK_DEV_FD is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_BLK_CPQ_CISS_DA is not set +# CONFIG_BLK_DEV_DAC960 is not set +# CONFIG_BLK_DEV_UMEM is not set +# CONFIG_BLK_DEV_COW_COMMON is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +# CONFIG_BLK_DEV_CRYPTOLOOP is not set +# CONFIG_BLK_DEV_DRBD is not set +CONFIG_BLK_DEV_NBD=y +# CONFIG_BLK_DEV_NVME is not set +# CONFIG_BLK_DEV_SKD is not set +# CONFIG_BLK_DEV_SX8 is not set +# CONFIG_BLK_DEV_RAM is not set +# CONFIG_CDROM_PKTCDVD is not set +# CONFIG_ATA_OVER_ETH is not set +CONFIG_VIRTIO_BLK=y +# CONFIG_BLK_DEV_HD is not set +# CONFIG_BLK_DEV_RBD is not set +# CONFIG_BLK_DEV_RSXX is not set + +# +# Misc devices +# +# CONFIG_SENSORS_LIS3LV02D is not set +# CONFIG_DUMMY_IRQ is not set +# CONFIG_IBM_ASM is not set +# CONFIG_PHANTOM is not set +# CONFIG_SGI_IOC4 is not set +# CONFIG_TIFM_CORE is not set +# CONFIG_ENCLOSURE_SERVICES is not set +# CONFIG_HP_ILO is not set +# CONFIG_SRAM is not set +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_93CX6 is not set +# CONFIG_CB710_CORE is not set + +# +# Texas Instruments shared transport line discipline +# + +# +# Altera FPGA firmware download module +# +# CONFIG_VMWARE_VMCI is not set + +# +# Intel MIC Bus Driver +# +# CONFIG_INTEL_MIC_BUS is not set + +# +# Intel MIC Host Driver +# + +# +# Intel MIC Card Driver +# +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_CXL_BASE is not set +CONFIG_HAVE_IDE=y +# CONFIG_IDE is not set + +# +# SCSI device support +# +CONFIG_SCSI_MOD=y +# CONFIG_RAID_ATTRS is not set +# CONFIG_SCSI is not set +# CONFIG_SCSI_DMA is not set +# CONFIG_SCSI_NETLINK is not set +# CONFIG_ATA is not set +# CONFIG_MD is not set +# CONFIG_FUSION is not set + +# +# IEEE 1394 (FireWire) support +# +# CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# CONFIG_I2O is not set +# CONFIG_MACINTOSH_DRIVERS is not set +CONFIG_NETDEVICES=y +CONFIG_NET_CORE=y +# CONFIG_BONDING is not set +CONFIG_DUMMY=y +# CONFIG_EQUALIZER is not set +# CONFIG_NET_TEAM is not set +# CONFIG_MACVLAN is not set +# CONFIG_VXLAN is not set +# CONFIG_NETCONSOLE is not set +# CONFIG_NETPOLL is not set +# CONFIG_NET_POLL_CONTROLLER is not set +CONFIG_TUN=y +# CONFIG_VETH is not set +CONFIG_VIRTIO_NET=y +# CONFIG_NLMON is not set +# CONFIG_ARCNET is not set + +# +# CAIF transport drivers +# +# CONFIG_VHOST_NET is not set + +# +# Distributed Switch Architecture drivers +# +# CONFIG_NET_DSA_MV88E6XXX is not set +# CONFIG_NET_DSA_MV88E6060 is not set +# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set +# CONFIG_NET_DSA_MV88E6131 is not set +# CONFIG_NET_DSA_MV88E6123_61_65 is not set +# CONFIG_NET_DSA_MV88E6171 is not set +# CONFIG_NET_DSA_BCM_SF2 is not set +CONFIG_ETHERNET=y +CONFIG_NET_VENDOR_3COM=y +# CONFIG_VORTEX is not set +# CONFIG_TYPHOON is not set +CONFIG_NET_VENDOR_ADAPTEC=y +# CONFIG_ADAPTEC_STARFIRE is not set +CONFIG_NET_VENDOR_AGERE=y +# CONFIG_ET131X is not set +CONFIG_NET_VENDOR_ALTEON=y +# CONFIG_ACENIC is not set +# CONFIG_ALTERA_TSE is not set +CONFIG_NET_VENDOR_AMD=y +# CONFIG_AMD8111_ETH is not set +# CONFIG_PCNET32 is not set +# CONFIG_NET_XGENE is not set +# CONFIG_NET_VENDOR_ARC is not set +CONFIG_NET_VENDOR_ATHEROS=y +# CONFIG_ATL2 is not set +# CONFIG_ATL1 is not set +# CONFIG_ATL1E is not set +# CONFIG_ATL1C is not set +# CONFIG_ALX is not set +CONFIG_NET_VENDOR_BROADCOM=y +# CONFIG_B44 is not set +# CONFIG_BNX2 is not set +# CONFIG_CNIC is not set +# CONFIG_TIGON3 is not set +# CONFIG_BNX2X is not set +CONFIG_NET_VENDOR_BROCADE=y +# CONFIG_BNA is not set +CONFIG_NET_VENDOR_CHELSIO=y +# CONFIG_CHELSIO_T1 is not set +# CONFIG_CHELSIO_T3 is not set +# CONFIG_CHELSIO_T4 is not set +# CONFIG_CHELSIO_T4VF is not set +CONFIG_NET_VENDOR_CISCO=y +# CONFIG_ENIC is not set +# CONFIG_CX_ECAT is not set +# CONFIG_DNET is not set +CONFIG_NET_VENDOR_DEC=y +# CONFIG_NET_TULIP is not set +CONFIG_NET_VENDOR_DLINK=y +# CONFIG_DL2K is not set +# CONFIG_SUNDANCE is not set +CONFIG_NET_VENDOR_EMULEX=y +# CONFIG_BE2NET is not set +CONFIG_NET_VENDOR_EXAR=y +# CONFIG_S2IO is not set +# CONFIG_VXGE is not set +CONFIG_NET_VENDOR_HP=y +# CONFIG_HP100 is not set +CONFIG_NET_VENDOR_INTEL=y +# CONFIG_E100 is not set +# CONFIG_E1000 is not set +# CONFIG_E1000E is not set +# CONFIG_IGB is not set +# CONFIG_IGBVF is not set +# CONFIG_IXGB is not set +# CONFIG_IXGBE is not set +# CONFIG_IXGBEVF is not set +# CONFIG_I40E is not set +# CONFIG_I40EVF is not set +# CONFIG_FM10K is not set +CONFIG_NET_VENDOR_I825XX=y +# CONFIG_IP1000 is not set +# CONFIG_JME is not set +CONFIG_NET_VENDOR_MARVELL=y +# CONFIG_MVMDIO is not set +# CONFIG_SKGE is not set +# CONFIG_SKY2 is not set +CONFIG_NET_VENDOR_MELLANOX=y +# CONFIG_MLX4_EN is not set +# CONFIG_MLX4_CORE is not set +# CONFIG_MLX5_CORE is not set +CONFIG_NET_VENDOR_MICREL=y +# CONFIG_KS8851_MLL is not set +# CONFIG_KSZ884X_PCI is not set +CONFIG_NET_VENDOR_MYRI=y +# CONFIG_MYRI10GE is not set +# CONFIG_FEALNX is not set +CONFIG_NET_VENDOR_NATSEMI=y +# CONFIG_NATSEMI is not set +# CONFIG_NS83820 is not set +CONFIG_NET_VENDOR_8390=y +# CONFIG_NE2K_PCI is not set +CONFIG_NET_VENDOR_NVIDIA=y +# CONFIG_FORCEDETH is not set +CONFIG_NET_VENDOR_OKI=y +# CONFIG_ETHOC is not set +CONFIG_NET_PACKET_ENGINE=y +# CONFIG_HAMACHI is not set +# CONFIG_YELLOWFIN is not set +CONFIG_NET_VENDOR_QLOGIC=y +# CONFIG_QLA3XXX is not set +# CONFIG_QLCNIC is not set +# CONFIG_QLGE is not set +# CONFIG_NETXEN_NIC is not set +CONFIG_NET_VENDOR_QUALCOMM=y +CONFIG_NET_VENDOR_REALTEK=y +# CONFIG_8139CP is not set +# CONFIG_8139TOO is not set +# CONFIG_R8169 is not set +CONFIG_NET_VENDOR_RDC=y +# CONFIG_R6040 is not set +CONFIG_NET_VENDOR_SAMSUNG=y +# CONFIG_SXGBE_ETH is not set +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SILAN=y +# CONFIG_SC92031 is not set +CONFIG_NET_VENDOR_SIS=y +# CONFIG_SIS900 is not set +# CONFIG_SIS190 is not set +# CONFIG_SFC is not set +CONFIG_NET_VENDOR_SMSC=y +# CONFIG_EPIC100 is not set +# CONFIG_SMSC911X is not set +# CONFIG_SMSC9420 is not set +CONFIG_NET_VENDOR_STMICRO=y +# CONFIG_STMMAC_ETH is not set +CONFIG_NET_VENDOR_SUN=y +# CONFIG_HAPPYMEAL is not set +# CONFIG_SUNGEM is not set +# CONFIG_CASSINI is not set +# CONFIG_NIU is not set +CONFIG_NET_VENDOR_TEHUTI=y +# CONFIG_TEHUTI is not set +CONFIG_NET_VENDOR_TI=y +# CONFIG_TLAN is not set +CONFIG_NET_VENDOR_VIA=y +# CONFIG_VIA_RHINE is not set +# CONFIG_VIA_VELOCITY is not set +CONFIG_NET_VENDOR_WIZNET=y +# CONFIG_WIZNET_W5100 is not set +# CONFIG_WIZNET_W5300 is not set +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# CONFIG_NET_SB1000 is not set +# CONFIG_PHYLIB is not set +# CONFIG_PPP is not set +# CONFIG_SLIP is not set + +# +# Host-side USB support is needed for USB Network Adapter support +# +CONFIG_WLAN=y +# CONFIG_PRISM54 is not set +# CONFIG_HOSTAP is not set +# CONFIG_WL_TI is not set + +# +# Enable WiMAX (Networking options) to see the WiMAX drivers +# +# CONFIG_WAN is not set +# CONFIG_VMXNET3 is not set +# CONFIG_ISDN is not set + +# +# Input device support +# +CONFIG_INPUT=y +# CONFIG_INPUT_FF_MEMLESS is not set +# CONFIG_INPUT_POLLDEV is not set +# CONFIG_INPUT_SPARSEKMAP is not set +# CONFIG_INPUT_MATRIXKMAP is not set + +# +# Userland interfaces +# +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +# CONFIG_INPUT_JOYDEV is not set +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +CONFIG_KEYBOARD_ATKBD=y +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_XTKBD is not set +CONFIG_INPUT_MOUSE=y +CONFIG_MOUSE_PS2=y +CONFIG_MOUSE_PS2_ALPS=y +CONFIG_MOUSE_PS2_LOGIPS2PP=y +CONFIG_MOUSE_PS2_SYNAPTICS=y +CONFIG_MOUSE_PS2_CYPRESS=y +CONFIG_MOUSE_PS2_LIFEBOOK=y +CONFIG_MOUSE_PS2_TRACKPOINT=y +# CONFIG_MOUSE_PS2_ELANTECH is not set +# CONFIG_MOUSE_PS2_SENTELIC is not set +# CONFIG_MOUSE_PS2_TOUCHKIT is not set +# CONFIG_MOUSE_SERIAL is not set +# CONFIG_MOUSE_APPLETOUCH is not set +# CONFIG_MOUSE_BCM5974 is not set +# CONFIG_MOUSE_VSXXXAA is not set +# CONFIG_MOUSE_SYNAPTICS_USB is not set +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +# CONFIG_INPUT_MISC is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_SERPORT=y +# CONFIG_SERIO_CT82C710 is not set +# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_LIBPS2=y +# CONFIG_SERIO_RAW is not set +# CONFIG_SERIO_ALTERA_PS2 is not set +# CONFIG_SERIO_PS2MULT is not set +# CONFIG_SERIO_ARC_PS2 is not set +# CONFIG_GAMEPORT is not set + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_HW_CONSOLE=y +# CONFIG_VT_HW_CONSOLE_BINDING is not set +CONFIG_UNIX98_PTYS=y +# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set +CONFIG_LEGACY_PTYS=y +CONFIG_LEGACY_PTY_COUNT=256 +# CONFIG_SERIAL_NONSTANDARD is not set +# CONFIG_NOZOMI is not set +# CONFIG_N_GSM is not set +# CONFIG_TRACE_SINK is not set +CONFIG_DEVKMEM=y + +# +# Serial drivers +# +# CONFIG_SERIAL_8250 is not set + +# +# Non-8250 serial port support +# +# CONFIG_SERIAL_MFD_HSU is not set +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +CONFIG_HVC_DRIVER=y +CONFIG_VIRTIO_CONSOLE=y +# CONFIG_IPMI_HANDLER is not set +# CONFIG_HW_RANDOM is not set +# CONFIG_NVRAM is not set +# CONFIG_R3964 is not set +# CONFIG_APPLICOM is not set +# CONFIG_MWAVE is not set +# CONFIG_RAW_DRIVER is not set +# CONFIG_HPET is not set +# CONFIG_HANGCHECK_TIMER is not set +# CONFIG_TCG_TPM is not set +# CONFIG_TELCLOCK is not set +CONFIG_DEVPORT=y +# CONFIG_XILLYBUS is not set + +# +# I2C support +# +# CONFIG_I2C is not set +# CONFIG_SPI is not set +# CONFIG_SPMI is not set +# CONFIG_HSI is not set + +# +# PPS support +# +# CONFIG_PPS is not set + +# +# PPS generators support +# + +# +# PTP clock support +# +# CONFIG_PTP_1588_CLOCK is not set + +# +# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. +# +CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y +# CONFIG_GPIOLIB is not set +# CONFIG_W1 is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_BQ27x00 is not set +# CONFIG_CHARGER_MAX8903 is not set +# CONFIG_POWER_RESET is not set +# CONFIG_POWER_AVS is not set +CONFIG_HWMON=y +# CONFIG_HWMON_VID is not set +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_CORETEMP is not set +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NTC_THERMISTOR is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_SIS5595 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_SCH56XX_COMMON is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set +CONFIG_THERMAL=y +CONFIG_THERMAL_HWMON=y +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +# CONFIG_THERMAL_GOV_USER_SPACE is not set +# CONFIG_THERMAL_EMULATION is not set +# CONFIG_INTEL_POWERCLAMP is not set +# CONFIG_INTEL_SOC_DTS_THERMAL is not set +# CONFIG_INT340X_THERMAL is not set + +# +# Texas Instruments thermal drivers +# +# CONFIG_WATCHDOG is not set +CONFIG_SSB_POSSIBLE=y + +# +# Sonics Silicon Backplane +# +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y + +# +# Broadcom specific AMBA +# +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +# CONFIG_MFD_CORE is not set +# CONFIG_MFD_CROS_EC is not set +# CONFIG_HTC_PASIC3 is not set +# CONFIG_LPC_ICH is not set +# CONFIG_LPC_SCH is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_RTSX_PCI is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_ABX500_CORE is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_TMIO is not set +# CONFIG_MFD_VX855 is not set +# CONFIG_REGULATOR is not set +# CONFIG_MEDIA_SUPPORT is not set + +# +# Graphics support +# +# CONFIG_AGP is not set +CONFIG_VGA_ARB=y +CONFIG_VGA_ARB_MAX_GPUS=16 +# CONFIG_VGA_SWITCHEROO is not set + +# +# Direct Rendering Manager +# +# CONFIG_DRM is not set + +# +# Frame buffer Devices +# +# CONFIG_FB is not set +# CONFIG_BACKLIGHT_LCD_SUPPORT is not set +# CONFIG_VGASTATE is not set + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +# CONFIG_VGACON_SOFT_SCROLLBACK is not set +CONFIG_DUMMY_CONSOLE=y +CONFIG_SOUND=y +# CONFIG_SOUND_OSS_CORE is not set +# CONFIG_SND is not set +# CONFIG_SOUND_PRIME is not set + +# +# HID support +# +CONFIG_HID=y +# CONFIG_HID_BATTERY_STRENGTH is not set +# CONFIG_HIDRAW is not set +# CONFIG_UHID is not set +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +CONFIG_HID_A4TECH=y +# CONFIG_HID_ACRUX is not set +CONFIG_HID_APPLE=y +# CONFIG_HID_AUREAL is not set +CONFIG_HID_BELKIN=y +CONFIG_HID_CHERRY=y +CONFIG_HID_CHICONY=y +CONFIG_HID_CYPRESS=y +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELECOM is not set +CONFIG_HID_EZKEY=y +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not set +# CONFIG_HID_UCLOGIC is not set +# CONFIG_HID_WALTOP is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +# CONFIG_HID_TWINHAN is not set +CONFIG_HID_KENSINGTON=y +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LENOVO is not set +CONFIG_HID_LOGITECH=y +# CONFIG_LOGITECH_FF is not set +# CONFIG_LOGIRUMBLEPAD2_FF is not set +# CONFIG_LOGIG940_FF is not set +# CONFIG_LOGIWHEELS_FF is not set +# CONFIG_HID_MAGICMOUSE is not set +CONFIG_HID_MICROSOFT=y +CONFIG_HID_MONTEREY=y +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SAMSUNG is not set +# CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# CONFIG_HID_THRUSTMASTER is not set +# CONFIG_HID_WACOM is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +CONFIG_USB_ARCH_HAS_HCD=y +# CONFIG_USB is not set + +# +# USB port drivers +# + +# +# USB Physical Layer drivers +# +# CONFIG_USB_PHY is not set +# CONFIG_NOP_USB_XCEIV is not set +# CONFIG_USB_GADGET is not set +# CONFIG_UWB is not set +# CONFIG_MMC is not set +# CONFIG_MEMSTICK is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +# CONFIG_EDAC is not set +CONFIG_RTC_LIB=y +# CONFIG_RTC_CLASS is not set +# CONFIG_DMADEVICES is not set +# CONFIG_AUXDISPLAY is not set +# CONFIG_UIO is not set +# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRTIO=y + +# +# Virtio drivers +# +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_BALLOON=y +CONFIG_VIRTIO_MMIO=y +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set + +# +# Microsoft Hyper-V guest support +# +# CONFIG_STAGING is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACERHDF is not set +# CONFIG_ASUS_LAPTOP is not set +# CONFIG_DELL_SMO8800 is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_HP_WIRELESS is not set +# CONFIG_THINKPAD_ACPI is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_ACPI_WMI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_PVPANIC is not set +# CONFIG_CHROME_PLATFORMS is not set + +# +# SOC (System On Chip) specific Drivers +# +# CONFIG_SOC_TI is not set + +# +# Hardware Spinlock drivers +# + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# CONFIG_ATMEL_PIT is not set +# CONFIG_SH_TIMER_CMT is not set +# CONFIG_SH_TIMER_MTU2 is not set +# CONFIG_SH_TIMER_TMU is not set +# CONFIG_EM_TIMER_STI is not set +# CONFIG_MAILBOX is not set +CONFIG_IOMMU_SUPPORT=y +# CONFIG_AMD_IOMMU is not set +# CONFIG_INTEL_IOMMU is not set +# CONFIG_IRQ_REMAP is not set + +# +# Remoteproc drivers +# +# CONFIG_STE_MODEM_RPROC is not set + +# +# Rpmsg drivers +# + +# +# SOC (System On Chip) specific Drivers +# +# CONFIG_PM_DEVFREQ is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_VME_BUS is not set +# CONFIG_PWM is not set +# CONFIG_IPACK_BUS is not set +# CONFIG_RESET_CONTROLLER is not set +# CONFIG_FMC is not set + +# +# PHY Subsystem +# +# CONFIG_GENERIC_PHY is not set +# CONFIG_BCM_KONA_USB2_PHY is not set +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set +# CONFIG_THUNDERBOLT is not set + +# +# Firmware Drivers +# +# CONFIG_EDD is not set +CONFIG_FIRMWARE_MEMMAP=y +# CONFIG_DELL_RBU is not set +# CONFIG_DCDBAS is not set +CONFIG_DMIID=y +# CONFIG_DMI_SYSFS is not set +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +# CONFIG_ISCSI_IBFT_FIND is not set +# CONFIG_GOOGLE_FIRMWARE is not set + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +CONFIG_EXT2_FS=y +# CONFIG_EXT2_FS_XATTR is not set +# CONFIG_EXT2_FS_XIP is not set +CONFIG_EXT3_FS=y +# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set +# CONFIG_EXT3_FS_XATTR is not set +# CONFIG_EXT4_FS is not set +CONFIG_JBD=y +CONFIG_REISERFS_FS=y +# CONFIG_REISERFS_CHECK is not set +# CONFIG_REISERFS_PROC_INFO is not set +# CONFIG_REISERFS_FS_XATTR is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_BTRFS_FS is not set +# CONFIG_NILFS2_FS is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_FILE_LOCKING=y +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +# CONFIG_FANOTIFY is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_AUTOFS4_FS=y +# CONFIG_FUSE_FS is not set +# CONFIG_OVERLAY_FS is not set + +# +# Caches +# +# CONFIG_FSCACHE is not set + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +# CONFIG_ZISOFS is not set +# CONFIG_UDF_FS is not set + +# +# DOS/FAT/NT Filesystems +# +# CONFIG_MSDOS_FS is not set +# CONFIG_VFAT_FS is not set +# CONFIG_NTFS_FS is not set + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +# CONFIG_TMPFS_XATTR is not set +# CONFIG_HUGETLBFS is not set +# CONFIG_HUGETLB_PAGE is not set +# CONFIG_CONFIGFS_FS is not set +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_LOGFS is not set +# CONFIG_CRAMFS is not set +# CONFIG_SQUASHFS is not set +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +# CONFIG_PSTORE is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +# CONFIG_F2FS_FS is not set +CONFIG_NETWORK_FILESYSTEMS=y +# CONFIG_NFS_FS is not set +# CONFIG_NFSD is not set +# CONFIG_CEPH_FS is not set +# CONFIG_CIFS is not set +# CONFIG_NCP_FS is not set +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=y +CONFIG_9P_FS_POSIX_ACL=y +# CONFIG_9P_FS_SECURITY is not set +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="iso8859-1" +# CONFIG_NLS_CODEPAGE_437 is not set +# CONFIG_NLS_CODEPAGE_737 is not set +# CONFIG_NLS_CODEPAGE_775 is not set +# CONFIG_NLS_CODEPAGE_850 is not set +# CONFIG_NLS_CODEPAGE_852 is not set +# CONFIG_NLS_CODEPAGE_855 is not set +# CONFIG_NLS_CODEPAGE_857 is not set +# CONFIG_NLS_CODEPAGE_860 is not set +# CONFIG_NLS_CODEPAGE_861 is not set +# CONFIG_NLS_CODEPAGE_862 is not set +# CONFIG_NLS_CODEPAGE_863 is not set +# CONFIG_NLS_CODEPAGE_864 is not set +# CONFIG_NLS_CODEPAGE_865 is not set +# CONFIG_NLS_CODEPAGE_866 is not set +# CONFIG_NLS_CODEPAGE_869 is not set +# CONFIG_NLS_CODEPAGE_936 is not set +# CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +# CONFIG_NLS_ASCII is not set +# CONFIG_NLS_ISO8859_1 is not set +# CONFIG_NLS_ISO8859_2 is not set +# CONFIG_NLS_ISO8859_3 is not set +# CONFIG_NLS_ISO8859_4 is not set +# CONFIG_NLS_ISO8859_5 is not set +# CONFIG_NLS_ISO8859_6 is not set +# CONFIG_NLS_ISO8859_7 is not set +# CONFIG_NLS_ISO8859_9 is not set +# CONFIG_NLS_ISO8859_13 is not set +# CONFIG_NLS_ISO8859_14 is not set +# CONFIG_NLS_ISO8859_15 is not set +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +# CONFIG_NLS_UTF8 is not set + +# +# Kernel hacking +# +CONFIG_TRACE_IRQFLAGS_SUPPORT=y + +# +# printk and dmesg options +# +# CONFIG_PRINTK_TIME is not set +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +# CONFIG_DEBUG_INFO_REDUCED is not set +# CONFIG_DEBUG_INFO_SPLIT is not set +# CONFIG_DEBUG_INFO_DWARF4 is not set +CONFIG_ENABLE_WARN_DEPRECATED=y +CONFIG_ENABLE_MUST_CHECK=y +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM is not set +# CONFIG_UNUSED_SYMBOLS is not set +# CONFIG_DEBUG_FS is not set +# CONFIG_HEADERS_CHECK is not set +# CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_ARCH_WANT_FRAME_POINTERS=y +CONFIG_FRAME_POINTER=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# CONFIG_MAGIC_SYSRQ is not set +CONFIG_DEBUG_KERNEL=y + +# +# Memory Debugging +# +# CONFIG_DEBUG_PAGEALLOC is not set +# CONFIG_DEBUG_OBJECTS is not set +# CONFIG_DEBUG_SLAB is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_DEBUG_VM is not set +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +CONFIG_HAVE_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not set +CONFIG_HAVE_ARCH_KMEMCHECK=y +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Lockups and Hangs +# +# CONFIG_LOCKUP_DETECTOR is not set +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 +# CONFIG_PANIC_ON_OOPS is not set +CONFIG_PANIC_ON_OOPS_VALUE=0 +CONFIG_PANIC_TIMEOUT=0 +# CONFIG_SCHED_DEBUG is not set +# CONFIG_SCHEDSTATS is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +# CONFIG_TIMER_STATS is not set + +# +# Lock Debugging (spinlocks, mutexes, etc...) +# +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_STACKTRACE is not set +# CONFIG_DEBUG_KOBJECT is not set +CONFIG_DEBUG_BUGVERBOSE=y +# CONFIG_DEBUG_LIST is not set +# CONFIG_DEBUG_PI_LIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_DEBUG_CREDENTIALS is not set + +# +# RCU Debugging +# +# CONFIG_SPARSE_RCU_POINTER is not set +# CONFIG_TORTURE_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +# CONFIG_RCU_TRACE is not set +# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +# CONFIG_FAULT_INJECTION is not set +# CONFIG_LATENCYTOP is not set +CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y +# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_TRACING_SUPPORT=y +CONFIG_FTRACE=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_SCHED_TRACER is not set +# CONFIG_ENABLE_DEFAULT_TRACERS is not set +# CONFIG_FTRACE_SYSCALLS is not set +# CONFIG_TRACER_SNAPSHOT is not set +CONFIG_BRANCH_PROFILE_NONE=y +# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set +# CONFIG_PROFILE_ALL_BRANCHES is not set +# CONFIG_STACK_TRACER is not set +# CONFIG_BLK_DEV_IO_TRACE is not set +# CONFIG_UPROBE_EVENT is not set +# CONFIG_PROBE_EVENTS is not set +# CONFIG_MMIOTRACE is not set +# CONFIG_TRACEPOINT_BENCHMARK is not set + +# +# Runtime Testing +# +# CONFIG_TEST_LIST_SORT is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_RBTREE_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_RHASHTABLE is not set +# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set +# CONFIG_DMA_API_DEBUG is not set +# CONFIG_TEST_FIRMWARE is not set +# CONFIG_TEST_UDELAY is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +# CONFIG_STRICT_DEVMEM is not set +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_X86_PTDUMP is not set +CONFIG_DEBUG_RODATA=y +CONFIG_DEBUG_RODATA_TEST=y +CONFIG_DOUBLEFAULT=y +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_DEBUG is not set +# CONFIG_IOMMU_STRESS is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +CONFIG_IO_DELAY_TYPE_0X80=0 +CONFIG_IO_DELAY_TYPE_0XED=1 +CONFIG_IO_DELAY_TYPE_UDELAY=2 +CONFIG_IO_DELAY_TYPE_NONE=3 +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +CONFIG_DEFAULT_IO_DELAY_TYPE=0 +# CONFIG_CPA_DEBUG is not set +# CONFIG_OPTIMIZE_INLINING is not set +# CONFIG_DEBUG_NMI_SELFTEST is not set +# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set + +# +# Security options +# +# CONFIG_KEYS is not set +# CONFIG_SECURITY_DMESG_RESTRICT is not set +# CONFIG_SECURITY is not set +# CONFIG_SECURITYFS is not set +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_DEFAULT_SECURITY="" +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_BLKCIPHER=y +CONFIG_CRYPTO_BLKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_PCOMP=y +CONFIG_CRYPTO_PCOMP2=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_GF128MUL=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_WORKQUEUE=y +CONFIG_CRYPTO_CRYPTD=y +# CONFIG_CRYPTO_MCRYPTD is not set +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_ABLK_HELPER=y +CONFIG_CRYPTO_GLUE_HELPER_X86=y + +# +# Authenticated Encryption with Associated Data +# +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_SEQIV=y + +# +# Block modes +# +CONFIG_CRYPTO_CBC=y +CONFIG_CRYPTO_CTR=y +# CONFIG_CRYPTO_CTS is not set +CONFIG_CRYPTO_ECB=y +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_PCBC=y +CONFIG_CRYPTO_XTS=y + +# +# Hash modes +# +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_XCBC=y +# CONFIG_CRYPTO_VMAC is not set + +# +# Digest +# +CONFIG_CRYPTO_CRC32C=y +# CONFIG_CRYPTO_CRC32C_INTEL is not set +# CONFIG_CRYPTO_CRC32 is not set +# CONFIG_CRYPTO_CRC32_PCLMUL is not set +# CONFIG_CRYPTO_CRCT10DIF is not set +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +CONFIG_CRYPTO_RMD128=y +CONFIG_CRYPTO_RMD160=y +CONFIG_CRYPTO_RMD256=y +CONFIG_CRYPTO_RMD320=y +CONFIG_CRYPTO_SHA1=y +# CONFIG_CRYPTO_SHA1_SSSE3 is not set +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +# CONFIG_CRYPTO_SHA1_MB is not set +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_TGR192=y +CONFIG_CRYPTO_WP512=y +# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set + +# +# Ciphers +# +CONFIG_CRYPTO_AES=y +CONFIG_CRYPTO_AES_X86_64=y +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ANUBIS=y +CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_BLOWFISH=y +CONFIG_CRYPTO_BLOWFISH_COMMON=y +CONFIG_CRYPTO_BLOWFISH_X86_64=y +CONFIG_CRYPTO_CAMELLIA=y +CONFIG_CRYPTO_CAMELLIA_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_CAST_COMMON=y +CONFIG_CRYPTO_CAST5=y +CONFIG_CRYPTO_CAST5_AVX_X86_64=y +CONFIG_CRYPTO_CAST6=y +CONFIG_CRYPTO_CAST6_AVX_X86_64=y +CONFIG_CRYPTO_DES=y +# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set +CONFIG_CRYPTO_FCRYPT=y +CONFIG_CRYPTO_KHAZAD=y +CONFIG_CRYPTO_SALSA20=y +CONFIG_CRYPTO_SALSA20_X86_64=y +CONFIG_CRYPTO_SEED=y +CONFIG_CRYPTO_SERPENT=y +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y +CONFIG_CRYPTO_TEA=y +CONFIG_CRYPTO_TWOFISH=y +CONFIG_CRYPTO_TWOFISH_COMMON=y +CONFIG_CRYPTO_TWOFISH_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_ZLIB=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_LZ4=y +CONFIG_CRYPTO_LZ4HC=y + +# +# Random Number Generation +# +# CONFIG_CRYPTO_ANSI_CPRNG is not set +# CONFIG_CRYPTO_DRBG_MENU is not set +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +# CONFIG_CRYPTO_HW is not set +CONFIG_HAVE_KVM=y +CONFIG_VIRTUALIZATION=y +# CONFIG_KVM is not set +# CONFIG_BINARY_PRINTF is not set + +# +# Library routines +# +CONFIG_BITREVERSE=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +CONFIG_GENERIC_FIND_FIRST_BIT=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_GENERIC_IO=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +# CONFIG_CRC_T10DIF is not set +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +CONFIG_CRC7=y +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_COMPRESS=y +CONFIG_LZ4HC_COMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +# CONFIG_XZ_DEC is not set +# CONFIG_XZ_DEC_BCJ is not set +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +CONFIG_DQL=y +CONFIG_NLATTR=y +CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y +CONFIG_AVERAGE=y +# CONFIG_CORDIC is not set +# CONFIG_DDR is not set +CONFIG_ARCH_HAS_SG_CHAIN=y diff --git a/testing/config/kernel/config-3.19 b/testing/config/kernel/config-3.19 new file mode 100644 index 000000000..8520b3155 --- /dev/null +++ b/testing/config/kernel/config-3.19 @@ -0,0 +1,2181 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 3.19.0 Kernel Configuration +# +CONFIG_64BIT=y +CONFIG_X86_64=y +CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_HAVE_LATENCYTOP_SUPPORT=y +CONFIG_MMU=y +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_GENERIC_HWEIGHT=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_RWSEM_XCHGADD_ALGORITHM=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ZONE_DMA32=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11" +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_EXTABLE_SORT=y + +# +# General setup +# +CONFIG_BROKEN_ON_SMP=y +CONFIG_INIT_ENV_ARG_LIMIT=32 +CONFIG_CROSS_COMPILE="" +# CONFIG_COMPILE_TEST is not set +CONFIG_LOCALVERSION="" +CONFIG_LOCALVERSION_AUTO=y +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +# CONFIG_KERNEL_XZ is not set +# CONFIG_KERNEL_LZO is not set +# CONFIG_KERNEL_LZ4 is not set +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SWAP=y +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +CONFIG_CROSS_MEMORY_ATTACH=y +# CONFIG_FHANDLE is not set +CONFIG_USELIB=y +# CONFIG_AUDIT is not set +CONFIG_HAVE_ARCH_AUDITSYSCALL=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_GENERIC_IRQ_LEGACY_ALLOC_HWIRQ=y +CONFIG_IRQ_DOMAIN=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_ARCH_CLOCKSOURCE_DATA=y +CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BUILD=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y + +# +# CPU/Task time and stats accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +# CONFIG_IRQ_TIME_ACCOUNTING is not set +CONFIG_BSD_PROCESS_ACCT=y +# CONFIG_BSD_PROCESS_ACCT_V3 is not set +# CONFIG_TASKSTATS is not set + +# +# RCU Subsystem +# +CONFIG_TINY_RCU=y +# CONFIG_TASKS_RCU is not set +# CONFIG_RCU_STALL_COMMON is not set +# CONFIG_TREE_RCU_TRACE is not set +CONFIG_BUILD_BIN2C=y +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_LOG_BUF_SHIFT=14 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_SUPPORTS_INT128=y +# CONFIG_CGROUPS is not set +# CONFIG_CHECKPOINT_RESTORE is not set +CONFIG_NAMESPACES=y +# CONFIG_UTS_NS is not set +# CONFIG_IPC_NS is not set +# CONFIG_USER_NS is not set +# CONFIG_PID_NS is not set +# CONFIG_NET_NS is not set +# CONFIG_SCHED_AUTOGROUP is not set +# CONFIG_SYSFS_DEPRECATED is not set +# CONFIG_RELAY is not set +# CONFIG_BLK_DEV_INITRD is not set +CONFIG_INIT_FALLBACK=y +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +CONFIG_SYSCTL=y +CONFIG_ANON_INODES=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +CONFIG_BPF=y +# CONFIG_EXPERT is not set +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +# CONFIG_SYSCTL_SYSCALL is not set +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_ALL is not set +CONFIG_PRINTK=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +# CONFIG_BPF_SYSCALL is not set +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_ADVISE_SYSCALLS=y +CONFIG_PCI_QUIRKS=y +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_VM_EVENT_COUNTERS=y +CONFIG_COMPAT_BRK=y +CONFIG_SLAB=y +# CONFIG_SLUB is not set +# CONFIG_PROFILING is not set +CONFIG_HAVE_OPROFILE=y +CONFIG_OPROFILE_NMI_TIMER=y +# CONFIG_JUMP_LABEL is not set +# CONFIG_UPROBES is not set +# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_ATTRS=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_DMA_API_DEBUG=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_PERF_REGS=y +CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP_FILTER=y +CONFIG_HAVE_CC_STACKPROTECTOR=y +CONFIG_CC_STACKPROTECTOR=y +# CONFIG_CC_STACKPROTECTOR_NONE is not set +CONFIG_CC_STACKPROTECTOR_REGULAR=y +# CONFIG_CC_STACKPROTECTOR_STRONG is not set +CONFIG_HAVE_CONTEXT_TRACKING=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y + +# +# GCOV-based kernel profiling +# +CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y +# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set +CONFIG_SLABINFO=y +CONFIG_RT_MUTEXES=y +CONFIG_BASE_SMALL=0 +# CONFIG_MODULES is not set +CONFIG_BLOCK=y +# CONFIG_BLK_DEV_BSG is not set +# CONFIG_BLK_DEV_BSGLIB is not set +# CONFIG_BLK_DEV_INTEGRITY is not set +# CONFIG_BLK_CMDLINE_PARSER is not set + +# +# Partition Types +# +# CONFIG_PARTITION_ADVANCED is not set +CONFIG_MSDOS_PARTITION=y +CONFIG_EFI_PARTITION=y + +# +# IO Schedulers +# +CONFIG_IOSCHED_NOOP=y +CONFIG_IOSCHED_DEADLINE=y +CONFIG_IOSCHED_CFQ=y +# CONFIG_DEFAULT_DEADLINE is not set +CONFIG_DEFAULT_CFQ=y +# CONFIG_DEFAULT_NOOP is not set +CONFIG_DEFAULT_IOSCHED="cfq" +CONFIG_INLINE_SPIN_UNLOCK_IRQ=y +CONFIG_INLINE_READ_UNLOCK=y +CONFIG_INLINE_READ_UNLOCK_IRQ=y +CONFIG_INLINE_WRITE_UNLOCK=y +CONFIG_INLINE_WRITE_UNLOCK_IRQ=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_ARCH_USE_QUEUE_RWLOCK=y +CONFIG_FREEZER=y + +# +# Processor type and features +# +CONFIG_ZONE_DMA=y +# CONFIG_SMP is not set +CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_MPPARSE=y +CONFIG_X86_EXTENDED_PLATFORM=y +# CONFIG_X86_GOLDFISH is not set +# CONFIG_X86_INTEL_LPSS is not set +CONFIG_IOSF_MBI=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +# CONFIG_HYPERVISOR_GUEST is not set +CONFIG_NO_BOOTMEM=y +# CONFIG_MEMTEST is not set +# CONFIG_MK8 is not set +# CONFIG_MPSC is not set +CONFIG_MCORE2=y +# CONFIG_MATOM is not set +# CONFIG_GENERIC_CPU is not set +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_INTEL_USERCOPY=y +CONFIG_X86_USE_PPRO_CHECKSUM=y +CONFIG_X86_P6_NOP=y +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_HPET_TIMER=y +CONFIG_DMI=y +CONFIG_GART_IOMMU=y +# CONFIG_CALGARY_IOMMU is not set +CONFIG_SWIOTLB=y +CONFIG_IOMMU_HELPER=y +CONFIG_NR_CPUS=1 +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set +CONFIG_X86_UP_APIC_MSI=y +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set +# CONFIG_X86_MCE is not set +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y +CONFIG_X86_VSYSCALL_EMULATION=y +# CONFIG_I8K is not set +# CONFIG_MICROCODE is not set +# CONFIG_MICROCODE_INTEL_EARLY is not set +# CONFIG_MICROCODE_AMD_EARLY is not set +# CONFIG_X86_MSR is not set +# CONFIG_X86_CPUID is not set +CONFIG_ARCH_PHYS_ADDR_T_64BIT=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_DIRECT_GBPAGES=y +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_ARCH_PROC_KCORE_TEXT=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +CONFIG_SELECT_MEMORY_MODEL=y +CONFIG_SPARSEMEM_MANUAL=y +CONFIG_SPARSEMEM=y +CONFIG_HAVE_MEMORY_PRESENT=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_HAVE_MEMBLOCK=y +CONFIG_HAVE_MEMBLOCK_NODE_MAP=y +CONFIG_ARCH_DISCARD_MEMBLOCK=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_PAGEFLAGS_EXTENDED=y +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y +CONFIG_MEMORY_BALLOON=y +# CONFIG_COMPACTION is not set +CONFIG_MIGRATION=y +CONFIG_PHYS_ADDR_T_64BIT=y +CONFIG_ZONE_DMA_FLAG=1 +CONFIG_BOUNCE=y +CONFIG_VIRT_TO_BUS=y +# CONFIG_KSM is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_NEED_PER_CPU_KM=y +# CONFIG_CLEANCACHE is not set +# CONFIG_FRONTSWAP is not set +# CONFIG_CMA is not set +# CONFIG_ZPOOL is not set +# CONFIG_ZBUD is not set +# CONFIG_ZSMALLOC is not set +CONFIG_GENERIC_EARLY_IOREMAP=y +# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set +CONFIG_X86_RESERVE_LOW=64 +CONFIG_MTRR=y +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_ARCH_RANDOM=y +CONFIG_X86_SMAP=y +# CONFIG_X86_INTEL_MPX is not set +# CONFIG_EFI is not set +CONFIG_SECCOMP=y +# CONFIG_HZ_100 is not set +CONFIG_HZ_250=y +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=250 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC is not set +# CONFIG_CRASH_DUMP is not set +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +# CONFIG_RANDOMIZE_BASE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +# CONFIG_CMDLINE_BOOL is not set +CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y + +# +# Power management and ACPI options +# +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +# CONFIG_HIBERNATION is not set +CONFIG_PM_SLEEP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SLEEP=y +# CONFIG_ACPI_PROCFS_POWER is not set +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_PROCESSOR=y +# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_THERMAL=y +# CONFIG_ACPI_CUSTOM_DSDT is not set +# CONFIG_ACPI_DEBUG is not set +# CONFIG_ACPI_PCI_SLOT is not set +CONFIG_X86_PM_TIMER=y +# CONFIG_ACPI_CONTAINER is not set +# CONFIG_ACPI_HOTPLUG_MEMORY is not set +# CONFIG_ACPI_SBS is not set +# CONFIG_ACPI_HED is not set +# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +# CONFIG_ACPI_APEI is not set +# CONFIG_PMIC_OPREGION is not set +# CONFIG_SFI is not set + +# +# CPU Frequency scaling +# +# CONFIG_CPU_FREQ is not set + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set +# CONFIG_INTEL_IDLE is not set + +# +# Memory power savings +# +# CONFIG_I7300_IDLE is not set + +# +# Bus options (PCI etc.) +# +CONFIG_PCI=y +CONFIG_PCI_DIRECT=y +# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_DOMAINS=y +# CONFIG_PCIEPORTBUS is not set +CONFIG_PCI_MSI=y +# CONFIG_PCI_DEBUG is not set +# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +# CONFIG_PCI_STUB is not set +CONFIG_HT_IRQ=y +# CONFIG_PCI_IOV is not set +# CONFIG_PCI_PRI is not set +# CONFIG_PCI_PASID is not set +CONFIG_PCI_LABEL=y + +# +# PCI host controller drivers +# +CONFIG_ISA_DMA_API=y +CONFIG_AMD_NB=y +# CONFIG_PCCARD is not set +# CONFIG_HOTPLUG_PCI is not set +# CONFIG_RAPIDIO is not set +# CONFIG_X86_SYSFB is not set + +# +# Executable file formats / Emulations +# +CONFIG_BINFMT_ELF=y +CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y +# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set +CONFIG_BINFMT_SCRIPT=y +# CONFIG_HAVE_AOUT is not set +# CONFIG_BINFMT_MISC is not set +CONFIG_COREDUMP=y +# CONFIG_IA32_EMULATION is not set +CONFIG_X86_DEV_DMA_OPS=y +CONFIG_PMC_ATOM=y +CONFIG_NET=y + +# +# Networking options +# +CONFIG_PACKET=y +# CONFIG_PACKET_DIAG is not set +CONFIG_UNIX=y +# CONFIG_UNIX_DIAG is not set +CONFIG_XFRM=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_USER=y +CONFIG_XFRM_SUB_POLICY=y +CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_STATISTICS=y +CONFIG_XFRM_IPCOMP=y +CONFIG_NET_KEY=y +CONFIG_NET_KEY_MIGRATE=y +CONFIG_INET=y +# CONFIG_IP_MULTICAST is not set +CONFIG_IP_ADVANCED_ROUTER=y +# CONFIG_IP_FIB_TRIE_STATS is not set +CONFIG_IP_MULTIPLE_TABLES=y +# CONFIG_IP_ROUTE_MULTIPATH is not set +# CONFIG_IP_ROUTE_VERBOSE is not set +CONFIG_IP_ROUTE_CLASSID=y +# CONFIG_IP_PNP is not set +# CONFIG_NET_IPIP is not set +# CONFIG_NET_IPGRE_DEMUX is not set +CONFIG_NET_IP_TUNNEL=y +# CONFIG_SYN_COOKIES is not set +# CONFIG_NET_IPVTI is not set +CONFIG_NET_UDP_TUNNEL=y +# CONFIG_NET_FOU is not set +# CONFIG_GENEVE is not set +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +CONFIG_INET_IPCOMP=y +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET_TUNNEL=y +CONFIG_INET_XFRM_MODE_TRANSPORT=y +CONFIG_INET_XFRM_MODE_TUNNEL=y +CONFIG_INET_XFRM_MODE_BEET=y +# CONFIG_INET_LRO is not set +CONFIG_INET_DIAG=y +CONFIG_INET_TCP_DIAG=y +# CONFIG_INET_UDP_DIAG is not set +# CONFIG_TCP_CONG_ADVANCED is not set +CONFIG_TCP_CONG_CUBIC=y +CONFIG_DEFAULT_TCP_CONG="cubic" +# CONFIG_TCP_MD5SIG is not set +CONFIG_IPV6=y +# CONFIG_IPV6_ROUTER_PREF is not set +CONFIG_IPV6_OPTIMISTIC_DAD=y +CONFIG_INET6_AH=y +CONFIG_INET6_ESP=y +CONFIG_INET6_IPCOMP=y +CONFIG_IPV6_MIP6=y +CONFIG_INET6_XFRM_TUNNEL=y +CONFIG_INET6_TUNNEL=y +CONFIG_INET6_XFRM_MODE_TRANSPORT=y +CONFIG_INET6_XFRM_MODE_TUNNEL=y +CONFIG_INET6_XFRM_MODE_BEET=y +# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set +# CONFIG_IPV6_VTI is not set +# CONFIG_IPV6_SIT is not set +CONFIG_IPV6_TUNNEL=y +CONFIG_IPV6_GRE=y +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_SUBTREES=y +# CONFIG_IPV6_MROUTE is not set +# CONFIG_NETWORK_SECMARK is not set +# CONFIG_NET_PTP_CLASSIFY is not set +# CONFIG_NETWORK_PHY_TIMESTAMPING is not set +CONFIG_NETFILTER=y +# CONFIG_NETFILTER_DEBUG is not set +CONFIG_NETFILTER_ADVANCED=y + +# +# Core Netfilter Configuration +# +CONFIG_NETFILTER_NETLINK=y +# CONFIG_NETFILTER_NETLINK_ACCT is not set +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK_LOG=y +CONFIG_NF_CONNTRACK=y +CONFIG_NF_LOG_COMMON=y +CONFIG_NF_CONNTRACK_MARK=y +# CONFIG_NF_CONNTRACK_ZONES is not set +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_EVENTS=y +# CONFIG_NF_CONNTRACK_TIMEOUT is not set +# CONFIG_NF_CONNTRACK_TIMESTAMP is not set +# CONFIG_NF_CT_PROTO_DCCP is not set +# CONFIG_NF_CT_PROTO_SCTP is not set +CONFIG_NF_CT_PROTO_UDPLITE=y +# CONFIG_NF_CONNTRACK_AMANDA is not set +# CONFIG_NF_CONNTRACK_FTP is not set +# CONFIG_NF_CONNTRACK_H323 is not set +# CONFIG_NF_CONNTRACK_IRC is not set +# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set +# CONFIG_NF_CONNTRACK_SNMP is not set +# CONFIG_NF_CONNTRACK_PPTP is not set +CONFIG_NF_CONNTRACK_SANE=y +# CONFIG_NF_CONNTRACK_SIP is not set +# CONFIG_NF_CONNTRACK_TFTP is not set +CONFIG_NF_CT_NETLINK=y +# CONFIG_NF_CT_NETLINK_TIMEOUT is not set +# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set +CONFIG_NF_NAT=y +CONFIG_NF_NAT_NEEDED=y +CONFIG_NF_NAT_PROTO_UDPLITE=y +# CONFIG_NF_NAT_AMANDA is not set +# CONFIG_NF_NAT_FTP is not set +# CONFIG_NF_NAT_IRC is not set +# CONFIG_NF_NAT_SIP is not set +# CONFIG_NF_NAT_TFTP is not set +CONFIG_NF_NAT_REDIRECT=y +# CONFIG_NF_TABLES is not set +CONFIG_NETFILTER_XTABLES=y + +# +# Xtables combined modules +# +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_SET=y + +# +# Xtables targets +# +# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +# CONFIG_NETFILTER_XT_TARGET_HMARK is not set +# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +# CONFIG_NETFILTER_XT_TARGET_TEE is not set +# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set +CONFIG_NETFILTER_XT_TARGET_TRACE=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set + +# +# Xtables matches +# +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +# CONFIG_NETFILTER_XT_MATCH_BPF is not set +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +# CONFIG_NETFILTER_XT_MATCH_CPU is not set +CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y +CONFIG_NETFILTER_XT_MATCH_ESP=y +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set +# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set +# CONFIG_NETFILTER_XT_MATCH_OSF is not set +# CONFIG_NETFILTER_XT_MATCH_OWNER is not set +CONFIG_NETFILTER_XT_MATCH_POLICY=y +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set +CONFIG_NETFILTER_XT_MATCH_REALM=y +# CONFIG_NETFILTER_XT_MATCH_RECENT is not set +CONFIG_NETFILTER_XT_MATCH_SCTP=y +# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +# CONFIG_NETFILTER_XT_MATCH_TIME is not set +CONFIG_NETFILTER_XT_MATCH_U32=y +CONFIG_IP_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_PORT=y +CONFIG_IP_SET_HASH_IP=y +# CONFIG_IP_SET_HASH_IPMARK is not set +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y +# CONFIG_IP_SET_HASH_MAC is not set +# CONFIG_IP_SET_HASH_NETPORTNET is not set +CONFIG_IP_SET_HASH_NET=y +# CONFIG_IP_SET_HASH_NETNET is not set +CONFIG_IP_SET_HASH_NETPORT=y +# CONFIG_IP_SET_HASH_NETIFACE is not set +CONFIG_IP_SET_LIST_SET=y +# CONFIG_IP_VS is not set + +# +# IP: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV4=y +CONFIG_NF_CONNTRACK_IPV4=y +CONFIG_NF_CONNTRACK_PROC_COMPAT=y +# CONFIG_NF_LOG_ARP is not set +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_NAT_IPV4=y +CONFIG_NF_NAT_MASQUERADE_IPV4=y +# CONFIG_NF_NAT_PPTP is not set +# CONFIG_NF_NAT_H323 is not set +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +# CONFIG_IP_NF_MATCH_RPFILTER is not set +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_TARGET_REJECT=y +# CONFIG_IP_NF_TARGET_SYNPROXY is not set +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y +CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_TTL=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y + +# +# IPv6: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV6=y +CONFIG_NF_CONNTRACK_IPV6=y +CONFIG_NF_REJECT_IPV6=y +CONFIG_NF_LOG_IPV6=y +CONFIG_NF_NAT_IPV6=y +CONFIG_NF_NAT_MASQUERADE_IPV6=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MATCH_AH=y +CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +# CONFIG_IP6_NF_MATCH_RPFILTER is not set +CONFIG_IP6_NF_MATCH_RT=y +CONFIG_IP6_NF_TARGET_HL=y +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_TARGET_REJECT=y +# CONFIG_IP6_NF_TARGET_SYNPROXY is not set +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_RAW=y +# CONFIG_IP6_NF_NAT is not set +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set +# CONFIG_RDS is not set +# CONFIG_TIPC is not set +# CONFIG_ATM is not set +CONFIG_L2TP=y +# CONFIG_L2TP_V3 is not set +# CONFIG_BRIDGE is not set +CONFIG_HAVE_NET_DSA=y +# CONFIG_VLAN_8021Q is not set +# CONFIG_DECNET is not set +# CONFIG_LLC2 is not set +# CONFIG_IPX is not set +# CONFIG_ATALK is not set +# CONFIG_X25 is not set +# CONFIG_LAPB is not set +# CONFIG_PHONET is not set +# CONFIG_6LOWPAN is not set +# CONFIG_IEEE802154 is not set +# CONFIG_NET_SCHED is not set +# CONFIG_DCB is not set +# CONFIG_BATMAN_ADV is not set +# CONFIG_OPENVSWITCH is not set +# CONFIG_VSOCKETS is not set +# CONFIG_NETLINK_MMAP is not set +# CONFIG_NETLINK_DIAG is not set +# CONFIG_NET_MPLS_GSO is not set +# CONFIG_HSR is not set +# CONFIG_NET_SWITCHDEV is not set +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_BQL=y + +# +# Network testing +# +# CONFIG_NET_PKTGEN is not set +# CONFIG_HAMRADIO is not set +# CONFIG_CAN is not set +# CONFIG_IRDA is not set +# CONFIG_BT is not set +# CONFIG_AF_RXRPC is not set +CONFIG_FIB_RULES=y +CONFIG_WIRELESS=y +# CONFIG_CFG80211 is not set +# CONFIG_LIB80211 is not set + +# +# CFG80211 needs to be enabled for MAC80211 +# +# CONFIG_WIMAX is not set +# CONFIG_RFKILL is not set +CONFIG_NET_9P=y +CONFIG_NET_9P_VIRTIO=y +# CONFIG_NET_9P_DEBUG is not set +# CONFIG_CAIF is not set +# CONFIG_CEPH_LIB is not set +# CONFIG_NFC is not set +CONFIG_HAVE_BPF_JIT=y + +# +# Device Drivers +# + +# +# Generic Driver Options +# +CONFIG_UEVENT_HELPER=y +CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" +# CONFIG_DEVTMPFS is not set +CONFIG_STANDALONE=y +CONFIG_PREVENT_FIRMWARE_BUILD=y +CONFIG_FW_LOADER=y +CONFIG_FIRMWARE_IN_KERNEL=y +CONFIG_EXTRA_FIRMWARE="" +# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set +CONFIG_ALLOW_DEV_COREDUMP=y +# CONFIG_DEBUG_DRIVER is not set +# CONFIG_DEBUG_DEVRES is not set +# CONFIG_SYS_HYPERVISOR is not set +# CONFIG_GENERIC_CPU_DEVICES is not set +CONFIG_GENERIC_CPU_AUTOPROBE=y +# CONFIG_DMA_SHARED_BUFFER is not set + +# +# Bus devices +# +# CONFIG_CONNECTOR is not set +# CONFIG_MTD is not set +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +# CONFIG_PARPORT is not set +CONFIG_PNP=y +CONFIG_PNP_DEBUG_MESSAGES=y + +# +# Protocols +# +CONFIG_PNPACPI=y +CONFIG_BLK_DEV=y +# CONFIG_BLK_DEV_NULL_BLK is not set +# CONFIG_BLK_DEV_FD is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_BLK_CPQ_CISS_DA is not set +# CONFIG_BLK_DEV_DAC960 is not set +# CONFIG_BLK_DEV_UMEM is not set +# CONFIG_BLK_DEV_COW_COMMON is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +# CONFIG_BLK_DEV_CRYPTOLOOP is not set +# CONFIG_BLK_DEV_DRBD is not set +CONFIG_BLK_DEV_NBD=y +# CONFIG_BLK_DEV_NVME is not set +# CONFIG_BLK_DEV_SKD is not set +# CONFIG_BLK_DEV_SX8 is not set +# CONFIG_BLK_DEV_RAM is not set +# CONFIG_CDROM_PKTCDVD is not set +# CONFIG_ATA_OVER_ETH is not set +CONFIG_VIRTIO_BLK=y +# CONFIG_BLK_DEV_HD is not set +# CONFIG_BLK_DEV_RBD is not set +# CONFIG_BLK_DEV_RSXX is not set + +# +# Misc devices +# +# CONFIG_SENSORS_LIS3LV02D is not set +# CONFIG_DUMMY_IRQ is not set +# CONFIG_IBM_ASM is not set +# CONFIG_PHANTOM is not set +# CONFIG_SGI_IOC4 is not set +# CONFIG_TIFM_CORE is not set +# CONFIG_ENCLOSURE_SERVICES is not set +# CONFIG_HP_ILO is not set +# CONFIG_SRAM is not set +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_93CX6 is not set +# CONFIG_CB710_CORE is not set + +# +# Texas Instruments shared transport line discipline +# + +# +# Altera FPGA firmware download module +# +# CONFIG_VMWARE_VMCI is not set + +# +# Intel MIC Bus Driver +# +# CONFIG_INTEL_MIC_BUS is not set + +# +# Intel MIC Host Driver +# + +# +# Intel MIC Card Driver +# +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_CXL_BASE is not set +CONFIG_HAVE_IDE=y +# CONFIG_IDE is not set + +# +# SCSI device support +# +CONFIG_SCSI_MOD=y +# CONFIG_RAID_ATTRS is not set +# CONFIG_SCSI is not set +# CONFIG_SCSI_DMA is not set +# CONFIG_SCSI_NETLINK is not set +# CONFIG_ATA is not set +# CONFIG_MD is not set +# CONFIG_FUSION is not set + +# +# IEEE 1394 (FireWire) support +# +# CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# CONFIG_I2O is not set +# CONFIG_MACINTOSH_DRIVERS is not set +CONFIG_NETDEVICES=y +CONFIG_NET_CORE=y +# CONFIG_BONDING is not set +CONFIG_DUMMY=y +# CONFIG_EQUALIZER is not set +# CONFIG_NET_TEAM is not set +# CONFIG_MACVLAN is not set +# CONFIG_IPVLAN is not set +# CONFIG_VXLAN is not set +# CONFIG_NETCONSOLE is not set +# CONFIG_NETPOLL is not set +# CONFIG_NET_POLL_CONTROLLER is not set +CONFIG_TUN=y +# CONFIG_VETH is not set +CONFIG_VIRTIO_NET=y +# CONFIG_NLMON is not set +# CONFIG_ARCNET is not set + +# +# CAIF transport drivers +# +# CONFIG_VHOST_NET is not set + +# +# Distributed Switch Architecture drivers +# +# CONFIG_NET_DSA_MV88E6XXX is not set +# CONFIG_NET_DSA_MV88E6060 is not set +# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set +# CONFIG_NET_DSA_MV88E6131 is not set +# CONFIG_NET_DSA_MV88E6123_61_65 is not set +# CONFIG_NET_DSA_MV88E6171 is not set +# CONFIG_NET_DSA_MV88E6352 is not set +# CONFIG_NET_DSA_BCM_SF2 is not set +CONFIG_ETHERNET=y +CONFIG_NET_VENDOR_3COM=y +# CONFIG_VORTEX is not set +# CONFIG_TYPHOON is not set +CONFIG_NET_VENDOR_ADAPTEC=y +# CONFIG_ADAPTEC_STARFIRE is not set +CONFIG_NET_VENDOR_AGERE=y +# CONFIG_ET131X is not set +CONFIG_NET_VENDOR_ALTEON=y +# CONFIG_ACENIC is not set +# CONFIG_ALTERA_TSE is not set +CONFIG_NET_VENDOR_AMD=y +# CONFIG_AMD8111_ETH is not set +# CONFIG_PCNET32 is not set +# CONFIG_NET_XGENE is not set +# CONFIG_NET_VENDOR_ARC is not set +CONFIG_NET_VENDOR_ATHEROS=y +# CONFIG_ATL2 is not set +# CONFIG_ATL1 is not set +# CONFIG_ATL1E is not set +# CONFIG_ATL1C is not set +# CONFIG_ALX is not set +CONFIG_NET_VENDOR_BROADCOM=y +# CONFIG_B44 is not set +# CONFIG_BCMGENET is not set +# CONFIG_BNX2 is not set +# CONFIG_CNIC is not set +# CONFIG_TIGON3 is not set +# CONFIG_BNX2X is not set +CONFIG_NET_VENDOR_BROCADE=y +# CONFIG_BNA is not set +CONFIG_NET_VENDOR_CHELSIO=y +# CONFIG_CHELSIO_T1 is not set +# CONFIG_CHELSIO_T3 is not set +# CONFIG_CHELSIO_T4 is not set +# CONFIG_CHELSIO_T4VF is not set +CONFIG_NET_VENDOR_CISCO=y +# CONFIG_ENIC is not set +# CONFIG_CX_ECAT is not set +# CONFIG_DNET is not set +CONFIG_NET_VENDOR_DEC=y +# CONFIG_NET_TULIP is not set +CONFIG_NET_VENDOR_DLINK=y +# CONFIG_DL2K is not set +# CONFIG_SUNDANCE is not set +CONFIG_NET_VENDOR_EMULEX=y +# CONFIG_BE2NET is not set +CONFIG_NET_VENDOR_EXAR=y +# CONFIG_S2IO is not set +# CONFIG_VXGE is not set +CONFIG_NET_VENDOR_HP=y +# CONFIG_HP100 is not set +CONFIG_NET_VENDOR_INTEL=y +# CONFIG_E100 is not set +# CONFIG_E1000 is not set +# CONFIG_E1000E is not set +# CONFIG_IGB is not set +# CONFIG_IGBVF is not set +# CONFIG_IXGB is not set +# CONFIG_IXGBE is not set +# CONFIG_IXGBEVF is not set +# CONFIG_I40E is not set +# CONFIG_I40EVF is not set +# CONFIG_FM10K is not set +CONFIG_NET_VENDOR_I825XX=y +# CONFIG_IP1000 is not set +# CONFIG_JME is not set +CONFIG_NET_VENDOR_MARVELL=y +# CONFIG_MVMDIO is not set +# CONFIG_SKGE is not set +# CONFIG_SKY2 is not set +CONFIG_NET_VENDOR_MELLANOX=y +# CONFIG_MLX4_EN is not set +# CONFIG_MLX4_CORE is not set +# CONFIG_MLX5_CORE is not set +CONFIG_NET_VENDOR_MICREL=y +# CONFIG_KS8851_MLL is not set +# CONFIG_KSZ884X_PCI is not set +CONFIG_NET_VENDOR_MYRI=y +# CONFIG_MYRI10GE is not set +# CONFIG_FEALNX is not set +CONFIG_NET_VENDOR_NATSEMI=y +# CONFIG_NATSEMI is not set +# CONFIG_NS83820 is not set +CONFIG_NET_VENDOR_8390=y +# CONFIG_NE2K_PCI is not set +CONFIG_NET_VENDOR_NVIDIA=y +# CONFIG_FORCEDETH is not set +CONFIG_NET_VENDOR_OKI=y +# CONFIG_ETHOC is not set +CONFIG_NET_PACKET_ENGINE=y +# CONFIG_HAMACHI is not set +# CONFIG_YELLOWFIN is not set +CONFIG_NET_VENDOR_QLOGIC=y +# CONFIG_QLA3XXX is not set +# CONFIG_QLCNIC is not set +# CONFIG_QLGE is not set +# CONFIG_NETXEN_NIC is not set +CONFIG_NET_VENDOR_QUALCOMM=y +CONFIG_NET_VENDOR_REALTEK=y +# CONFIG_8139CP is not set +# CONFIG_8139TOO is not set +# CONFIG_R8169 is not set +CONFIG_NET_VENDOR_RDC=y +# CONFIG_R6040 is not set +CONFIG_NET_VENDOR_ROCKER=y +CONFIG_NET_VENDOR_SAMSUNG=y +# CONFIG_SXGBE_ETH is not set +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SILAN=y +# CONFIG_SC92031 is not set +CONFIG_NET_VENDOR_SIS=y +# CONFIG_SIS900 is not set +# CONFIG_SIS190 is not set +# CONFIG_SFC is not set +CONFIG_NET_VENDOR_SMSC=y +# CONFIG_EPIC100 is not set +# CONFIG_SMSC911X is not set +# CONFIG_SMSC9420 is not set +CONFIG_NET_VENDOR_STMICRO=y +# CONFIG_STMMAC_ETH is not set +CONFIG_NET_VENDOR_SUN=y +# CONFIG_HAPPYMEAL is not set +# CONFIG_SUNGEM is not set +# CONFIG_CASSINI is not set +# CONFIG_NIU is not set +CONFIG_NET_VENDOR_TEHUTI=y +# CONFIG_TEHUTI is not set +CONFIG_NET_VENDOR_TI=y +# CONFIG_TLAN is not set +CONFIG_NET_VENDOR_VIA=y +# CONFIG_VIA_RHINE is not set +# CONFIG_VIA_VELOCITY is not set +CONFIG_NET_VENDOR_WIZNET=y +# CONFIG_WIZNET_W5100 is not set +# CONFIG_WIZNET_W5300 is not set +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# CONFIG_NET_SB1000 is not set +# CONFIG_PHYLIB is not set +# CONFIG_PPP is not set +# CONFIG_SLIP is not set + +# +# Host-side USB support is needed for USB Network Adapter support +# +CONFIG_WLAN=y +# CONFIG_PRISM54 is not set +# CONFIG_HOSTAP is not set +# CONFIG_WL_TI is not set + +# +# Enable WiMAX (Networking options) to see the WiMAX drivers +# +# CONFIG_WAN is not set +# CONFIG_VMXNET3 is not set +# CONFIG_ISDN is not set + +# +# Input device support +# +CONFIG_INPUT=y +# CONFIG_INPUT_FF_MEMLESS is not set +# CONFIG_INPUT_POLLDEV is not set +# CONFIG_INPUT_SPARSEKMAP is not set +# CONFIG_INPUT_MATRIXKMAP is not set + +# +# Userland interfaces +# +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +# CONFIG_INPUT_JOYDEV is not set +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +CONFIG_KEYBOARD_ATKBD=y +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_XTKBD is not set +CONFIG_INPUT_MOUSE=y +CONFIG_MOUSE_PS2=y +CONFIG_MOUSE_PS2_ALPS=y +CONFIG_MOUSE_PS2_LOGIPS2PP=y +CONFIG_MOUSE_PS2_SYNAPTICS=y +CONFIG_MOUSE_PS2_CYPRESS=y +CONFIG_MOUSE_PS2_LIFEBOOK=y +CONFIG_MOUSE_PS2_TRACKPOINT=y +# CONFIG_MOUSE_PS2_ELANTECH is not set +# CONFIG_MOUSE_PS2_SENTELIC is not set +# CONFIG_MOUSE_PS2_TOUCHKIT is not set +# CONFIG_MOUSE_SERIAL is not set +# CONFIG_MOUSE_APPLETOUCH is not set +# CONFIG_MOUSE_BCM5974 is not set +# CONFIG_MOUSE_VSXXXAA is not set +# CONFIG_MOUSE_SYNAPTICS_USB is not set +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +# CONFIG_INPUT_MISC is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_SERPORT=y +# CONFIG_SERIO_CT82C710 is not set +# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_LIBPS2=y +# CONFIG_SERIO_RAW is not set +# CONFIG_SERIO_ALTERA_PS2 is not set +# CONFIG_SERIO_PS2MULT is not set +# CONFIG_SERIO_ARC_PS2 is not set +# CONFIG_GAMEPORT is not set + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_HW_CONSOLE=y +# CONFIG_VT_HW_CONSOLE_BINDING is not set +CONFIG_UNIX98_PTYS=y +# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set +CONFIG_LEGACY_PTYS=y +CONFIG_LEGACY_PTY_COUNT=256 +# CONFIG_SERIAL_NONSTANDARD is not set +# CONFIG_NOZOMI is not set +# CONFIG_N_GSM is not set +# CONFIG_TRACE_SINK is not set +CONFIG_DEVKMEM=y + +# +# Serial drivers +# +# CONFIG_SERIAL_8250 is not set + +# +# Non-8250 serial port support +# +# CONFIG_SERIAL_MFD_HSU is not set +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +CONFIG_HVC_DRIVER=y +CONFIG_VIRTIO_CONSOLE=y +# CONFIG_IPMI_HANDLER is not set +# CONFIG_HW_RANDOM is not set +# CONFIG_NVRAM is not set +# CONFIG_R3964 is not set +# CONFIG_APPLICOM is not set +# CONFIG_MWAVE is not set +# CONFIG_RAW_DRIVER is not set +# CONFIG_HPET is not set +# CONFIG_HANGCHECK_TIMER is not set +# CONFIG_TCG_TPM is not set +# CONFIG_TELCLOCK is not set +CONFIG_DEVPORT=y +# CONFIG_XILLYBUS is not set + +# +# I2C support +# +# CONFIG_I2C is not set +# CONFIG_SPI is not set +# CONFIG_SPMI is not set +# CONFIG_HSI is not set + +# +# PPS support +# +# CONFIG_PPS is not set + +# +# PPS generators support +# + +# +# PTP clock support +# +# CONFIG_PTP_1588_CLOCK is not set + +# +# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. +# +CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y +# CONFIG_GPIOLIB is not set +# CONFIG_W1 is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_BQ27x00 is not set +# CONFIG_CHARGER_MAX8903 is not set +# CONFIG_POWER_RESET is not set +# CONFIG_POWER_AVS is not set +CONFIG_HWMON=y +# CONFIG_HWMON_VID is not set +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NTC_THERMISTOR is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_SIS5595 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_SCH56XX_COMMON is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set +CONFIG_THERMAL=y +CONFIG_THERMAL_HWMON=y +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +# CONFIG_THERMAL_GOV_USER_SPACE is not set +# CONFIG_THERMAL_EMULATION is not set +# CONFIG_INTEL_POWERCLAMP is not set +# CONFIG_INTEL_SOC_DTS_THERMAL is not set +# CONFIG_INT340X_THERMAL is not set + +# +# Texas Instruments thermal drivers +# +# CONFIG_WATCHDOG is not set +CONFIG_SSB_POSSIBLE=y + +# +# Sonics Silicon Backplane +# +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y + +# +# Broadcom specific AMBA +# +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +# CONFIG_MFD_CORE is not set +# CONFIG_MFD_CROS_EC is not set +# CONFIG_HTC_PASIC3 is not set +# CONFIG_LPC_ICH is not set +# CONFIG_LPC_SCH is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_RTSX_PCI is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_ABX500_CORE is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_TMIO is not set +# CONFIG_MFD_VX855 is not set +# CONFIG_REGULATOR is not set +# CONFIG_MEDIA_SUPPORT is not set + +# +# Graphics support +# +# CONFIG_AGP is not set +CONFIG_VGA_ARB=y +CONFIG_VGA_ARB_MAX_GPUS=16 +# CONFIG_VGA_SWITCHEROO is not set + +# +# Direct Rendering Manager +# +# CONFIG_DRM is not set + +# +# Frame buffer Devices +# +# CONFIG_FB is not set +# CONFIG_BACKLIGHT_LCD_SUPPORT is not set +# CONFIG_VGASTATE is not set + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +# CONFIG_VGACON_SOFT_SCROLLBACK is not set +CONFIG_DUMMY_CONSOLE=y +CONFIG_SOUND=y +# CONFIG_SOUND_OSS_CORE is not set +# CONFIG_SND is not set +# CONFIG_SOUND_PRIME is not set + +# +# HID support +# +CONFIG_HID=y +# CONFIG_HID_BATTERY_STRENGTH is not set +# CONFIG_HIDRAW is not set +# CONFIG_UHID is not set +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +CONFIG_HID_A4TECH=y +# CONFIG_HID_ACRUX is not set +CONFIG_HID_APPLE=y +# CONFIG_HID_AUREAL is not set +CONFIG_HID_BELKIN=y +CONFIG_HID_CHERRY=y +CONFIG_HID_CHICONY=y +CONFIG_HID_CYPRESS=y +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELECOM is not set +CONFIG_HID_EZKEY=y +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not set +# CONFIG_HID_UCLOGIC is not set +# CONFIG_HID_WALTOP is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +# CONFIG_HID_TWINHAN is not set +CONFIG_HID_KENSINGTON=y +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LENOVO is not set +CONFIG_HID_LOGITECH=y +# CONFIG_HID_LOGITECH_HIDPP is not set +# CONFIG_LOGITECH_FF is not set +# CONFIG_LOGIRUMBLEPAD2_FF is not set +# CONFIG_LOGIG940_FF is not set +# CONFIG_LOGIWHEELS_FF is not set +# CONFIG_HID_MAGICMOUSE is not set +CONFIG_HID_MICROSOFT=y +CONFIG_HID_MONTEREY=y +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +CONFIG_HID_PLANTRONICS=y +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SAMSUNG is not set +# CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# CONFIG_HID_THRUSTMASTER is not set +# CONFIG_HID_WACOM is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +CONFIG_USB_ARCH_HAS_HCD=y +# CONFIG_USB is not set + +# +# USB port drivers +# + +# +# USB Physical Layer drivers +# +# CONFIG_USB_PHY is not set +# CONFIG_NOP_USB_XCEIV is not set +# CONFIG_USB_GADGET is not set +# CONFIG_UWB is not set +# CONFIG_MMC is not set +# CONFIG_MEMSTICK is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +# CONFIG_EDAC is not set +CONFIG_RTC_LIB=y +# CONFIG_RTC_CLASS is not set +# CONFIG_DMADEVICES is not set +# CONFIG_AUXDISPLAY is not set +# CONFIG_UIO is not set +# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRTIO=y + +# +# Virtio drivers +# +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_BALLOON=y +CONFIG_VIRTIO_MMIO=y +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set + +# +# Microsoft Hyper-V guest support +# +# CONFIG_STAGING is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACERHDF is not set +# CONFIG_ASUS_LAPTOP is not set +# CONFIG_DELL_SMO8800 is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_HP_WIRELESS is not set +# CONFIG_THINKPAD_ACPI is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_ACPI_WMI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_PVPANIC is not set +# CONFIG_CHROME_PLATFORMS is not set + +# +# Hardware Spinlock drivers +# + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# CONFIG_ATMEL_PIT is not set +# CONFIG_SH_TIMER_CMT is not set +# CONFIG_SH_TIMER_MTU2 is not set +# CONFIG_SH_TIMER_TMU is not set +# CONFIG_EM_TIMER_STI is not set +# CONFIG_MAILBOX is not set +CONFIG_IOMMU_SUPPORT=y +# CONFIG_AMD_IOMMU is not set +# CONFIG_INTEL_IOMMU is not set +# CONFIG_IRQ_REMAP is not set + +# +# Remoteproc drivers +# +# CONFIG_STE_MODEM_RPROC is not set + +# +# Rpmsg drivers +# + +# +# SOC (System On Chip) specific Drivers +# +# CONFIG_SOC_TI is not set +# CONFIG_PM_DEVFREQ is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_VME_BUS is not set +# CONFIG_PWM is not set +# CONFIG_IPACK_BUS is not set +# CONFIG_RESET_CONTROLLER is not set +# CONFIG_FMC is not set + +# +# PHY Subsystem +# +# CONFIG_GENERIC_PHY is not set +# CONFIG_BCM_KONA_USB2_PHY is not set +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set +# CONFIG_THUNDERBOLT is not set + +# +# Android +# +# CONFIG_ANDROID is not set + +# +# Firmware Drivers +# +# CONFIG_EDD is not set +CONFIG_FIRMWARE_MEMMAP=y +# CONFIG_DELL_RBU is not set +# CONFIG_DCDBAS is not set +CONFIG_DMIID=y +# CONFIG_DMI_SYSFS is not set +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +# CONFIG_ISCSI_IBFT_FIND is not set +# CONFIG_GOOGLE_FIRMWARE is not set + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +CONFIG_EXT2_FS=y +# CONFIG_EXT2_FS_XATTR is not set +# CONFIG_EXT2_FS_XIP is not set +CONFIG_EXT3_FS=y +# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set +# CONFIG_EXT3_FS_XATTR is not set +# CONFIG_EXT4_FS is not set +CONFIG_JBD=y +CONFIG_REISERFS_FS=y +# CONFIG_REISERFS_CHECK is not set +# CONFIG_REISERFS_PROC_INFO is not set +# CONFIG_REISERFS_FS_XATTR is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_BTRFS_FS is not set +# CONFIG_NILFS2_FS is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_FILE_LOCKING=y +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +# CONFIG_FANOTIFY is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_AUTOFS4_FS=y +# CONFIG_FUSE_FS is not set +# CONFIG_OVERLAY_FS is not set + +# +# Caches +# +# CONFIG_FSCACHE is not set + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +# CONFIG_ZISOFS is not set +# CONFIG_UDF_FS is not set + +# +# DOS/FAT/NT Filesystems +# +# CONFIG_MSDOS_FS is not set +# CONFIG_VFAT_FS is not set +# CONFIG_NTFS_FS is not set + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +# CONFIG_TMPFS_XATTR is not set +# CONFIG_HUGETLBFS is not set +# CONFIG_HUGETLB_PAGE is not set +# CONFIG_CONFIGFS_FS is not set +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_LOGFS is not set +# CONFIG_CRAMFS is not set +# CONFIG_SQUASHFS is not set +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +# CONFIG_PSTORE is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +# CONFIG_F2FS_FS is not set +CONFIG_NETWORK_FILESYSTEMS=y +# CONFIG_NFS_FS is not set +# CONFIG_NFSD is not set +# CONFIG_CEPH_FS is not set +# CONFIG_CIFS is not set +# CONFIG_NCP_FS is not set +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=y +CONFIG_9P_FS_POSIX_ACL=y +# CONFIG_9P_FS_SECURITY is not set +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="iso8859-1" +# CONFIG_NLS_CODEPAGE_437 is not set +# CONFIG_NLS_CODEPAGE_737 is not set +# CONFIG_NLS_CODEPAGE_775 is not set +# CONFIG_NLS_CODEPAGE_850 is not set +# CONFIG_NLS_CODEPAGE_852 is not set +# CONFIG_NLS_CODEPAGE_855 is not set +# CONFIG_NLS_CODEPAGE_857 is not set +# CONFIG_NLS_CODEPAGE_860 is not set +# CONFIG_NLS_CODEPAGE_861 is not set +# CONFIG_NLS_CODEPAGE_862 is not set +# CONFIG_NLS_CODEPAGE_863 is not set +# CONFIG_NLS_CODEPAGE_864 is not set +# CONFIG_NLS_CODEPAGE_865 is not set +# CONFIG_NLS_CODEPAGE_866 is not set +# CONFIG_NLS_CODEPAGE_869 is not set +# CONFIG_NLS_CODEPAGE_936 is not set +# CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +# CONFIG_NLS_ASCII is not set +# CONFIG_NLS_ISO8859_1 is not set +# CONFIG_NLS_ISO8859_2 is not set +# CONFIG_NLS_ISO8859_3 is not set +# CONFIG_NLS_ISO8859_4 is not set +# CONFIG_NLS_ISO8859_5 is not set +# CONFIG_NLS_ISO8859_6 is not set +# CONFIG_NLS_ISO8859_7 is not set +# CONFIG_NLS_ISO8859_9 is not set +# CONFIG_NLS_ISO8859_13 is not set +# CONFIG_NLS_ISO8859_14 is not set +# CONFIG_NLS_ISO8859_15 is not set +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +# CONFIG_NLS_UTF8 is not set + +# +# Kernel hacking +# +CONFIG_TRACE_IRQFLAGS_SUPPORT=y + +# +# printk and dmesg options +# +# CONFIG_PRINTK_TIME is not set +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +# CONFIG_DEBUG_INFO_REDUCED is not set +# CONFIG_DEBUG_INFO_SPLIT is not set +# CONFIG_DEBUG_INFO_DWARF4 is not set +CONFIG_ENABLE_WARN_DEPRECATED=y +CONFIG_ENABLE_MUST_CHECK=y +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM is not set +# CONFIG_UNUSED_SYMBOLS is not set +# CONFIG_PAGE_OWNER is not set +# CONFIG_DEBUG_FS is not set +# CONFIG_HEADERS_CHECK is not set +# CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_ARCH_WANT_FRAME_POINTERS=y +CONFIG_FRAME_POINTER=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# CONFIG_MAGIC_SYSRQ is not set +CONFIG_DEBUG_KERNEL=y + +# +# Memory Debugging +# +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_DEBUG_PAGEALLOC is not set +# CONFIG_DEBUG_OBJECTS is not set +# CONFIG_DEBUG_SLAB is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_DEBUG_VM is not set +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +CONFIG_HAVE_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not set +CONFIG_HAVE_ARCH_KMEMCHECK=y +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Lockups and Hangs +# +# CONFIG_LOCKUP_DETECTOR is not set +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 +# CONFIG_PANIC_ON_OOPS is not set +CONFIG_PANIC_ON_OOPS_VALUE=0 +CONFIG_PANIC_TIMEOUT=0 +# CONFIG_SCHED_DEBUG is not set +# CONFIG_SCHEDSTATS is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +# CONFIG_TIMER_STATS is not set + +# +# Lock Debugging (spinlocks, mutexes, etc...) +# +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_STACKTRACE is not set +# CONFIG_DEBUG_KOBJECT is not set +CONFIG_DEBUG_BUGVERBOSE=y +# CONFIG_DEBUG_LIST is not set +# CONFIG_DEBUG_PI_LIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_DEBUG_CREDENTIALS is not set + +# +# RCU Debugging +# +# CONFIG_SPARSE_RCU_POINTER is not set +# CONFIG_TORTURE_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +# CONFIG_RCU_TRACE is not set +# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +# CONFIG_FAULT_INJECTION is not set +# CONFIG_LATENCYTOP is not set +CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y +# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_TRACING_SUPPORT=y +CONFIG_FTRACE=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_SCHED_TRACER is not set +# CONFIG_ENABLE_DEFAULT_TRACERS is not set +# CONFIG_FTRACE_SYSCALLS is not set +# CONFIG_TRACER_SNAPSHOT is not set +CONFIG_BRANCH_PROFILE_NONE=y +# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set +# CONFIG_PROFILE_ALL_BRANCHES is not set +# CONFIG_STACK_TRACER is not set +# CONFIG_BLK_DEV_IO_TRACE is not set +# CONFIG_UPROBE_EVENT is not set +# CONFIG_PROBE_EVENTS is not set +# CONFIG_MMIOTRACE is not set +# CONFIG_TRACEPOINT_BENCHMARK is not set + +# +# Runtime Testing +# +# CONFIG_TEST_LIST_SORT is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_RBTREE_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_RHASHTABLE is not set +# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set +# CONFIG_DMA_API_DEBUG is not set +# CONFIG_TEST_FIRMWARE is not set +# CONFIG_TEST_UDELAY is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +# CONFIG_STRICT_DEVMEM is not set +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_X86_PTDUMP is not set +CONFIG_DEBUG_RODATA=y +CONFIG_DEBUG_RODATA_TEST=y +CONFIG_DOUBLEFAULT=y +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_DEBUG is not set +# CONFIG_IOMMU_STRESS is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +CONFIG_IO_DELAY_TYPE_0X80=0 +CONFIG_IO_DELAY_TYPE_0XED=1 +CONFIG_IO_DELAY_TYPE_UDELAY=2 +CONFIG_IO_DELAY_TYPE_NONE=3 +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +CONFIG_DEFAULT_IO_DELAY_TYPE=0 +# CONFIG_CPA_DEBUG is not set +# CONFIG_OPTIMIZE_INLINING is not set +# CONFIG_DEBUG_NMI_SELFTEST is not set +# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set + +# +# Security options +# +# CONFIG_KEYS is not set +# CONFIG_SECURITY_DMESG_RESTRICT is not set +# CONFIG_SECURITY is not set +# CONFIG_SECURITYFS is not set +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_DEFAULT_SECURITY="" +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_BLKCIPHER=y +CONFIG_CRYPTO_BLKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_PCOMP=y +CONFIG_CRYPTO_PCOMP2=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_GF128MUL=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_WORKQUEUE=y +CONFIG_CRYPTO_CRYPTD=y +# CONFIG_CRYPTO_MCRYPTD is not set +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_ABLK_HELPER=y +CONFIG_CRYPTO_GLUE_HELPER_X86=y + +# +# Authenticated Encryption with Associated Data +# +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_SEQIV=y + +# +# Block modes +# +CONFIG_CRYPTO_CBC=y +CONFIG_CRYPTO_CTR=y +# CONFIG_CRYPTO_CTS is not set +CONFIG_CRYPTO_ECB=y +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_PCBC=y +CONFIG_CRYPTO_XTS=y + +# +# Hash modes +# +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_XCBC=y +# CONFIG_CRYPTO_VMAC is not set + +# +# Digest +# +CONFIG_CRYPTO_CRC32C=y +# CONFIG_CRYPTO_CRC32C_INTEL is not set +# CONFIG_CRYPTO_CRC32 is not set +# CONFIG_CRYPTO_CRC32_PCLMUL is not set +# CONFIG_CRYPTO_CRCT10DIF is not set +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +CONFIG_CRYPTO_RMD128=y +CONFIG_CRYPTO_RMD160=y +CONFIG_CRYPTO_RMD256=y +CONFIG_CRYPTO_RMD320=y +CONFIG_CRYPTO_SHA1=y +# CONFIG_CRYPTO_SHA1_SSSE3 is not set +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +# CONFIG_CRYPTO_SHA1_MB is not set +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_TGR192=y +CONFIG_CRYPTO_WP512=y +# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set + +# +# Ciphers +# +CONFIG_CRYPTO_AES=y +CONFIG_CRYPTO_AES_X86_64=y +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ANUBIS=y +CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_BLOWFISH=y +CONFIG_CRYPTO_BLOWFISH_COMMON=y +CONFIG_CRYPTO_BLOWFISH_X86_64=y +CONFIG_CRYPTO_CAMELLIA=y +CONFIG_CRYPTO_CAMELLIA_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_CAST_COMMON=y +CONFIG_CRYPTO_CAST5=y +CONFIG_CRYPTO_CAST5_AVX_X86_64=y +CONFIG_CRYPTO_CAST6=y +CONFIG_CRYPTO_CAST6_AVX_X86_64=y +CONFIG_CRYPTO_DES=y +# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set +CONFIG_CRYPTO_FCRYPT=y +CONFIG_CRYPTO_KHAZAD=y +CONFIG_CRYPTO_SALSA20=y +CONFIG_CRYPTO_SALSA20_X86_64=y +CONFIG_CRYPTO_SEED=y +CONFIG_CRYPTO_SERPENT=y +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y +CONFIG_CRYPTO_TEA=y +CONFIG_CRYPTO_TWOFISH=y +CONFIG_CRYPTO_TWOFISH_COMMON=y +CONFIG_CRYPTO_TWOFISH_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_ZLIB=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_LZ4=y +CONFIG_CRYPTO_LZ4HC=y + +# +# Random Number Generation +# +# CONFIG_CRYPTO_ANSI_CPRNG is not set +# CONFIG_CRYPTO_DRBG_MENU is not set +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +# CONFIG_CRYPTO_HW is not set +CONFIG_HAVE_KVM=y +CONFIG_VIRTUALIZATION=y +# CONFIG_KVM is not set +# CONFIG_BINARY_PRINTF is not set + +# +# Library routines +# +CONFIG_BITREVERSE=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +CONFIG_GENERIC_FIND_FIRST_BIT=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_GENERIC_IO=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +# CONFIG_CRC_T10DIF is not set +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +CONFIG_CRC7=y +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_COMPRESS=y +CONFIG_LZ4HC_COMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +# CONFIG_XZ_DEC is not set +# CONFIG_XZ_DEC_BCJ is not set +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +CONFIG_DQL=y +CONFIG_NLATTR=y +CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y +CONFIG_AVERAGE=y +# CONFIG_CORDIC is not set +# CONFIG_DDR is not set +CONFIG_ARCH_HAS_SG_CHAIN=y diff --git a/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.der b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.der new file mode 100644 index 000000000..cbc7e09c1 Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.der differ diff --git a/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.der b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.der new file mode 100644 index 000000000..76cafc198 Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.der differ diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261 deleted file mode 100644 index c98775369..000000000 Binary files a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261 and /dev/null differ diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192eb b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192eb new file mode 100644 index 000000000..016c4125d Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192eb differ diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1 deleted file mode 100644 index 0f2a0ec8d..000000000 Binary files a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1 and /dev/null differ diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491a b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491a new file mode 100644 index 000000000..1a40299f2 Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491a differ diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da deleted file mode 100644 index 489030d9f..000000000 Binary files a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da and /dev/null differ diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488 deleted file mode 100644 index 863f65237..000000000 Binary files a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488 and /dev/null differ diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329f b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329f new file mode 100644 index 000000000..49f4ad719 Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329f differ diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d new file mode 100644 index 000000000..267516b0c Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d differ diff --git a/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem b/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem index bb205a0fd..2076242cc 100644 --- a/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem +++ b/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem @@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw -M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw +OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu -MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa -ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO -UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD -h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY -i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB -o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2 -KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz +w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw +1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR +IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX +7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w +F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB +o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK +cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 -YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF -AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv -YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx -rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C -1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5 -wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v -DSlBqDpnqK8tEI9V9YeroihTcygrEg== +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF +AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd +i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4 +zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM +4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE +VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF +5n7mN4ssNQdcD86W5lnI9pT5s1uvdw== -----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem b/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem index 5fff90708..a5b46cc6c 100644 --- a/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem +++ b/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNuMfyRDsc7m1KRDVt8N4h/ -EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKaub5AgsRa2fOOR9xfyf0Q -7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsOUHOJAPZNoGPey5UL9Zjj -sN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKDh/pliP7uZANd0ZpPcrIc -68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeYi9wFLnS2tgV3ID4LzEEI -CSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQABAoIBADfb0r6cpnRsnSKF -5RBfReyu6vo4GB0lNGSeRqFRgivU+vMoiG2S58t7AQi2FyTNYbNDFdh31LS8WLbI -OkWv2HehijN4FO4pqmI9JtSHnbLNJEHEizDBTASLz/9irisX3HCXMVORh4oEb2Ko -QdmulOjePSJDZbLv6H/JI0bpYsgiAw26KEoB8cnHwiApF69a4uPJA6gW98nsabyq -9NQVW5QAmUFDnzA6upFRBUeBBpufYMvP82zfntFx72yLBmXgBnyZW23WwZfQZSzw -FChhl40mwykOE8jpeGgxmdWyPc29roF+kuvaOUaSF2nmyl4qhLCISdr0eHXHAGDH -2RjVJ6ECgYEA0YW38d4309J1QegK5vhPWehnxpZHpK86DENevYaS7zRcCu1BRZc0 -aBAceTYCZHYofOWmeIns0qtMfzzuemPCiOZWy9VYgJrJ0YkmNin3DM1/13pWiKqn -EkQCFa6K5AiB0umTOwJoAHlJYlJ2k4bw7Rm/LtiHC2fnRq2KJeKmg60CgYEAyP30 -5D8sUkih9rRfZRHAPo0x1qJpJQC+cFUBMIuOXFIz37TqbZcGDkRRb+ewywNxT73t -TfVDvR7tD3cYTi78dVz539Dwl9mt10QLGsQJ4825uY/LQqUe8F2qz+E3lWqoo+yJ -WlTAqbHI2a4g4CjFC4/+i6lKQ+NpmJLZIPz3HAUCgYEAiduy4Ti2gPAb6OZ1re05 -wM1y4q5kq04EIqd9QbS3Hx7TZPkgllpbyBC5u2M3BcTc9PjhpLQTl7XQGnQL8YmM -KSlteKaCmfO+0NitxLut6sWX1T6Qi1HFpfYLbRqwFkQmr5CyKAR4S7+B8miRzpXe -FhN3wKoFiRKvkMiEelL7/u0CgYEAnh4TWsBL+MuFBxTs+xDU4SCotYZ9GwwTxUFK -N0uCiiRtBK9JwT8PF4gtXNCzZ3Jk4Ou0VSD+0jgTHJh/eXpDR30GYkn4DC3GMdQo -vDy+3wSH+HAj4mEODuBRMUqnNJd85cB+aZ7FFnpzXLQ8zrukEC2OfYaHkxLDjrDv -uaDoMZUCgYEAhD89Cj849LXbJEmjX0MGUCCBO9EBR2Ux2nbuB+TQnvwz7VT0Jkds -Db1IfljoDefqzyFfH/0Z3bNg4EpidAG3BMC4MwY7WzR1rfnXwNluaWM5gmUzFNw0 -mBGXonIf6nRMIO9eeTFI8VfFb6BYvosNxz+9QA/5rpamGN1cKdMjgPc= +MIIEpQIBAAKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPzw6tqtEkIdftEawgc5gvl +C80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw1duoY7NE+RZwODEsWVgn +DRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IRIcEfZeAv7URGz7xdrzmK +/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX7mdNHnpjcwT9/ruyOaNQ +0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0wF0Bc9lZxnv9ppYgBPsOT +jE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQABAoIBADxEv72xBkCinBEt +ExPeXLnb7ADwC6MZuoFbbHtsv+YWFC84YaIHhJlY8ldvUPa4y+SuFCVAZI7d76uE +iRrYEzqKNuzWPuRcMwjI2beOmzFrlO6UePKZ3R/7EhoA6oSmX2U4Wr0R7eEKrgi8 +w9no5NIr6Ota8mQBsDDeWoGjBZReLHcagK3P+LG7B9EfMbdedd4c+sAYypmbhjvf +pj2AE08D/eI1j9Jd0w9J4oVNel1p7iYT5wYnZzdHcJdAWHlzFrKFQVVfJBBviskX +dm8GUOP0ZdOc0xYAyVcFAyu1x0JBkrFM5zOs6UAsRSzP5PQ/J8VFK7BQAv9/TX1D +eZi2DwECgYEA3mPpG0VRsZXDF63KlWnCn7cl6i+CAhMxYVCVn8RwBGc7Q8Xtw+9b +y7VktDGTcgcZIxDh/T17FBAn2ZL28tbssRxnRD+lQG1pf86RKLU+HXQ4Ppt7CbA0 +G2oV7+qxA2At3yknHmeIyvzBp+OuCc2XboOhshN5ncgMXl9EzRsCilUCgYEA2EPT +dXf57rG4k9mcjdohIdutBB+mOXS8K9fbg+V/l+bmGxINWKxF4w2N3pulw4380TRr +caYI7dxjpmCopnxNEhBiyOuBOEEqdGxdm69CNSO/hFDE92pQECl+6+AIa9Kv/Z3+ +Wdxwo447xgz1wDclhEcVW9rD6sAshpLQREOvIMcCgYEAjxrDmeTVWO0CCW6v+c2A +i74TC8teYW9wSyrL3W9OlcbIACiRg4+3BjLHhpyQQMQIjOQESC0T0ilDO2KyvjlH +PgEFAoniEL9XMAMAra1TNyjeOItcdTOJlEqDq0redUmiuwOERLBi+hwDkcGU8IH3 +fAoANtMJY1qjeubbIxDKZbECgYEAleJkMtzFBq57m1TNkO6l2d5zShFZVibWp5hC +Fma/iJrJzec0Asna4eMp+Sdsuly05JVtBeYp+Bivo8cH++LYU3Wx0UiPVVqsvuW/ +9r9/pm6xNFX6PPOcq6bmxTmO/JOXz7FpcAQ8uM5CFSA0TlSqFsRhRDkZYaBw+4/S +8gzq2k8CgYEAz/0eK0YPxxh4NHwXVWEsMeTDmC37BmoXU5oOmcgFHmhWXFSvvJLn +OB5QojTUuEsU9soHqk8F5oCt8DTz/LkJt+lygcSZ+qDOLJ0c9fGxDIp0s3HxiX4G +BwiYDDqLzFNi6TOQsk15rWWVC9W+PaxsfkrdewvW4ZT695ZWxsKAHP8= -----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/duck/index.txt b/testing/hosts/winnetou/etc/openssl/duck/index.txt index 759a85b80..70a88fcbb 100644 --- a/testing/hosts/winnetou/etc/openssl/duck/index.txt +++ b/testing/hosts/winnetou/etc/openssl/duck/index.txt @@ -1 +1 @@ -V 141103162335Z 01 unknown /C=CH/O=Linux strongSwan/OU=Duck Research/CN=carol@strongswan.org +V 190225221822Z 01 unknown /C=CH/O=Linux strongSwan/OU=Duck Research/CN=carol@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem index 4e13b52d0..70b953e49 100644 --- a/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem +++ b/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX -BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz -MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMTQxMTI4MjIxODIyWhcNMTkwMjI1 +MjIxODIyWjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n -c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y -IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2 -30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb -jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG -veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii -ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5 -7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD -VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx -jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg +c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNBbHnfLRk +Lvxh9V7x/NoSs5qavpr8F51LnYpIfppgMvBDjpdeSnBPOOPakPlfUhKSvXIesESv +QI1HJOlGftswL9A5B1lTnsH65sqpgqgj67grh386U3O9ZccFhUj8Dw6TUo/qe4pK +sWDwUX/LG3mjOx/rOGvX8WxvZU7JVXXhU4g8TpIV3JRTQ+lF82z3qoS6dAfRt4xh +6pyLuMYbu6UtX5Al0iJDvpsWr9ZbKI2f8Dhkr0sZFRHl7Gs5jTN1Ra1EF0jCjIzo +6AkkY+ITBssvVvMFpeN/jb0ZhvLcRFU56lvLkmrj/InKUsk9qNm80+/wFBUzJ5N7 +GezXmBIPwXdlAgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD +VR0OBBYEFLPw4VsFnIRIKhjd/OF7delHM9kiMHkGA1UdIwRyMHCAFIpw4MqlHGRv +K5K5c1wBrJAb/fk1oVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo -IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3 -DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH -TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G -4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6 -Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O -3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok -BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE +IENBggEKMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3 +DQEBCwUAA4IBAQCi2vUHTZtkUGMAQsztQBLDwtqS7D+1ydO2BU/wkNRn4M7Zlkjq +O2JBgwGmeWpnZWPdNo+A5ECqcVYXp0XQw/24zxV92StTN7mGvPKVM6bYExcCT8x6 +tVkzlfyjJaVdBgl12jkQA4v6Efwc0P6nunYfxYIrfoFA4kjMnAbxLfPKFEj8b8NW +E9gvOEPy9hOv2dJEKyNxau+O5oGRZ46zSotcS0n34huoMEkXpUnpGOgZw8cl8xpP +ffHiAJqZYgqU6B++HQO6M6IQ0nQmX6OxGz+5VhEmuizgWB0B1L65BlzAysdavLZN +Yn4RdcYfpdbUgj5oRapiwWaQxpGImyQ1JBIU -----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl index 839816bf5..f064bdb0b 100755 --- a/testing/hosts/winnetou/etc/openssl/generate-crl +++ b/testing/hosts/winnetou/etc/openssl/generate-crl @@ -44,4 +44,6 @@ cd /etc/openssl/rfc3779 openssl ca -gencrl -crldays 15 -config /etc/openssl/rfc3779/openssl.cnf -out crl.pem openssl crl -in crl.pem -outform der -out strongswan_rfc3779.crl cp strongswan_rfc3779.crl ${ROOT} - +cd /etc/openssl/bliss +pki --signcrl --cacert strongswan_blissCert.der --cakey strongswan_blissKey.der --lifetime 30 --digest sha512 > strongswan_bliss.crl +cp strongswan_bliss.crl ${ROOT} diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt index 49264a5ee..ba3349cf9 100644 --- a/testing/hosts/winnetou/etc/openssl/index.txt +++ b/testing/hosts/winnetou/etc/openssl/index.txt @@ -27,7 +27,7 @@ R 140826100818Z 140827143358Z,superseded 1A unknown /C=CH/O=Linux strongSwan/OU= R 140826103106Z 090827103405Z,keyCompromise 1B unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org R 140826103739Z 140827143427Z,superseded 1C unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org R 140826104451Z 140827143432Z,superseded 1D unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org -V 141123125153Z 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org +R 141123125153Z 141128194312Z,superseded 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org V 150226210530Z 1F unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org V 190404095350Z 20 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 190404095433Z 21 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA @@ -47,3 +47,4 @@ V 190826145626Z 2E unknown /C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongsw R 190826150222Z 140827150343Z,keyCompromise 2F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org V 190826150536Z 30 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org V 190826151202Z 31 unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org +V 191127201436Z 32 unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old index cd5ddfd6b..b3ff1c581 100644 --- a/testing/hosts/winnetou/etc/openssl/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/index.txt.old @@ -27,7 +27,7 @@ R 140826100818Z 140827143358Z,superseded 1A unknown /C=CH/O=Linux strongSwan/OU= R 140826103106Z 090827103405Z,keyCompromise 1B unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org R 140826103739Z 140827143427Z,superseded 1C unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org R 140826104451Z 140827143432Z,superseded 1D unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org -V 141123125153Z 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org +R 141123125153Z 141128194312Z,superseded 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org V 150226210530Z 1F unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org V 190404095350Z 20 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 190404095433Z 21 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA @@ -46,3 +46,4 @@ V 190826145436Z 2D unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswa V 190826145626Z 2E unknown /C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org R 190826150222Z 140827150343Z,keyCompromise 2F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org V 190826150536Z 30 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +V 190826151202Z 31 unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/32.pem b/testing/hosts/winnetou/etc/openssl/newcerts/32.pem new file mode 100644 index 000000000..f7c90d302 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/32.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIBMjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTE0MTEyODIwMTQzNloXDTE5MTEyNzIwMTQzNlowZzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag +U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcEKXgcanpPoLMCxFLx1Br +9WYJGHxMIi6eGfHHFObA56DpDxEUfRA88wvOgcq/PxSjAJZLePO9VQLU+sdK9+u9 +7INf7AMQ7CSRfHgkjEAt2SK4iWAk01I957qdwbvTTsBvmEAiKtqpQVcKbkokx1dC +J7prB4TjJWQlxihMAfgRQEX8EWE1c2vmzQ8fVkEc37E/kWpwDYlKtVidn+Nrt5j7 +SuE+HKZOE9zc2hRXU9IE/5hgHmPd0sIkmusTYqr+feeS3x6FfiWn/xIMlf4eTQ6F +55EgdUsem4su0y30i369aMviOL5Rc9OAyT/eH5AU/5BBy9M/y0Sep3wgdrOLsD3h +AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU +DPBHE7nzb272+F6creQm6ORqEkIwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg +YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT +d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT +b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E +MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u +Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBvnya63noZrXlKv5daWjqGTmpftPIvK5KA +tyQlZn4eSY0GDK4M9HPtPmg1o+gYJnQr9STADh737clPb3P05xzc1LLBiQ+laLZ4 +8KpZ4od5QSMTPCzYgx2LQxqKQz9PjbeLP1wcMLxRsluiwPJu9KnfZBDvHsow/UU8 +SPg62z3p17SZxoCk/87Q3eyZkI7BFJJtyrq4yiRf7lFjaLyw1SnM7sjwOMzoQBVO +bj21Spn1XQ/1X+DiCB3pFvsGEU0ZdfWKrURNeYgh+KX6S1q0mDusOwIunpR0z2Nx +Oc8QA3YT5fse48k3sUlRuKY+YSQZqj/vG12cHjBGGQRwmpbaTBHT +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/ocspCert.pem index f84d1a877..f7c90d302 100644 --- a/testing/hosts/winnetou/etc/openssl/ocspCert.pem +++ b/testing/hosts/winnetou/etc/openssl/ocspCert.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEQzCCAyugAwIBAgIBHjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MIIEQzCCAyugAwIBAgIBMjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA5MTEyNDEyNTE1M1oXDTE0MTEyMzEyNTE1M1owZzELMAkGA1UE +b290IENBMB4XDTE0MTEyODIwMTQzNloXDTE5MTEyNzIwMTQzNlowZzELMAkGA1UE BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8BT5LvsaxM0gOw9QM74ML -vbxXXxTv9W0L//oBnPohbVyueSl0/r2rcIeYa0g1eePgwRRBHwr356Om2mv/zXTp -lQA4qtY6YMZkoeYCOVhO/fJ4CGO213qWeWIYOe4njTuiPUiI20PWancgaic5UOAC -UBnyes94I5kB1OWx0THma4Sv0HdBRoWwO+ZqAA87fpV/Wagi6ElJBcjLbO5Hpy3J -dFvrjNWZwuJw2+qHQ4QOT4McpusfIjgXaZtyEpVIcbJ7knNSq+MapdP0RBS6wzXa -kWx9tMIAB9gKUfENTNl60ZnmqI0KgKiR3Yqia/bbsD7JcangOcOjWA2H0LKnnLdp +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcEKXgcanpPoLMCxFLx1Br +9WYJGHxMIi6eGfHHFObA56DpDxEUfRA88wvOgcq/PxSjAJZLePO9VQLU+sdK9+u9 +7INf7AMQ7CSRfHgkjEAt2SK4iWAk01I957qdwbvTTsBvmEAiKtqpQVcKbkokx1dC +J7prB4TjJWQlxihMAfgRQEX8EWE1c2vmzQ8fVkEc37E/kWpwDYlKtVidn+Nrt5j7 +SuE+HKZOE9zc2hRXU9IE/5hgHmPd0sIkmusTYqr+feeS3x6FfiWn/xIMlf4eTQ6F +55EgdUsem4su0y30i369aMviOL5Rc9OAyT/eH5AU/5BBy9M/y0Sep3wgdrOLsD3h AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU -NJFukTK/NSVDzCh074LCV5J5E3MwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg +DPBHE7nzb272+F6creQm6ORqEkIwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u -Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBteNdmkKbr3bUJSKTaJ/qssbyPjL7MjAmi -QA1sSq5yIh7Ir23xEq/XQFF51N2yDNuXhLYk1fWou8BL+X9x97BlQkp9/nZ+BdJG -uH2zOUxcsfq57jtwMzlXGrmVUTMAJRtMqrSnVa9jbW+IF2p/sJfeSRRqJ2qwQoDW -ppvvBF4RfdWOVCCidtRmWKycEtP1ylSYyiHswVWhL2gLXQRQ0l5wJdgT2URRDopC -CBiE5mHOWn17gTWQw9SdGbY37o9jXNrY8GRgOeubHFRmdXa1Cli5P5HhIZygUBWX -tn5BvNDEIUz11/AT+HfpdMSKDiAXMq44wqWoYoUXsaLTIp+Vt6NM +Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBvnya63noZrXlKv5daWjqGTmpftPIvK5KA +tyQlZn4eSY0GDK4M9HPtPmg1o+gYJnQr9STADh737clPb3P05xzc1LLBiQ+laLZ4 +8KpZ4od5QSMTPCzYgx2LQxqKQz9PjbeLP1wcMLxRsluiwPJu9KnfZBDvHsow/UU8 +SPg62z3p17SZxoCk/87Q3eyZkI7BFJJtyrq4yiRf7lFjaLyw1SnM7sjwOMzoQBVO +bj21Spn1XQ/1X+DiCB3pFvsGEU0ZdfWKrURNeYgh+KX6S1q0mDusOwIunpR0z2Nx +Oc8QA3YT5fse48k3sUlRuKY+YSQZqj/vG12cHjBGGQRwmpbaTBHT -----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/ocspKey.pem index d25396b09..13a81f29d 100644 --- a/testing/hosts/winnetou/etc/openssl/ocspKey.pem +++ b/testing/hosts/winnetou/etc/openssl/ocspKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAvAU+S77GsTNIDsPUDO+DC728V18U7/VtC//6AZz6IW1crnkp -dP69q3CHmGtINXnj4MEUQR8K9+ejptpr/8106ZUAOKrWOmDGZKHmAjlYTv3yeAhj -ttd6lnliGDnuJ407oj1IiNtD1mp3IGonOVDgAlAZ8nrPeCOZAdTlsdEx5muEr9B3 -QUaFsDvmagAPO36Vf1moIuhJSQXIy2zuR6ctyXRb64zVmcLicNvqh0OEDk+DHKbr -HyI4F2mbchKVSHGye5JzUqvjGqXT9EQUusM12pFsfbTCAAfYClHxDUzZetGZ5qiN -CoCokd2Komv227A+yXGp4DnDo1gNh9Cyp5y3aQIDAQABAoIBACKheJrs9Z3XyzLl -AN6tEt8LwG/7VFjqRH6MVFkNt8iGYybDrE4fSYIVRPRe9jrbS4yvI3LnK9cDdFIc -Mv43sov/ZL4LQVAZWRFZ/Ip2U3yhK5LOQMeBotOqYdYCfYoNaml0jjKe6DzK+Uwg -IT9eVRQ3+r99vU7sh5cdxnzdAirlXAGdy2QxdF1lyC/49H6jxS7qxuxHPqI0P8VR -9xVKIXaAKaxcijg47slC386/yEbO96morZuJX+F+iaQ37T0nV3tTergbwDtit3xo -cOdsHan9zGHE1ayKh8DkBinD+BpiLZdapRvcSm2wAKlamXfI3GIAB5r/3B1NW9yb -rsThgc0CgYEA4CN+fNaFYQmLMK33wZfXvcadaktSWWXmnqPVLIWRddUH3SA5qEJB -RwuuLgcfmlmZqBqSOj4pDTtAoNooqA9Ryi0Ugzpvmn5iPevfixQoLix4mn1/bvbF -bo4CX7Vb7mUdfXpu7PwVNALNfaW6fgKM79LoqX4yZ4k/yFuYl+JTIGcCgYEA1r9k -mTi/5royyVX0vV7uwyKrXQ8VRVhnVeT2nG1KkuQqUraUQG8WD9J9uxvbZxhsrax1 -Hg1iCAobzlEL2XoX2y+dN+81o2tm9qcy3L7+g6M/+7nQmU+fbGdBkcWq72dZC4ev -K6grD+gl0uQmdVc7m+3lErojNAlvxTSK1BKrR68CgYA2CxjijO8YGK8BC9FjUnNo -hM1L5eFzQMi8k5BA7evG15jPzodYdLE8qipTWtBZ7STJja6YcIiBcjoBDtkivJ7h -+sCpa5uhSrvxZkA+Tpvpljt2NLBXVxT/tSoJXbdO4f6cVLsOVTHfmpVlqGIxI/hL -kzUaOR16LXO9oahHZwDYHQKBgHPg60PS35p9NxJ1k47sPyKE/rtEfFHjFj+/QWO/ -hdIl1MC1TOJIDzuSdc4Vhhrnjx1YRgplZlS4P7DhAufjfiQEWW3pYqRAPFs0dbmw -Rl56JPiMmAdic8BnJ3all0uAFQinutpv8Gyw9FgMTMRcwgmuIUIttvlJbkqXw6IU -QOB5AoGBAJkTG5alPABxJG9ZuEE+iWCPAV1671FXT115D5wlKOY3CImuhsEW085X -uGZz7WDZWFZJres8RiRlpK035MAg6lUG3trC9+wOluRNehT6h0Vwru8TxjLBxPcc -yjdSVDH61FQLSKWIGLH9VVLX03NXqi3qxVGrrulUSW5h/HR2s3f7 +MIIEowIBAAKCAQEAnBCl4HGp6T6CzAsRS8dQa/VmCRh8TCIunhnxxxTmwOeg6Q8R +FH0QPPMLzoHKvz8UowCWS3jzvVUC1PrHSvfrveyDX+wDEOwkkXx4JIxALdkiuIlg +JNNSPee6ncG7007Ab5hAIiraqUFXCm5KJMdXQie6aweE4yVkJcYoTAH4EUBF/BFh +NXNr5s0PH1ZBHN+xP5FqcA2JSrVYnZ/ja7eY+0rhPhymThPc3NoUV1PSBP+YYB5j +3dLCJJrrE2Kq/n3nkt8ehX4lp/8SDJX+Hk0OheeRIHVLHpuLLtMt9It+vWjL4ji+ +UXPTgMk/3h+QFP+QQcvTP8tEnqd8IHazi7A94QIDAQABAoIBAEP6NGZY3AuOgOZj +g7sgK/V6RGF92tZGpUuUPW3bus8XlU0ulN/5wZLqwp/GhQtcbJ67aLujCXfUiZE/ +UoNjDboCRQ8I/CTo1tzP/Hze4i2WQLtkiw4/RblVMEH62tclnEh/Zp/7TpcesM0I +UR9H/MgCCf8InWdbKA4UDAVfbjAEws/72QSMnhhsdUfNMKKFiaaDz596MXpI3AWY +SsenVmcqhMTP819DEem7GTSyOZbx482i7tr1Ix/HB/WlXoTZLB4IFsUOjbtQkoym +fJHftuCsuN6xg6xUq28zaWqcZzDje7pavqmexXfxvG7a8jXFGY/sagWIHSIp32la +0WoUO2ECgYEAy0pG09+zY5pHsHoNrSEsN3wIXOv4EIwwEuk4ZTqBPyh/lbHozHDp +JlO+ObJVzRG/NS4RnlJUicmAUtI7CSpdvTD1OclROBF3DPwiu18zEJTqXkGDcVyt +bmy8JQDZPYt4mE/TsuRN3uoc9+2jc1ZL6zvS3u6s0EV5j4SYxrn/oQ0CgYEAxIe5 +uBvR+wRXeWddRbIAKxQJa1PR4WDbIQWGm8TlXpcBWsyaqId3AIg9IoQH9AtFvl5F ++6QHjhl5jNK/PkzNM/xAMbS4X4S32zDVUtmJXheyze65lQvXVfUFQUCyb5DeBtvk +XOf6k5WfM8rAzCb4PNwp+U21vQW7dfOSWp1yEyUCgYEAv3QHeljOYHqXE4wPP0Lj +mqmUUrbk2+i7CcRdGXDc8jdY2QlBfvDDkxYBK+NZTRVup03ox9svxMhhsx5M/RfK +SnhGKxL/C7ffD/qRVzeUJwSoKPa4LNYke7+p/YtsDLtCauebL3o2ID8J4zEJ44Cd +ZT/lG5FabZdQoao2G8pmBi0CgYBrdG5mLMflwJz3Yz3LUqTm6OCxjzXtTeDiMDxG +RSTIUDZMaByT0uWNI/CRQ7F5jQRILxGColADMQiVp9ErBiEYsG6E/vPkPhOsxAmP +cCO8j6aTFFjiFoRZmkuSPwaRG5taErbM2YXXVfKjBdPei9wkophMmGGrBUxXFKNL +6lQqBQKBgFeDuiesvRr+3KUxO6FiRXdGzkhFpfVaSxnFpvyd03vByTsuI5AugjHt +UPHkOxnrXYg2bZwHSy5fvhUs18FdcucfJnsVl+/Clhl5jkeQzSOszoPx8lvhcck5 +uzlqo+L2XXWN3MaiBHvboA/duTiSQAvcPaEi8gpprxvLHojz/P9R -----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt index 0565c768e..25f57370c 100644 --- a/testing/hosts/winnetou/etc/openssl/research/index.txt +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt @@ -2,8 +2,9 @@ R 100322070423Z 100407091025Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU= R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA R 120323210330Z 140324140605Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org R 140323203747Z 140324142334Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org -V 151103161503Z 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA +R 151103161503Z 141128215838Z,superseded 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org V 150702151839Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA V 190323140633Z 08 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org V 190323142352Z 09 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org +V 190401220708Z 0A unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old index 8a0231b05..3fc101e9e 100644 --- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old @@ -2,7 +2,8 @@ R 100322070423Z 100407091025Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU= R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA R 120323210330Z 140324140605Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org R 140323203747Z 140324142334Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org -V 151103161503Z 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA +R 151103161503Z 141128215838Z,superseded 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org V 150702151839Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA V 190323140633Z 08 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org +V 190323142352Z 09 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem new file mode 100644 index 000000000..2076242cc --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw +OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz +w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw +1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR +IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX +7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w +F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB +o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK +cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF +AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd +i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4 +zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM +4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE +VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF +5n7mN4ssNQdcD86W5lnI9pT5s1uvdw== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial index d9bb888f8..eb589e9da 100644 --- a/testing/hosts/winnetou/etc/openssl/research/serial +++ b/testing/hosts/winnetou/etc/openssl/research/serial @@ -1 +1 @@ -0A +0B diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old index 86397e5c1..d9bb888f8 100644 --- a/testing/hosts/winnetou/etc/openssl/research/serial.old +++ b/testing/hosts/winnetou/etc/openssl/research/serial.old @@ -1 +1 @@ -09 +0A diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/.rand b/testing/hosts/winnetou/etc/openssl/rfc3779/.rand index 20107f5f6..b41b2202b 100644 Binary files a/testing/hosts/winnetou/etc/openssl/rfc3779/.rand and b/testing/hosts/winnetou/etc/openssl/rfc3779/.rand differ diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt index 9adf263bf..bfafdee5d 100644 --- a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt +++ b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt @@ -1,4 +1,8 @@ -V 141222133356Z 01 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org -V 141222133521Z 02 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org -V 141222133612Z 03 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org -V 141222133736Z 04 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org +R 141222133356Z 141227062317Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org +R 141222133521Z 141227062321Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org +R 141222133612Z 141227062326Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org +R 141222133736Z 141227062335Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org +V 191221064542Z 05 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org +V 191221064900Z 06 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org +V 191221085130Z 07 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org +V 191221085457Z 08 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old index be48eeee4..56242a38b 100644 --- a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old @@ -1,3 +1,7 @@ -V 141222133356Z 01 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org -V 141222133521Z 02 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org -V 141222133612Z 03 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org +R 141222133356Z 141227062317Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org +R 141222133521Z 141227062321Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org +R 141222133612Z 141227062326Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org +R 141222133736Z 141227062335Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org +V 191221064542Z 05 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org +V 191221064900Z 06 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org +V 191221085130Z 07 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem new file mode 100644 index 000000000..124e2ae46 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 +MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 +GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu +uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA +PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 +jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd +D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK +KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 +eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT +d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u +Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG +MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy +bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY +AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL +aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo +830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 +lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 +NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR +pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu +Mc/lk4Nl8pHRO+Xm +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem new file mode 100644 index 000000000..a93121da1 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5 +MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu +Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5 +oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf +pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw +ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1 +Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd +0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd +bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud +DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj +Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 +IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz +d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo +dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww +RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR +AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu +7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p +nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg +oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx +k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD +yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug +NnBR3lf2HB2lWA== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem new file mode 100644 index 000000000..bf8a4919d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEojCCA4qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTEzMFoXDTE5 +MTIyMTA4NTEzMFowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3 +YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSlxt8LQf1wJ +u1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1XELjKv3kcYp2McydNPq63fw9XXbu +a/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++e0xxcZS4NQ6wz57bHgARzMoCisNr +xcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5LieSMGIBQjKGCd2a3eZYhTCs6hI0vhQ +Q1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXPuMY1CwZkGcANd6vBK5YBNiZFquBj +FhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN8Xim/AewWRcKJJKdlLAAHmZD0jx2 +g/E0LGu01wIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD +VR0OBBYEFNs9CUs7SNJewkkfo1Bg7bcUEzPXMIGMBgNVHSMEgYQwgYGAFCF/p+s3 +0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu +dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry +b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz +d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw +MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA +ABAwDQYJKoZIhvcNAQELBQADggEBAEYqXkheXXHiC5JnrZm5QUo11Vu4CtNRGeg0 +atuG8ZNHgQfa7wjjeCDNpj3lHvyegYsSMo7wGwN7DugH0mmXKZF9XHc4sU7/aUvl +mX52tDuUoCGD0/yFuKLlYOfwmsquC9snYDW7cJXaqMON/OMLcU44OR8E1oiw2ePT +FqyGFbfparp+Q8I7VHwJBs+mDphdNUlFbpuO9m2eEtqdYVyXlfUnbFpMMyWxxIY/ +6CIyWcRRKeWRRXxkk/dSeEWgsfWY7ITK9blP5nhIsgpCoEguGc6h4RL65VdH+Sy0 +9MLpesyGe6qkdrrg4nyaY82uuFXhUo0YiP0ddUw8eNaefFqEzL0= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem new file mode 100644 index 000000000..88ce01ed5 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEoDCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTQ1N1oXDTE5 +MTIyMTA4NTQ1N1owWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpJKRQ2CEG39rO +8nX7RpY+Ed5tyx+rkug3HrSInie+fgkDnLES2U1X3wvM2OczLp6L1ccROv+SzEW+ +OKfCZSz7T4GLwaRodi9KtHvfOCsbDx/vkFFwui2yt9rVUSpcbk1OiVQsA9R0G6vz +eqFIL9GtrtHWQ+dkvWy61i2A+T1X2QfhVfzvj5msL3CuZU6fnwGYD4LZz8RUGlB4 +WkSFWCctfQfgK+lpfuzq6OFFkARzxZ55D0MzgAvXY6osS8gMdiSD50Zlik7qZVvn +RO0j6TOg0WKinzguAokAyDCsaoqsOvi27QalfH48PUM+aUzHNCKnD6pswebHou3m +mvG3rH+9AgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUsBjPeVTm7TUTaXtmfv09yQS2mV8wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 +eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT +d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u +Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh +bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw +FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg +MA0GCSqGSIb3DQEBCwUAA4IBAQCNyAyUvqeCgWnPEMkfFFb1kBbd3me3aLRxXFb4 +TY44L6SBiFNy1s3UyFCLw1xXnSMgTpvZqHmB7fnzX7Aj6BNkPFIThEiHYN85ai4t +U9bO2nqwXfIINFt2Qlokd0QWHzDsL/o9Mmqs38ymlfIbsgwh7gCZ2HhGlOb7+QNU +IaDVIcKqBr07wX7qO/fEjKgFSkUT5eFNwQmyT3zUaE1PixK5w1hRxvs/KAsLgbfe +5ofLD88rfxvkqLwhRNU8PUzqIpqxfV1P+wS/k78z0tG+JI8yeEkcksuj9UOzlTr2 +jWL1QoxUEinR3N4dTqsW4u/Jz7R4MHdO+l9RoYZpQA8LV8s3 +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf index 9ec4b01a8..e8a0a2ee7 100644 --- a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf @@ -40,7 +40,7 @@ x509_extensions = host_ext # The extensions to add to the cert crl_extensions = crl_ext # The extensions to add to the CRL -default_days = 1825 # how long to certify for +default_days = 1820 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha256 # which md to use. preserve = no # keep passed DN ordering @@ -153,6 +153,13 @@ sbgp-ipAddrBlock = critical, @host-addr-section [host-addr-section] +#moon networks +#IPv4.0 = 192.168.0.1 +#IPv4.1 = 10.1.0.0/16 +#IPv6.0 = fec0::1 +#IPv6.1 = fec1::/16 + +#sun networks IPv4.0 = 192.168.0.2 IPv4.1 = 10.2.0.0/16 IPv6.0 = fec0::2 @@ -176,6 +183,12 @@ sbgp-ipAddrBlock = critical, @user-addr-section [user-addr-section] +#carol networks +#IPv4.0 = 192.168.0.100 +#IPv4.1 = 10.3.0.1 +#IPv6.0 = fec0::10 + +#dave networks IPv4.0 = 192.168.0.200 IPv4.1 = 10.3.0.2 IPv6.0 = fec0::20 diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/serial b/testing/hosts/winnetou/etc/openssl/rfc3779/serial index eeee65ec4..86397e5c1 100644 --- a/testing/hosts/winnetou/etc/openssl/rfc3779/serial +++ b/testing/hosts/winnetou/etc/openssl/rfc3779/serial @@ -1 +1 @@ -05 +09 diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old b/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old index 64969239d..adb9de8ee 100644 --- a/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old +++ b/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old @@ -1 +1 @@ -04 +08 diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial index f5c89552b..bb95160cb 100644 --- a/testing/hosts/winnetou/etc/openssl/serial +++ b/testing/hosts/winnetou/etc/openssl/serial @@ -1 +1 @@ -32 +33 diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old index e85087aff..f5c89552b 100644 --- a/testing/hosts/winnetou/etc/openssl/serial.old +++ b/testing/hosts/winnetou/etc/openssl/serial.old @@ -1 +1 @@ -31 +32 diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage index 075fd8e1e..c927934f1 100755 --- a/testing/scripts/build-baseimage +++ b/testing/scripts/build-baseimage @@ -21,7 +21,7 @@ INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,screen INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev,ca-certificates,unzip INC=$INC,python,python-setuptools,python-dev,python-pip -INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi +INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev SERVICES="apache2 dbus isc-dhcp-server slapd bind9" INC=$INC,${SERVICES// /,} diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk index 2b7bde5a5..d58de95bf 100644 --- a/testing/scripts/recipes/013_strongswan.mk +++ b/testing/scripts/recipes/013_strongswan.mk @@ -70,6 +70,8 @@ CONFIG_OPTS = \ --enable-socket-dynamic \ --enable-dhcp \ --enable-farp \ + --enable-connmark \ + --enable-forecast \ --enable-addrblock \ --enable-ctr \ --enable-ccm \ @@ -92,7 +94,8 @@ CONFIG_OPTS = \ --enable-tkm \ --enable-ntru \ --enable-lookip \ - --enable-swanctl + --enable-swanctl \ + --enable-bliss export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat diff --git a/testing/tests/ha/both-active/description.txt b/testing/tests/ha/both-active/description.txt index 4c64fff97..2d04e74f2 100644 --- a/testing/tests/ha/both-active/description.txt +++ b/testing/tests/ha/both-active/description.txt @@ -4,5 +4,5 @@ to the virtual gateway mars implemented by the two real gateways based on ClusterIP. Depending on the hash of the IP addresses of the peers and the SPIs, the inbound and outbound CHILD_SAs are either assigned to segment 1 managed by alice or segment 2 handled by moon. -The IKEv2 protocol is managed by moon exclusively with passive -IKE_SAs installed on the backup gateway alice. +The IKEv2 protocol is managed by alice exclusively with passive +IKE_SAs installed on the backup gateway moon. diff --git a/testing/tests/ikev1/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat index 52c561964..8f5ffdb50 100644 --- a/testing/tests/ikev1/double-nat-net/evaltest.dat +++ b/testing/tests/ikev1/double-nat-net/evaltest.dat @@ -1,7 +1,7 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat index 9ddad2de5..5f0622690 100644 --- a/testing/tests/ikev1/double-nat/evaltest.dat +++ b/testing/tests/ikev1/double-nat/evaltest.dat @@ -1,7 +1,7 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/nat-rw/evaltest.dat b/testing/tests/ikev1/nat-rw/evaltest.dat index 387dbae23..36d9f8456 100644 --- a/testing/tests/ikev1/nat-rw/evaltest.dat +++ b/testing/tests/ikev1/nat-rw/evaltest.dat @@ -2,10 +2,10 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun. venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES moon:: sleep 6::no output expected::NO diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown index aab1df687..b8b1fdd09 100755 --- a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown +++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown @@ -1,4 +1,4 @@ -#! /bin/sh +#!/bin/sh # NAT updown script # # Copyright (C) 2010 Andreas Steffen @@ -13,7 +13,6 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. -# things that this script gets (from ipsec_pluto(8) man page) # # PLUTO_VERSION # indicates what version of this interface is being @@ -32,15 +31,20 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA # # PLUTO_ME # is the IP address of our host. @@ -54,25 +58,21 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first +# virtual IP, IPv4 or IPv6. # # PLUTO_MY_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -80,31 +80,38 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. # # define a minimum PATH environment in case it is not set @@ -129,22 +136,22 @@ up-client:) # If you are doing a custom version, firewall commands go here. iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ -d $PLUTO_PEER_CLIENT -j ACCEPT - iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ - -s $PLUTO_PEER_CLIENT -j ACCEPT + iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ + -s $PLUTO_PEER_CLIENT -j ACCEPT iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP - echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 + echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 ;; down-client:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. - iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ - -d $PLUTO_PEER_CLIENT -j ACCEPT - iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ - -s $PLUTO_PEER_CLIENT -j ACCEPT - iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ - -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP - echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 + iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ + -d $PLUTO_PEER_CLIENT -j ACCEPT + iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ + -s $PLUTO_PEER_CLIENT -j ACCEPT + iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ + -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP + echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 diff --git a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat index 842eda00b..2dd5a40dd 100644 --- a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat +++ b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat @@ -1,7 +1,7 @@ moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES -moon::cat /var/log/daemon.log::splitting IKE message with length of 1468 bytes into 2 fragments::YES -sun::cat /var/log/daemon.log::splitting IKE message with length of 1388 bytes into 2 fragments::YES +moon::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES +sun::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES moon::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem new file mode 100644 index 000000000..4d99866f7 --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm +MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ +qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1 +ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR +fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN +2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9 +K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7 +mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc +ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f +XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy +Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx +J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj +zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0 +8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT +61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo +PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug +bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b +eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1 +ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am +DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt +v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0 +fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw +y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC +h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2 +cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem new file mode 100644 index 000000000..d8fad9aad --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB +eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+ +mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV +sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK +3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ +mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl +QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw +HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH +eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54 +/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/ +RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc +Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY +Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/ +Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h +BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv +NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF +wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc +JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78 +5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf +mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi +N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr +r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX +jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy +gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV +zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat index 52c561964..8f5ffdb50 100644 --- a/testing/tests/ikev2/double-nat-net/evaltest.dat +++ b/testing/tests/ikev2/double-nat-net/evaltest.dat @@ -1,7 +1,7 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat index 9ddad2de5..5f0622690 100644 --- a/testing/tests/ikev2/double-nat/evaltest.dat +++ b/testing/tests/ikev2/double-nat/evaltest.dat @@ -1,7 +1,7 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/forecast/description.txt b/testing/tests/ikev2/forecast/description.txt new file mode 100644 index 000000000..db67b9c3d --- /dev/null +++ b/testing/tests/ikev2/forecast/description.txt @@ -0,0 +1,8 @@ +The roadwarriors carol and dave set up a connection each to +gateway moon and request a virtual IP. moon negotiates +broadcast and multicast traffic selectors with the clients, and uses +%unique marks to avoid any policy conflicts. The enabled forecast +plugin on moon installs the required Netfilter rules to make use of these +policies, and additionally starts forwarding broadcast and multicast packets +between the clients.
+To test forwarding, the hosts send multicast and broadcast ping messages. diff --git a/testing/tests/ikev2/forecast/evaltest.dat b/testing/tests/ikev2/forecast/evaltest.dat new file mode 100644 index 000000000..6babe57f0 --- /dev/null +++ b/testing/tests/ikev2/forecast/evaltest.dat @@ -0,0 +1,20 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 1::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 2::YES +alice::ping -W 1 -c 1 239.0.0.1 2>&1> /dev/null +carol::ping -W 1 -c 1 239.0.0.2 2>&1> /dev/null +dave::ping -W 1 -c 1 239.0.0.3 2>&1> /dev/null +carol::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null +dave::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null +moon::iptables -t mangle -L -n -v +carol::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES +dave::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES +carol::tcpdump::IP 10.1.0.130 > 239.0.0.3: ICMP echo request::YES +dave::tcpdump::IP 10.1.0.129 > 239.0.0.2: ICMP echo request::YES +carol::tcpdump::IP 10.1.0.130 > 10.1.255.255: ICMP echo request::YES +dave::tcpdump::IP 10.1.0.129 > 10.1.255.255: ICMP echo request::YES diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..4cd628384 --- /dev/null +++ b/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=%config + leftsubnet=0.0.0.0/0 + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=0.0.0.0/0 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..7b81476e9 --- /dev/null +++ b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve +} diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..e2255d96b --- /dev/null +++ b/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftsubnet=0.0.0.0/0 + leftcert=daveCert.pem + leftid=dave@strongswan.org + right=PH_IP_MOON + rightsubnet=0.0.0.0/0 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..7b81476e9 --- /dev/null +++ b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve +} diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..fde2e9103 --- /dev/null +++ b/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16,224.0.0.0/4 + right=%any + rightid=*@strongswan.org + rightsourceip=10.1.0.128/26 + rightsubnet=%dynamic,224.0.0.0/4,10.1.255.255 + mark=%unique + auto=add diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..986ef32de --- /dev/null +++ b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown attr forecast + syslog { + daemon { + net = 2 + } + } + plugins { + forecast { + interface = eth1 + reinject = rw + } + } +} diff --git a/testing/tests/ikev2/forecast/posttest.dat b/testing/tests/ikev2/forecast/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev2/forecast/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/forecast/pretest.dat b/testing/tests/ikev2/forecast/pretest.dat new file mode 100644 index 000000000..206bf5b64 --- /dev/null +++ b/testing/tests/ikev2/forecast/pretest.dat @@ -0,0 +1,7 @@ +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/forecast/test.conf b/testing/tests/ikev2/forecast/test.conf new file mode 100644 index 000000000..13b3927ae --- /dev/null +++ b/testing/tests/ikev2/forecast/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon carol dave" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/host2host-transport-connmark/description.txt b/testing/tests/ikev2/host2host-transport-connmark/description.txt new file mode 100644 index 000000000..6660279c9 --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/description.txt @@ -0,0 +1,8 @@ +An IPsec transport-mode connection between the natted host alice +and gateway sun is successfully set up. The client venus behind +the same NAT as client alice also establishes the same transport-mode +connection. sun uses the connmark plugin and a %unique mark on +the CHILD_SAs to select the correct return path SA using connection tracking. +This allows sun to talk to both nodes for client initiated flows, even +if the SAs are actually both over moon.
+To test the connection, both hosts establish an SSH connection to sun. diff --git a/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat new file mode 100644 index 000000000..04a35c10c --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat @@ -0,0 +1,7 @@ +sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES +sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES +alice::ssh 192.168.0.2 'echo alice-echo && exit'::alice-echo::YES +venus::ssh 192.168.0.2 'echo venus-echo && exit'::venus-echo::YES +sun::iptables -t mangle -L -n -v diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..9000ebcfe --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf @@ -0,0 +1,17 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + leftcert=aliceCert.pem + leftid=alice@strongswan.org + right=192.168.0.2 + rightid=@sun.strongswan.org + type=transport + auto=add diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..220059c43 --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf @@ -0,0 +1,18 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=192.168.0.2 + leftcert=sunCert.pem + leftid=@sun.strongswan.org + +conn nat-t + right=%any + type=transport + mark=%unique + auto=add diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..1311e5b27 --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default connmark +} diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf new file mode 100644 index 000000000..cea239abe --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf @@ -0,0 +1,17 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + leftcert=venusCert.pem + leftid=venus@strongswan.org + right=192.168.0.2 + rightid=@sun.strongswan.org + type=transport + auto=add diff --git a/testing/tests/ikev2/host2host-transport-connmark/posttest.dat b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat new file mode 100644 index 000000000..144be6c90 --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat @@ -0,0 +1,5 @@ +alice::ipsec stop +venus::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/host2host-transport-connmark/pretest.dat b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat new file mode 100644 index 000000000..ab6408427 --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE +moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT +moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT +alice::ipsec start +venus::ipsec start +sun::ipsec start +alice::expect-connection nat-t +venus::expect-connection nat-t +alice::ipsec up nat-t +venus::ipsec up nat-t diff --git a/testing/tests/ikev2/host2host-transport-connmark/test.conf b/testing/tests/ikev2/host2host-transport-connmark/test.conf new file mode 100644 index 000000000..8c2facefd --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun alice venus moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev2/host2host-transport-nat/description.txt b/testing/tests/ikev2/host2host-transport-nat/description.txt index 6f18a88cd..fc7186c53 100644 --- a/testing/tests/ikev2/host2host-transport-nat/description.txt +++ b/testing/tests/ikev2/host2host-transport-nat/description.txt @@ -9,5 +9,6 @@ rules that let pass the decrypted IP packets. In order to test the host-to-host dropped when the IPsec policies are consulted (increases the XfrmInTmplMismatch counter in /proc/net/xfrm_stat).
  • A similar issue arises when venus also establishes an IPsec transport-mode connection to -sun, due to the conflicting IPsec policies sun declines such a connection.
    • +sun. Due to the conflicting IPsec policies sun will use the newer SA from +venus to send traffic to the common transport mode address. diff --git a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat index faa9fb265..0ec50bc92 100644 --- a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat +++ b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat @@ -1,12 +1,9 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES -sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES -alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES -venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO -venus::ipsec up nat-t::received TS_UNACCEPTABLE notify::YES -sun::cat /var/log/daemon.log::unable to install policy::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES +sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES +alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO +venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP echo request::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ICMP echo reply::NO diff --git a/testing/tests/ikev2/host2host-transport-nat/pretest.dat b/testing/tests/ikev2/host2host-transport-nat/pretest.dat index fe0f17d3d..2d2607078 100644 --- a/testing/tests/ikev2/host2host-transport-nat/pretest.dat +++ b/testing/tests/ikev2/host2host-transport-nat/pretest.dat @@ -10,3 +10,4 @@ sun::ipsec start alice::expect-connection nat-t venus::expect-connection nat-t alice::ipsec up nat-t +venus::ipsec up nat-t diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat index 65a003d23..8457ae0dd 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat @@ -1,6 +1,6 @@ moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES -moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA.* successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES @@ -9,8 +9,8 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan. carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES -dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA.* successful::YES +dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 4e13b52d0..70b953e49 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX -BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz -MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMTQxMTI4MjIxODIyWhcNMTkwMjI1 +MjIxODIyWjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n -c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y -IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2 -30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb -jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG -veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii -ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5 -7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD -VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx -jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg +c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNBbHnfLRk +Lvxh9V7x/NoSs5qavpr8F51LnYpIfppgMvBDjpdeSnBPOOPakPlfUhKSvXIesESv +QI1HJOlGftswL9A5B1lTnsH65sqpgqgj67grh386U3O9ZccFhUj8Dw6TUo/qe4pK +sWDwUX/LG3mjOx/rOGvX8WxvZU7JVXXhU4g8TpIV3JRTQ+lF82z3qoS6dAfRt4xh +6pyLuMYbu6UtX5Al0iJDvpsWr9ZbKI2f8Dhkr0sZFRHl7Gs5jTN1Ra1EF0jCjIzo +6AkkY+ITBssvVvMFpeN/jb0ZhvLcRFU56lvLkmrj/InKUsk9qNm80+/wFBUzJ5N7 +GezXmBIPwXdlAgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD +VR0OBBYEFLPw4VsFnIRIKhjd/OF7delHM9kiMHkGA1UdIwRyMHCAFIpw4MqlHGRv +K5K5c1wBrJAb/fk1oVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo -IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3 -DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH -TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G -4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6 -Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O -3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok -BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE +IENBggEKMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3 +DQEBCwUAA4IBAQCi2vUHTZtkUGMAQsztQBLDwtqS7D+1ydO2BU/wkNRn4M7Zlkjq +O2JBgwGmeWpnZWPdNo+A5ECqcVYXp0XQw/24zxV92StTN7mGvPKVM6bYExcCT8x6 +tVkzlfyjJaVdBgl12jkQA4v6Efwc0P6nunYfxYIrfoFA4kjMnAbxLfPKFEj8b8NW +E9gvOEPy9hOv2dJEKyNxau+O5oGRZ46zSotcS0n34huoMEkXpUnpGOgZw8cl8xpP +ffHiAJqZYgqU6B++HQO6M6IQ0nQmX6OxGz+5VhEmuizgWB0B1L65BlzAysdavLZN +Yn4RdcYfpdbUgj5oRapiwWaQxpGImyQ1JBIU -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem index 48727ed9d..ce60672bc 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF -Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF -w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/ -rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8 -UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX -aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+ -33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX -ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA -zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2 -DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag -QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp -5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP -44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX -Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV -2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar -PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX -LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/ -Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq -VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL -Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty -6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3 -Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw -Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq -Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS -QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw== +MIIEpAIBAAKCAQEAzQWx53y0ZC78YfVe8fzaErOamr6a/BedS52KSH6aYDLwQ46X +XkpwTzjj2pD5X1ISkr1yHrBEr0CNRyTpRn7bMC/QOQdZU57B+ubKqYKoI+u4K4d/ +OlNzvWXHBYVI/A8Ok1KP6nuKSrFg8FF/yxt5ozsf6zhr1/Fsb2VOyVV14VOIPE6S +FdyUU0PpRfNs96qEunQH0beMYeqci7jGG7ulLV+QJdIiQ76bFq/WWyiNn/A4ZK9L +GRUR5exrOY0zdUWtRBdIwoyM6OgJJGPiEwbLL1bzBaXjf429GYby3ERVOepby5Jq +4/yJylLJPajZvNPv8BQVMyeTexns15gSD8F3ZQIDAQABAoIBABliJR6V7/efYZv3 +NyQavB0oo3GZO7MOcWkVPjOviQl0BQ84LkF8Ud9dGcjLvjQxAx+r2N83z6krAtLW +HROfTR/wK4WEBWk29KlNvbWy+YJJAupQwk3EW0YNvdBPKjQa4SEYTb0oQnzw7SGT +1ZCd/DdbcJ48xA1eVKCOGG0Q6aFV702mUszjZfrnyqr+zxx8ZE+YhKSXB0eGjv2+ ++kiJMf25ZpgP5Pu5AAX0/KRN9E5orbr5pdFTBgOIJ6Sdsnr/q/tJaU/bPVJEtFvd +BqSVtz87ftTdZVH5zMBkXPVwlWczQiK5J6igrMBcrHhnKUmt54kh9bEUmt2ZrBOx +xmEV/wECgYEA+a+LjA3lZgk5Qy4qKvXe4EHvRSK513ZxN8gBvj4wA7JmEGv76gMw +5o1DbpNOqumeyjrtsqVzjAu3GpowX4dfHRal9CZ57dtedjWlHPnnDtSMKzmJXiJb +HzYPngpjxfAjrZNIBlQZeAhtYCQUDM/SSitcnP1gp3DEdVyxFNafmuECgYEA0jUA +F0hSddYBo4tG84gnHQ6L0ftqn3K0UD9EcFAG2Zxv7dqSGdmCq6wo/q1UeKDVLjCX +OteuqzDG+ka6DmbcLwj9VRMQP9lqUbtGOzwyWxYdcMUZnMtWHpuvcsyHLrAKqTxJ +0Be7hlXCbSrh62CBpAgv91NMghZup3Tpku8qkQUCgYEAyWNp7uEWciJmaWVG5bfC +uKb10pGby8ngr9lGbqfCGnk+EWjHm4xPWOX/yaRPA1PDm+HD7x+7/u1EFtTex25s +rQ2jdTXDirIxkq7aKnD2iOOu2v5haefUD2yPVC2VJAX5APuWUGRs1oAVmEIBWgQV +3XT0EjvcRbGTBAZrXh9uRIECgYEAzBclZXWUilAj+zOoyZ4xy6Zp3pAqL3Fg3GDx +A9LPM80NZ3RFUc+7bQ6UJuEHGK+fC1+mFT1/mzqaljjBQGZh9VDXFhiSOEvRTFV1 +lOGXSpSoNOtJONC7ZrBloiIuRggp8bJVQDMqoPz27qMqAiwK8sX4PDumFs/M081R +UpXfUDkCgYAOa/VoXgDlFMun1qEu6LFZcLhA6SyHRT0yT9WSYkHjcQusvJAZEM67 +lfUd1J57tG6+HS7z0wBkO72HG0YZDD8dhgzsYGChUHD+yq+OZ2FHnZWRSnnHq4zD +ZBjS8PGcVu/4Ojx6B8GI41UgmdqH+US+AA6nYceb74NeIigXjtXUdA== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem index bb205a0fd..2076242cc 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem @@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw -M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw +OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu -MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa -ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO -UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD -h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY -i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB -o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2 -KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz +w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw +1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR +IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX +7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w +F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB +o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK +cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 -YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF -AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv -YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx -rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C -1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5 -wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v -DSlBqDpnqK8tEI9V9YeroihTcygrEg== +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF +AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd +i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4 +zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM +4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE +VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF +5n7mN4ssNQdcD86W5lnI9pT5s1uvdw== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-rw-mark/evaltest.dat index bb8e856cc..c5390fbb6 100644 --- a/testing/tests/ikev2/nat-rw-mark/evaltest.dat +++ b/testing/tests/ikev2/nat-rw-mark/evaltest.dat @@ -1,7 +1,7 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown index 421335ffb..e0c15f56a 100755 --- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown @@ -1,4 +1,4 @@ -#! /bin/sh +#!/bin/sh # updown script setting inbound marks on ESP traffic in the mangle chain # # Copyright (C) 2003-2004 Nigel Meteringham @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,20 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA # # PLUTO_ME # is the IP address of our host. @@ -63,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -85,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -93,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -143,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -157,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -193,119 +166,45 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - parms1="$PLUTO_PEER_CLIENT" +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac - if [ -n "$PLUTO_NEXT_HOP" ] +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] then - parms2="via $PLUTO_NEXT_HOP" + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" fi - if test " $oops" != " " -o " $st" != " 0" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] then - echo "$0: doroute \`$it' failed ($oops)" >&2 + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" fi # is there an inbound mark to be set? @@ -313,82 +212,18 @@ if [ -n "$PLUTO_MARK_IN" ] then if [ -n "$PLUTO_UDP_ENC" ] then - SET_MARK="-p udp --sport $PLUTO_UDP_ENC" + SET_MARK="-p udp --sport $PLUTO_UDP_ENC" else - SET_MARK="-p esp" + SET_MARK="-p $PLUTO_PROTO" fi SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" fi -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" -fi - # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -403,6 +238,14 @@ up-host:) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -430,6 +273,13 @@ down-host:) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -472,6 +322,15 @@ up-client:) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -518,6 +377,13 @@ down-client:) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat index 6ec29c779..86fc1975e 100644 --- a/testing/tests/ikev2/nat-rw-psk/evaltest.dat +++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat @@ -1,6 +1,6 @@ -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL, ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL.*ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat index 387dbae23..36d9f8456 100644 --- a/testing/tests/ikev2/nat-rw/evaltest.dat +++ b/testing/tests/ikev2/nat-rw/evaltest.dat @@ -2,10 +2,10 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun. venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES moon:: sleep 6::no output expected::NO diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown index aab1df687..1afd70df8 100755 --- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown @@ -1,4 +1,4 @@ -#! /bin/sh +#!/bin/sh # NAT updown script # # Copyright (C) 2010 Andreas Steffen @@ -13,8 +13,6 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -32,15 +30,20 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA # # PLUTO_ME # is the IP address of our host. @@ -54,25 +57,21 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first +# virtual IP, IPv4 or IPv6. # # PLUTO_MY_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -80,31 +79,38 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. # # define a minimum PATH environment in case it is not set @@ -129,22 +135,22 @@ up-client:) # If you are doing a custom version, firewall commands go here. iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ -d $PLUTO_PEER_CLIENT -j ACCEPT - iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ - -s $PLUTO_PEER_CLIENT -j ACCEPT + iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ + -s $PLUTO_PEER_CLIENT -j ACCEPT iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP - echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 + echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 ;; down-client:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. - iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ - -d $PLUTO_PEER_CLIENT -j ACCEPT - iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ - -s $PLUTO_PEER_CLIENT -j ACCEPT - iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ - -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP - echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 + iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ + -d $PLUTO_PEER_CLIENT -j ACCEPT + iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ + -s $PLUTO_PEER_CLIENT -j ACCEPT + iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ + -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP + echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 diff --git a/testing/tests/ikev2/net2net-cert-sha2/description.txt b/testing/tests/ikev2/net2net-cert-sha2/description.txt new file mode 100644 index 000000000..c659b4c47 --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/description.txt @@ -0,0 +1,7 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates using SHA-2 to create signatures +as enabled by the IKEv2 Signature Authentication extension described in RFC 7427. +Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat new file mode 100644 index 000000000..65737ba1f --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat @@ -0,0 +1,9 @@ +moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA512 successful::YES +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA384 successful::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..5af6d2bbc --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.pem + leftauth=rsa-sha384 + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..2127105da --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..3c3d1e51d --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftauth=rsa-sha512 + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..2127105da --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/net2net-cert-sha2/posttest.dat b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat new file mode 100644 index 000000000..837738fc6 --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush + diff --git a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat new file mode 100644 index 000000000..81a98fa41 --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-cert-sha2/test.conf b/testing/tests/ikev2/net2net-cert-sha2/test.conf new file mode 100644 index 000000000..afa2accbe --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf index a26295090..6e5c24063 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf @@ -3,4 +3,5 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + signature_authentication = no } diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf index a26295090..6e5c24063 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf @@ -3,4 +3,5 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + signature_authentication = no } diff --git a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat index 7f227fd62..c7437c8bb 100644 --- a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat +++ b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat @@ -1,7 +1,7 @@ moon::cat /var/log/daemon.log::IKE_SA_INIT request 0.*FRAG_SUP::YES sun::cat /var/log/daemon.log::IKE_SA_INIT response 0.*FRAG_SUP::YES -moon::cat /var/log/daemon.log::splitting IKE message with length of 1804 bytes into 2 fragments::YES -sun::cat /var/log/daemon.log::splitting IKE message with length of 1596 bytes into 2 fragments::YES +moon::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES +sun::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES moon::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES moon::cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES sun::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem index 7f5f8d703..124e2ae46 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem @@ -1,28 +1,28 @@ -----BEGIN CERTIFICATE----- -MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0 -MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 +MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm -RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG -aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs -BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU -lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO -wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51 -vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 +GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu +uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA +PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 +jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd +D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK +KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY -AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX -QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S -smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1 -Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O -vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC -kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6 -Y0Y2hqCja6SsIjVc +AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL +aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo +830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 +lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 +NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR +pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu +Mc/lk4Nl8pHRO+Xm -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem index 8295f97c1..11607c8cb 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q -t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/ -rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW -B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi -aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi -81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot -teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI -B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT -p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd -yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq -+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea -zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv -AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/ -dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn -UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2 -1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9 -yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu -fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc -3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC -reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb -zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV -3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu -uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR -OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn -gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA== +MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 +unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd +GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb +kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg +z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY +pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ +ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB +u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 +ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt +pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV +VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ +ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ +intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku +4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I +HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd +iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE +caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX +b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 +8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 +J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 +3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 +NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh +VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU +KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof +50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem index 9ccd47a2c..a93121da1 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem @@ -1,28 +1,28 @@ -----BEGIN CERTIFICATE----- -MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0 -MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5 +MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu -Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE -CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k -XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H -k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC -VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno -Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr -6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud -DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj +Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5 +oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf +pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw +ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1 +Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd +0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd +bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud +DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3 YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR -AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA -mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j -C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd -4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ -TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ -Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E -dXN+1axy9zQ34g== +AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu +7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p +nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg +oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx +k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD +yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug +NnBR3lf2HB2lWA== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem index 6e047af69..55f5f8037 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArUeG+hWH98zXhEQJNevi2j1kR4ZKocuXl2755hmXV8Luotho -K2Vof54t8OwKBil75ewMscjGlMr1HqReAs/UmtrHPeu2/mokqRXdoNONDZ35wVzQ -SCJmafndUSYj8iVwlL9VnMeE28QmTseTRimhrOkY+03MUZp6FXmZdQB5U/HhEfx+ -NxKI9u49LdYLtyq1i9XCT3t2PTlV8QJWcb73T54UrO29rAHM0bAZDvFlXuRKI8c3 -IYBXSqsq+FdnRU+eb84SIYICUijy6ehhv/hQwz9rm6wJoD0eBt/z6qqavNq9JSQU -RrTL+n1s4Edqp80/TTbGS1uoEIKh1GvpCCaLKwIDAQABAoIBAHKb86/nm9YPu6B1 -K65phdMZdgFE1oorUenMcid6V7qpaRN2lXfWjAaUxggq5vpqZ9OMjFzu0kHJ99S7 -nJ65fgKqn8vZ42BlLjhUCRH9urb9/Rqi2/RKJHkF1hd9ZZscnlkUMHkRElQVac0D -feqTUKdASdC2BWUYCpW3pwNXO+iD5bA9/wB2J/RYYmm6Qo7UZQU8C0lken/8EOEL -/ch0ID7C5PC0vWvLT0fM9j2JKDq8T6NRhF1MluISGDOp4pW7tEbkHo5I6zD0aPO2 -K9leN3aSUYsOVJk39VXkThwgJ4lqNEXI2xRbtW8sAf7TL1YDxLR2JN3UGvy/By5B -UblJUnECgYEA2nO+iXScKd3qqmHrdXcxf2ExZQr8QgTAsZOkb6LQ9kGQll0lBcFc -T2HlobzOaQktpF44C41zf2QpGDllbpyNT8VyQkI+CJ4pntjtKPkoPkxUeVlciFsm -7THqCGe0zQBWDnXFVfTKR12aRwkhjG+QCQyyaAaV8YztEsDI5SRCjykCgYEAyxAb -t/NTh9DBDrfJCkT21Rm9Ow70vhDaAyQLq3nJMF+BTXYDrnVMmFHCIHd+nbNP0CLs -cV/fWAF6626ko5B6ewPFQ4wXRvtNAiDNZSfeaZgvxCrvoDgVrHWhfwHSXWFqny0o -WHwIJJQvdkLW9BHwbpAQRoD1c2sy7pWIVTEyljMCgYEA0zZXwkUp/FzhWG2moANn -qzZI8N4nOpmnycnrkjiE+6Q27PsQIblrzCDmSnPnyqyiIasrWxgf1Mr95LsR9FmP -U9Ke/6tWmTR7H2e0HgqRO3LHtjCNhBVF1M6O7iN/Lzqk+gQqkUpGDaxVz1rnwgXX -6LgLAwNjFJJiYeBeHRbq98kCgYAwBdg4UbBgf0sY+vftmM+zKAorjGbvCDc25PBp -ljyxVvTSZ+WI/a6mmzdIzFnCW+S1OX0ndt/wBTGXuivvjryYmRSu29OpcscMiMtq -b9pWqKorP2g6QOlHRu5xhfHFKcO4b0qKWpLma7Epy7bgM9njm+htdBQYPrLl37FF -TIRFJwKBgGnZR5rm5iCrcIoAUMlH4/5ye5BPjHDn1NNv7Q7PZR9jhaEuoiBgvk6v -h+YVi9A9nhbaqS4/rumsNPlObeIw78713pendaWCjC4hA0urrJ4fElfuaIyZMyKE -FD64V78iaYVlmwKMJxZUnS1EFzb0XQZM7wxhB/i0wwjh+48rBHbd +MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS +dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV +eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835 +dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid +gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah +tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn +d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB +J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3 +6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD +cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0 +SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB +BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG +KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2 +iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg +zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0 +7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE +ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4 +Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0 +lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU +7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7 +yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT +1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX +uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ +dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+ +QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown index bdba3fb05..e9ab41c7f 100755 --- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown +++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown @@ -1,4 +1,4 @@ -#! /bin/sh +#!/bin/sh # updown script setting inbound marks on ESP traffic in the mangle chain # # Copyright (C) 2003-2004 Nigel Meteringham @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,20 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA # # PLUTO_ME # is the IP address of our host. @@ -63,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -85,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -93,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -186,7 +169,6 @@ fi PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in up-client:) # connection to my client subnet coming up diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt b/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt new file mode 100644 index 000000000..dfec6a3b6 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt @@ -0,0 +1,8 @@ +This scenario tests make-before-break reauthentication using overlapping +IKE_SAs by setting the make_before_break strongswan.conf option for +clients using an assigned virtual IP. The initiator carol reauthenticates +the IKE_SA with host moon using ikelifetime=10s, but does not +close the old IKE_SA before the replacement CHILD_SA using the same virtual IP +is in place. A constant ping from carol to client alice +hiding in the subnet behind moon tests if the CHILD_SA works during the +whole procedure. diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat new file mode 100644 index 000000000..509457418 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..6447b1cca --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + keylife=20m + ikelifetime=10s + rekeymargin=5s + rekeyfuzz=0% + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftsourceip=%config + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..f89437e43 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown + + make_before_break = yes +} diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..121ea7eab --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=30m + keylife=20m + rekeymargin=0s + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + rightsourceip=10.3.0.0/24 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f585edfca --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat new file mode 100644 index 000000000..046d4cfdc --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat new file mode 100644 index 000000000..baacc1605 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf new file mode 100644 index 000000000..4a5fc470f --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/reauth-mbb/description.txt b/testing/tests/ikev2/reauth-mbb/description.txt new file mode 100644 index 000000000..ab92d7df8 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/description.txt @@ -0,0 +1,7 @@ +This scenario tests make-before-break reauthentication using overlapping +IKE_SAs by setting the make_before_break strongswan.conf option. The +initiator carol reauthenticates the IKE_SA with host moon using +ikelifetime=10s, but does not close the old IKE_SA before the replacement +CHILD_SA is in place. A constant ping from carol to client alice +hiding in the subnet behind moon tests if the CHILD_SA works during the +whole procedure. diff --git a/testing/tests/ikev2/reauth-mbb/evaltest.dat b/testing/tests/ikev2/reauth-mbb/evaltest.dat new file mode 100644 index 000000000..509457418 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..f46405a47 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + keylife=20m + ikelifetime=10s + rekeymargin=5s + rekeyfuzz=0% + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..f89437e43 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown + + make_before_break = yes +} diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..2f4557447 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=30m + keylife=20m + rekeymargin=0s + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f585edfca --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/reauth-mbb/posttest.dat b/testing/tests/ikev2/reauth-mbb/posttest.dat new file mode 100644 index 000000000..046d4cfdc --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/reauth-mbb/pretest.dat b/testing/tests/ikev2/reauth-mbb/pretest.dat new file mode 100644 index 000000000..baacc1605 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev2/reauth-mbb/test.conf b/testing/tests/ikev2/reauth-mbb/test.conf new file mode 100644 index 000000000..4a5fc470f --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat index d59eef513..20f1f132c 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat index 0ea4e21ab..77e306bf9 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf index b4825fb82..c2efc3fcd 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftauth=eap leftfirewall=yes diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat index 6a20b8e8c..e09765fb6 100644 --- a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat @@ -1,7 +1,7 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat index 1460ec8f9..10ce861b1 100644 --- a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES @@ -8,7 +8,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswa moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES -dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat index aa6d4291b..47a4977a2 100644 --- a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES @@ -8,7 +8,7 @@ carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongsw moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO -dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat index 42d2c319e..5853deb26 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat @@ -1,6 +1,6 @@ carol::cat /var/log/daemon.log::configured EAP-Identity carol::YES carol::cat /var/log/daemon.log::added EAP secret for carol moon.strongswan.org::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat index 8f813395a..109407b96 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf index 881971e80..87c37f3a3 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftauth=eap leftfirewall=yes diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat index a8019b3e7..49045c9ef 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf index b4825fb82..c2efc3fcd 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftauth=eap leftfirewall=yes diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat index 84f41fd93..88ab87d29 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf index b4825fb82..c2efc3fcd 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftauth=eap leftfirewall=yes diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat index 010f48315..892fdd6ef 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat index 95c29b7f5..d3d97dc38 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat @@ -1,9 +1,9 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat index f1a68bc19..0dfc89e07 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat index 21cfe429a..a514f48b7 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat index ab27b4510..f33e7bc36 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf index b4825fb82..c2efc3fcd 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftauth=eap leftfirewall=yes diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat index 7584e14dc..75349b031 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat index a471a2cfa..f250c0cb3 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat @@ -1,9 +1,9 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown index 421335ffb..b8b45e3b0 100755 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown @@ -1,4 +1,4 @@ -#! /bin/sh +#!/bin/sh # updown script setting inbound marks on ESP traffic in the mangle chain # # Copyright (C) 2003-2004 Nigel Meteringham @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,20 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA # # PLUTO_ME # is the IP address of our host. @@ -63,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -85,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -93,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -143,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -157,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -193,119 +166,45 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - parms1="$PLUTO_PEER_CLIENT" +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac - if [ -n "$PLUTO_NEXT_HOP" ] +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] then - parms2="via $PLUTO_NEXT_HOP" + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" fi - if test " $oops" != " " -o " $st" != " 0" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] then - echo "$0: doroute \`$it' failed ($oops)" >&2 + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" fi # is there an inbound mark to be set? @@ -320,75 +219,11 @@ then SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" fi -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" -fi - # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -403,6 +238,14 @@ up-host:) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -430,6 +273,13 @@ down-host:) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -472,6 +322,15 @@ up-client:) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -518,6 +377,13 @@ down-client:) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/ikev2/rw-ntru-bliss/description.txt b/testing/tests/ikev2/rw-ntru-bliss/description.txt new file mode 100644 index 000000000..b81fdb7cf --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/description.txt @@ -0,0 +1,15 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and +192 bit for carol and dave, respectively. Authentication is based on the BLISS +algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for +carol, dave and moon, respectively. +

    +Both carol and dave request a virtual IP via the IKEv2 configuration payload +by using the leftsourceip=%config parameter. The gateway moon assigns virtual +IP addresses from a simple pool defined by rightsourceip=10.3.0.0/28 in a monotonously +increasing order. +

    +leftfirewall=yes automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnels, carol and dave then ping +the client alice behind the gateway moon. The source IP addresses of the two +pings will be the virtual IPs carol1 and dave1, respectively. diff --git a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat new file mode 100644 index 000000000..5a88b6641 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat @@ -0,0 +1,26 @@ +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES +dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA256 successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA384 successful::YES +moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES +moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..f13e47a71 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ntru128! + esp=aes128-sha256! + authby=pubkey + fragmentation=yes + +conn home + left=PH_IP_CAROL + leftsourceip=%config + leftcert=carolCert.der + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der new file mode 100644 index 000000000..cbc7e09c1 Binary files /dev/null and b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der differ diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der new file mode 100644 index 000000000..491e245dd Binary files /dev/null and b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der differ diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der new file mode 100644 index 000000000..b2831a8ed Binary files /dev/null and b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der differ diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..c2225646d --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: BLISS carolKey.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ab824c993 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + send_vendor_id = yes + fragment_size = 1500 +} diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..5f605a43d --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha384-ntru192! + esp=aes192-sha384! + authby=pubkey + fragmentation=yes + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftcert=daveCert.der + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der new file mode 100644 index 000000000..cbc7e09c1 Binary files /dev/null and b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der differ diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der new file mode 100644 index 000000000..83a213710 Binary files /dev/null and b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der differ diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der new file mode 100644 index 000000000..0ec528ddf Binary files /dev/null and b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der differ diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..fe2643204 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: BLISS daveKey.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ab824c993 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + send_vendor_id = yes + fragment_size = 1500 +} diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..2a9b33aae --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ntru128,aes192-sha384-ntru192! + esp=aes128-sha256,aes192-sha384! + authby=pubkey + fragmentation=yes + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.der + leftauth=bliss-sha512 + leftid=moon.strongswan.org + leftfirewall=yes + right=%any + rightsourceip=10.3.0.0/28 + auto=add diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der new file mode 100644 index 000000000..cbc7e09c1 Binary files /dev/null and b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der differ diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der new file mode 100644 index 000000000..1ab7d21f7 Binary files /dev/null and b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der differ diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der new file mode 100644 index 000000000..c989f91e5 Binary files /dev/null and b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der differ diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..b4a9ee68d --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: BLISS moonKey.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ab824c993 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + send_vendor_id = yes + fragment_size = 1500 +} diff --git a/testing/tests/ikev2/rw-ntru-bliss/posttest.dat b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat new file mode 100644 index 000000000..9ba8c5f55 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat @@ -0,0 +1,9 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der +carol::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der +dave::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat new file mode 100644 index 000000000..24249435e --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem +carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem +dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/rw-ntru-bliss/test.conf b/testing/tests/ikev2/rw-ntru-bliss/test.conf new file mode 100644 index 000000000..164b07ff9 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat index ab398a3bb..55b295781 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat @@ -2,8 +2,8 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pr moon:: cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES moon:: ipsec status 2> /dev/null::rw-psk.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[PH_IP_MOON]::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES -moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES +moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES +moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES moon:: ipsec status 2> /dev/null::rw-rsasig.*INSTALLED, TUNNEL::YES dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat index 1648c9557..1206ea4b7 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat @@ -1,6 +1,6 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES -moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES +moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat index ccbc769e2..b192f788f 100644 --- a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat +++ b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf index 438e1c14c..6ebb7c356 100644 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftauth=eap leftfirewall=yes diff --git a/testing/tests/ikev2/rw-sig-auth/description.txt b/testing/tests/ikev2/rw-sig-auth/description.txt new file mode 100644 index 000000000..569d7e054 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol an dave set up a connection to gateway +moon. They authenticate themselves using RSA signatures but +they use different hash algorithms. moon uses signature scheme constraints +to only allow access to the research and accounting subnets if +specific algorithms are used. Note: Because the client certificate's are signed +with SHA-256 we have to accept that algorithm too because signature schemes in +rightauth are also used as constraints for the whole certificate chain. +Therefore, carol obtains access to the research subnet behind gateway +moon whereas dave has access to the accounting subnet, but not +vice-versa. diff --git a/testing/tests/ikev2/rw-sig-auth/evaltest.dat b/testing/tests/ikev2/rw-sig-auth/evaltest.dat new file mode 100644 index 000000000..261475f56 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/evaltest.dat @@ -0,0 +1,20 @@ +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES +moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PKCS1_SHA384 successful::YES +moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES +carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES +moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO +dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES +moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PKCS1_SHA512 successful::YES +moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES +dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES +moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES +dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO +dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..b1aa2d99a --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn alice + rightsubnet=10.1.0.10/32 + also=home + auto=add + +conn venus + rightsubnet=10.1.0.20/32 + also=home + auto=add + +conn home + left=%any + leftcert=carolCert.pem + leftauth=pubkey-sha384 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=pubkey diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..044d73ac3 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown +} diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..eef3e2622 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn alice + rightsubnet=10.1.0.10/32 + also=home + auto=add + +conn venus + rightsubnet=10.1.0.20/32 + also=home + auto=add + +conn home + left=%any + leftcert=daveCert.pem + leftauth=pubkey-sha512 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=pubkey diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..044d73ac3 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown +} diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..9f9051eeb --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn research + rightauth=pubkey-sha384-sha256 + leftsubnet=10.1.0.0/28 + also=rw + auto=add + +conn accounting + rightauth=pubkey-sha512-sha256 + leftsubnet=10.1.0.16/28 + also=rw + auto=add + +conn rw + left=PH_IP_MOON + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftauth=pubkey + leftfirewall=yes + right=%any diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..044d73ac3 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown +} diff --git a/testing/tests/ikev2/rw-sig-auth/posttest.dat b/testing/tests/ikev2/rw-sig-auth/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-sig-auth/pretest.dat b/testing/tests/ikev2/rw-sig-auth/pretest.dat new file mode 100644 index 000000000..bec31cc68 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/pretest.dat @@ -0,0 +1,12 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up alice +dave::ipsec up venus +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-sig-auth/test.conf b/testing/tests/ikev2/rw-sig-auth/test.conf new file mode 100644 index 000000000..b9e97e43b --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou moon" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="" + diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat index 9418d6ee1..3522c3d79 100644 --- a/testing/tests/ikev2/rw-whitelist/evaltest.dat +++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat @@ -1,6 +1,6 @@ moon:: cat /var/log/daemon.log::whitelist functionality was already enabled::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA.* successful::YES +moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem index 7f5f8d703..124e2ae46 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem @@ -1,28 +1,28 @@ -----BEGIN CERTIFICATE----- -MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0 -MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 +MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm -RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG -aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs -BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU -lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO -wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51 -vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 +GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu +uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA +PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 +jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd +D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK +KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY -AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX -QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S -smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1 -Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O -vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC -kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6 -Y0Y2hqCja6SsIjVc +AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL +aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo +830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 +lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 +NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR +pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu +Mc/lk4Nl8pHRO+Xm -----END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem index 8295f97c1..11607c8cb 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q -t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/ -rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW -B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi -aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi -81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot -teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI -B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT -p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd -yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq -+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea -zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv -AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/ -dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn -UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2 -1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9 -yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu -fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc -3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC -reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb -zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV -3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu -uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR -OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn -gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA== +MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 +unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd +GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb +kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg +z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY +pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ +ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB +u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 +ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt +pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV +VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ +ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ +intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku +4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I +HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd +iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE +caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX +b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 +8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 +J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 +3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 +NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh +VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU +KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof +50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem index 9ccd47a2c..a93121da1 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem @@ -1,28 +1,28 @@ -----BEGIN CERTIFICATE----- -MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0 -MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5 +MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu -Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE -CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k -XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H -k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC -VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno -Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr -6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud -DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj +Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5 +oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf +pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw +ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1 +Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd +0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd +bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud +DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3 YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR -AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA -mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j -C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd -4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ -TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ -Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E -dXN+1axy9zQ34g== +AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu +7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p +nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg +oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx +k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD +yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug +NnBR3lf2HB2lWA== -----END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem index 6e047af69..55f5f8037 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArUeG+hWH98zXhEQJNevi2j1kR4ZKocuXl2755hmXV8Luotho -K2Vof54t8OwKBil75ewMscjGlMr1HqReAs/UmtrHPeu2/mokqRXdoNONDZ35wVzQ -SCJmafndUSYj8iVwlL9VnMeE28QmTseTRimhrOkY+03MUZp6FXmZdQB5U/HhEfx+ -NxKI9u49LdYLtyq1i9XCT3t2PTlV8QJWcb73T54UrO29rAHM0bAZDvFlXuRKI8c3 -IYBXSqsq+FdnRU+eb84SIYICUijy6ehhv/hQwz9rm6wJoD0eBt/z6qqavNq9JSQU -RrTL+n1s4Edqp80/TTbGS1uoEIKh1GvpCCaLKwIDAQABAoIBAHKb86/nm9YPu6B1 -K65phdMZdgFE1oorUenMcid6V7qpaRN2lXfWjAaUxggq5vpqZ9OMjFzu0kHJ99S7 -nJ65fgKqn8vZ42BlLjhUCRH9urb9/Rqi2/RKJHkF1hd9ZZscnlkUMHkRElQVac0D -feqTUKdASdC2BWUYCpW3pwNXO+iD5bA9/wB2J/RYYmm6Qo7UZQU8C0lken/8EOEL -/ch0ID7C5PC0vWvLT0fM9j2JKDq8T6NRhF1MluISGDOp4pW7tEbkHo5I6zD0aPO2 -K9leN3aSUYsOVJk39VXkThwgJ4lqNEXI2xRbtW8sAf7TL1YDxLR2JN3UGvy/By5B -UblJUnECgYEA2nO+iXScKd3qqmHrdXcxf2ExZQr8QgTAsZOkb6LQ9kGQll0lBcFc -T2HlobzOaQktpF44C41zf2QpGDllbpyNT8VyQkI+CJ4pntjtKPkoPkxUeVlciFsm -7THqCGe0zQBWDnXFVfTKR12aRwkhjG+QCQyyaAaV8YztEsDI5SRCjykCgYEAyxAb -t/NTh9DBDrfJCkT21Rm9Ow70vhDaAyQLq3nJMF+BTXYDrnVMmFHCIHd+nbNP0CLs -cV/fWAF6626ko5B6ewPFQ4wXRvtNAiDNZSfeaZgvxCrvoDgVrHWhfwHSXWFqny0o -WHwIJJQvdkLW9BHwbpAQRoD1c2sy7pWIVTEyljMCgYEA0zZXwkUp/FzhWG2moANn -qzZI8N4nOpmnycnrkjiE+6Q27PsQIblrzCDmSnPnyqyiIasrWxgf1Mr95LsR9FmP -U9Ke/6tWmTR7H2e0HgqRO3LHtjCNhBVF1M6O7iN/Lzqk+gQqkUpGDaxVz1rnwgXX -6LgLAwNjFJJiYeBeHRbq98kCgYAwBdg4UbBgf0sY+vftmM+zKAorjGbvCDc25PBp -ljyxVvTSZ+WI/a6mmzdIzFnCW+S1OX0ndt/wBTGXuivvjryYmRSu29OpcscMiMtq -b9pWqKorP2g6QOlHRu5xhfHFKcO4b0qKWpLma7Epy7bgM9njm+htdBQYPrLl37FF -TIRFJwKBgGnZR5rm5iCrcIoAUMlH4/5ye5BPjHDn1NNv7Q7PZR9jhaEuoiBgvk6v -h+YVi9A9nhbaqS4/rumsNPlObeIw78713pendaWCjC4hA0urrJ4fElfuaIyZMyKE -FD64V78iaYVlmwKMJxZUnS1EFzb0XQZM7wxhB/i0wwjh+48rBHbd +MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS +dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV +eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835 +dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid +gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah +tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn +d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB +J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3 +6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD +cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0 +SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB +BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG +KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2 +iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg +zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0 +7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE +ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4 +Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0 +lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU +7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7 +yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT +1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX +uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ +dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+ +QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 3243bc294..bf8a4919d 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEojCCA4qgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEojCCA4qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzYxMloXDTE0 -MTIyMjEzMzYxMlowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTEzMFoXDTE5 +MTIyMTA4NTEzMFowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3 -YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArD8OrNy0w+T2 -cru3RQgskGCGppwpvLH/QZVHD/UbumxjKVTrz4FskqN39sFxDFDSre1bps+F7jW/ -zmOFe7c7jmZhK1mPnbviYTS4LXdo1j02pPeBNBk4b6VAIKPaYmO3UIoZZ4SPnnVZ -P7Aj3mU1ztsTbUQqgRmTsdfqiPaBNZ0zylWYPDOkTS+1sbRQHkgdZvw4fYno+Rd+ -hDK1scggL4kRg4uGvFojYciSxo5lC53Am4r8T2zI0aI6L8g57j4cX1XYQwM3tkHM -2BiCRM/c1wQc+vn+xp1oh/GYM4qoSoZyLTD9A0gqmbnF9//wvSmwpDpSkDoHZ5O3 -Ur6HZ8mByQIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD -VR0OBBYEFL9rU6QFDLvUOEIFNZROVYWN5v++MIGMBgNVHSMEgYQwgYGAFCF/p+s3 +YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSlxt8LQf1wJ +u1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1XELjKv3kcYp2McydNPq63fw9XXbu +a/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++e0xxcZS4NQ6wz57bHgARzMoCisNr +xcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5LieSMGIBQjKGCd2a3eZYhTCs6hI0vhQ +Q1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXPuMY1CwZkGcANd6vBK5YBNiZFquBj +FhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN8Xim/AewWRcKJJKdlLAAHmZD0jx2 +g/E0LGu01wIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD +VR0OBBYEFNs9CUs7SNJewkkfo1Bg7bcUEzPXMIGMBgNVHSMEgYQwgYGAFCF/p+s3 0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA -ABAwDQYJKoZIhvcNAQELBQADggEBAHhgG8qqLZX3uXDVX9uBZM8jErI78pyL9F8q -ibTW5UPp+rbbMDY7tphBbFkg5Q0pzJhOzB6I6Oy/QWVVEC20DE7lhOpMu7auS3Gn -z1t6DCIDR9NYXtKs6UXcMA0PSQ1r7iHQWvtZ0uD998k6UQfZCCOwBbonng2DAp/m -FKkaCYiZmJw2YBwf+oVNLQp2fHI61uoguiiRQ4AV5Htho0z6MDqpMyrg2F7Uf2cq -kQY/ZyvMe8VG5KuiaMJPIMdJPnRED2R4qiyHe8eDXgGYHsNhkt7VHRRgo3izqIdG -1oCv+CHQ2XSK+4dA42U0Vw7V/ExmcLy99bZfCEZwNWG6Y/5Qwww= +ABAwDQYJKoZIhvcNAQELBQADggEBAEYqXkheXXHiC5JnrZm5QUo11Vu4CtNRGeg0 +atuG8ZNHgQfa7wjjeCDNpj3lHvyegYsSMo7wGwN7DugH0mmXKZF9XHc4sU7/aUvl +mX52tDuUoCGD0/yFuKLlYOfwmsquC9snYDW7cJXaqMON/OMLcU44OR8E1oiw2ePT +FqyGFbfparp+Q8I7VHwJBs+mDphdNUlFbpuO9m2eEtqdYVyXlfUnbFpMMyWxxIY/ +6CIyWcRRKeWRRXxkk/dSeEWgsfWY7ITK9blP5nhIsgpCoEguGc6h4RL65VdH+Sy0 +9MLpesyGe6qkdrrg4nyaY82uuFXhUo0YiP0ddUw8eNaefFqEzL0= -----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem index 275162721..a75622149 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArD8OrNy0w+T2cru3RQgskGCGppwpvLH/QZVHD/UbumxjKVTr -z4FskqN39sFxDFDSre1bps+F7jW/zmOFe7c7jmZhK1mPnbviYTS4LXdo1j02pPeB -NBk4b6VAIKPaYmO3UIoZZ4SPnnVZP7Aj3mU1ztsTbUQqgRmTsdfqiPaBNZ0zylWY -PDOkTS+1sbRQHkgdZvw4fYno+Rd+hDK1scggL4kRg4uGvFojYciSxo5lC53Am4r8 -T2zI0aI6L8g57j4cX1XYQwM3tkHM2BiCRM/c1wQc+vn+xp1oh/GYM4qoSoZyLTD9 -A0gqmbnF9//wvSmwpDpSkDoHZ5O3Ur6HZ8mByQIDAQABAoIBAQCSb+WlFtpjtPPF -JUwxVzqz4Cx510gwkU+GzUemDGdvfZhsWjNEri7FGE70LQ9UPh5vGd2SmtmtZGrW -J4wjWus6LFYuCa1sl4BlzfFLTjqF8XLUm0twJITzfhVf6o3OmiIOSepBNNT5DaE7 -4R8NgxRU8bG5cnuEWF9VklBl8tR04/VHIfTHltt1p69aQ6UoECBLd+/8RBIj+L/P -TzXbgLJn7dT8DrOA9rv1p0G1reADwvclKfag4S/xyC54anRsmMNWQLE0D+QzKL29 -nXqU1wjIHBtgY7uM0svtyrMXiNi0XEBWqDdOMwCZ66TU6eGIzDDevG+q8PXmuW6v -NGxoipcRAoGBANJy4uNj2SnMTdIyoe0wFjmjntKb7DX2Ie0aZr3kygQ7VJUH6w7Z -mZXNhRf8CpaD20lnyqRjhgq1gwOrLZWpAajNPJ6uCHUVSI8+qwdMVdPSZyxRlal9 -gshsGofkiqEGa/5BW4+yDgi1C4BV+lmN8jn4ilKe4JvFGuz+F31ntDXlAoGBANGH -WKCq4u9MCxM2R2ESKkLM+vlTxRB4meMt6iPn9e0yJ1BVXTILRp7hfUwKc4ivI/SO -rc4UA3I5i6QR7TVPOVreqw/CDEmjQLhTSOWY3lHbNz1q53p8Yh6JdytaA4YYgm+I -pFL+Hh/UpPEAY1ZzsSP7KhBd7ViKblz7/Act614VAoGAXTkFJqNpZGmbI3zIXBBM -GBZR2Yu2dCTm3GgwkPfTQVKi4i2Sw45Cyagzx+8fJZOdRQQUMQPhMcc8FRjz5XLr -SEI6EzSWjH70GHgzPNVkw6NVjr1JJb5ye6PfkMj9W91DY2rCS4IdU2AXiy8K6jbF -0UY2x+iXKImEpuzbrPKOUr0CgYB1lHdGyj7JPKomYNpTfecbT34zdi/rG1J4Kybu -eVgHgJKRQSYoVC2QMUen6WGGPYp2za55K7/3VJWpP6oWtVuhQ71I/YL5u9Qw3APX -XB6+Xr80Bw7ZLH2/VzL5r+y0ToK75jkYnaP4BtN8rtQQCqJIZ8TmJF9xxVVDduCq -grlHNQKBgF06eOplOy8W7euuhvEfoxv05ZVjcFv3bFzlYPb0fBfq4Ziw97SzidH9 -Wbq3gujut9gJCKZT6BJfZtqrPeVhWp+S2SD3bDCsjNZLRBEdzdyRB5CpmDE5OQBH -EtzpR4nQa/2RJ7wRP/306PE1sQPtTpNvGIgBIUxWvt5gzyVhO1sG +MIIEpAIBAAKCAQEAsSlxt8LQf1wJu1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1 +XELjKv3kcYp2McydNPq63fw9XXbua/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++ +e0xxcZS4NQ6wz57bHgARzMoCisNrxcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5Lie +SMGIBQjKGCd2a3eZYhTCs6hI0vhQQ1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXP +uMY1CwZkGcANd6vBK5YBNiZFquBjFhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN +8Xim/AewWRcKJJKdlLAAHmZD0jx2g/E0LGu01wIDAQABAoIBAQCKdl7HhX5ZHAEL +KjwVq56wgekMhKtOOgdXheuJBJRFTE7LbaI50pkjn72ss8/+yfHQV2o3Vw5K/0oG +nzS4EhnH4Ozb7L2t2c9J8XK5C36BNoLaBMUmLq+3WsnBxhKQopKU1u8ShIwKEgQo +U8NnKYYxx2NHYECBW1dI9IZF+muYbVg420PJ4DiFMSTy5+o+UsI8X0ymV2RYZAfg +qO8WgQYHZca2ffJ4rJHi8wf4IzaH//65vP+Ij7FGzfXmBd3A9F1wP7skBYZRYPp6 +MtZ5cxfNUwkGtkmt1KaEnsmg4F1/jaB0h5+xT4pj6NqaatvoKZ5zd8zpcGktuptO +zhTa63hpAoGBAOkxtwWaJAHj1GH1CzIkCP4siySSgphtcjP96XdcIaTuGx8gp/YU +0Bj3irK3KpVNrcLgc8KzylfMiAETMlRnEb28wSfqkegCR4Lrrsw3YjEAcVPC9Vtb +/wQHc9wUGCt0OUv7EE7alB/cKnjTQzF6ZgTGTUhGv4CuL6XjhEzqiA0bAoGBAMJ8 +5V/wjaDkRDHRtaDI7xX2j4uPE7FoQYCSVtKOil3rmIrmgBCXTtWB8EQ9o3Ux6sOl +lmA3sSF1ajyPu8e2+QhQF9wAF5mvN80aPj0KXKCv6Qx/H6Tjpg3eqVr6rucOyH58 +gKnuo1YISFcjcMkNEOZy6//7SkmAAN/p0Dgk6h71AoGAVKSC9jmY0EbOFDBJvA1w +ZjHs331+ga1YQp7rWzPJ0n/KwGWuEZhEYIuZgH0Tq9XiOFYYLpfr3iqTQzCgmBpB +Skl1IvP1uez53/+EFwQTVA4BFJIzVNHzopbB6yQwEbXCBl4+8SBNm7Lih7DHNvJi +jWEdNBrZ7+9JxEDtCK4oa/kCgYBbaHwd9V97aQ2sJJYq9YV5WyLoQtzMmuV+Wkk4 +OQpLTjmpvuAd7B9/Nc0JJbc3k7h1L9RXcJVt1lOSFzP4j8TH5WzxV5HAB5xAZ78s +zTvvwf3Ug8MJqn0XM7mBKyUdL9OHr1iBhcl62/W0DtIpjFyPEyBcdWza0rCWjLvy +R1dKKQKBgQCKTLKYv0c1h2e5i4mNCGWhR83x+k1ChZZLwoEC9f65tjrbOG0UEHAn +oz9N0m6jCQvnzvN8cHgFl8yoWmnOjEnsSDFQlIRvAXGzHd4ahMB+75WbLi31H2bv +XvZyakeTVfoOVArNUwLSHozr0VIUjnRirLht939dlFj4FLih/igWFA== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem index dffbc67e9..88ce01ed5 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEoDCCA4igAwIBAgIBBDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEoDCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzczNloXDTE0 -MTIyMjEzMzczNlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTQ1N1oXDTE5 +MTIyMTA4NTQ1N1owWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPLwvUPUNIZnbX -eyz8U0COp5RM7ZLFT2iJmSGxznZ30phUNHSy3WX9V8h2kQ2fBks2x0KYWEg8Lh2y -ggZipePRpuHRnZlcll5/HY/YOUgdV2GE6euNiWKcDB6uE51sxZ+on5KasI9EJMdp -hJpytYUFjx6pExsoqWMQLigrT6A4bYogkweOZHiUyHiqgtUQcHnmmKwxgeUAkZCb -00dk7CYnXNQZ1uHj/08TDwrS37SGXfWEIcBGEx/awqlF+s2HTI6zw7NC2HhQsiSp -Yo1nz8TBr/8XnO9KyYUg04TMkcQqBFDt/qiUswLRLapn9HSyd43BxaF+YuvJ1+ip -M4G05K1nAgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQUJ/+79KP+Ea9vdAIMkUYx++cu6R0wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpJKRQ2CEG39rO +8nX7RpY+Ed5tyx+rkug3HrSInie+fgkDnLES2U1X3wvM2OczLp6L1ccROv+SzEW+ +OKfCZSz7T4GLwaRodi9KtHvfOCsbDx/vkFFwui2yt9rVUSpcbk1OiVQsA9R0G6vz +eqFIL9GtrtHWQ+dkvWy61i2A+T1X2QfhVfzvj5msL3CuZU6fnwGYD4LZz8RUGlB4 +WkSFWCctfQfgK+lpfuzq6OFFkARzxZ55D0MzgAvXY6osS8gMdiSD50Zlik7qZVvn +RO0j6TOg0WKinzguAokAyDCsaoqsOvi27QalfH48PUM+aUzHNCKnD6pswebHou3m +mvG3rH+9AgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUsBjPeVTm7TUTaXtmfv09yQS2mV8wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg -MA0GCSqGSIb3DQEBCwUAA4IBAQBlOlqceKqgr0putV9fUf2vekg5QtZGDtHFUOTH -0gDIe2DJ60bWY5IXpjj2KtzRdoP448fpPaprrh8VEljWoVvAF8LaePKGggqwcG+D -Z7ioDYlnV1j+/NnbZGM/hPqa841dh5jesTuTAF2giMod6P6eMiiRcnl9X3ltgSWp -Ahk5C8CNYw+sISJcCHtFQHdKOM4QN7wAWksvpjMWkSDQgf/rnDUgW8DXAwX/9K4V -G2etJ6/8drpjB115p6h+GYz8xFG28/MSf9BqNX03dBs5oyko2+FgSrb3ACK+pAO4 -Cpi2NKZfUH+M7Loo4baI+f5iavpDjDfar8KTiV610DAp0W2S +MA0GCSqGSIb3DQEBCwUAA4IBAQCNyAyUvqeCgWnPEMkfFFb1kBbd3me3aLRxXFb4 +TY44L6SBiFNy1s3UyFCLw1xXnSMgTpvZqHmB7fnzX7Aj6BNkPFIThEiHYN85ai4t +U9bO2nqwXfIINFt2Qlokd0QWHzDsL/o9Mmqs38ymlfIbsgwh7gCZ2HhGlOb7+QNU +IaDVIcKqBr07wX7qO/fEjKgFSkUT5eFNwQmyT3zUaE1PixK5w1hRxvs/KAsLgbfe +5ofLD88rfxvkqLwhRNU8PUzqIpqxfV1P+wS/k78z0tG+JI8yeEkcksuj9UOzlTr2 +jWL1QoxUEinR3N4dTqsW4u/Jz7R4MHdO+l9RoYZpQA8LV8s3 -----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem index e79cbdd9f..f72970c4d 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAzy8L1D1DSGZ213ss/FNAjqeUTO2SxU9oiZkhsc52d9KYVDR0 -st1l/VfIdpENnwZLNsdCmFhIPC4dsoIGYqXj0abh0Z2ZXJZefx2P2DlIHVdhhOnr -jYlinAwerhOdbMWfqJ+SmrCPRCTHaYSacrWFBY8eqRMbKKljEC4oK0+gOG2KIJMH -jmR4lMh4qoLVEHB55pisMYHlAJGQm9NHZOwmJ1zUGdbh4/9PEw8K0t+0hl31hCHA -RhMf2sKpRfrNh0yOs8OzQth4ULIkqWKNZ8/Ewa//F5zvSsmFINOEzJHEKgRQ7f6o -lLMC0S2qZ/R0sneNwcWhfmLrydfoqTOBtOStZwIDAQABAoIBAQCW49qnnl6MMiPH -V6wxsKhJvP6i8Dt+fBDUdbQ2fPmG1teeK/357ojC89XJlGbpNHo+0OxNa65gNe3m -/g+MdOjw3auFMFRrPBBiX7NNdJpy1Brv5DVrhW1N3P3TJfH3MA7RjjYFdyVAKdEZ -pjud41mX7N4VoRacjJDbTeJveLRlowB2gPcxhNZlF6gPP1ZaHwR/b1+0qOTcsxj3 -hqC7zdmMM8UGQ38S3ba7dldlCVAvJgylRX+LPTx5x32wMntaSmBy0cdRqfHtznij -MZQnJiUuAvlQyjCbt0j7jycBZrMfgS+hESHaUG7wdJUraL40hlX2L4RfIyMtriwB -9Xe5fVABAoGBAP3Bphf6k/QxbCrVyyw3Q13MMug63bj3mqhjwOJUoEu+3O4+5Qcw -bIKEOxDFy82lwVHEnYU2tyxVcLBoXP0kMVkrWQIuDSPrneSQxIO1npBZTvBIvWSr -Yh3kJa15zlF4JxljwXfjLskInRlL45gBiG8FbSuDtXTxPJBtlrIHE0lnAoGBANED -/Ct5cocPPTYDGq7FxkGEOFoZM1OTsnL68NmcOhp69uWOAgNCIZEifYBz/SSx1ISJ -QjDdie3BQ0zp2CZe5Fujtz0oT4VPsrJUcND6fZnG79aA2P2S4tXOdVbElB4fOWuT -Sd1WOmgOFAn+B907PsP2BEh2BPO2/eqy3hN38PwBAoGAZzAJ9JJG+/PlAn4xwmcu -k8Pnp5vYcdDuKS93ThIPpP2WJaOZypSca26N/kIQoC2ZMUD8tSEM15Be5L1rotzG -3HXOGh7T5Rl4+WsNHmoKcrR+byOFMJyop3MRBzwS8/oiHCb+k1vkuIcyKwk7IaLt -8geI3zsN3OIEOM73iqlp5F0CgYBbSWFGX4l8oVQ7lcl+kZRQIv41o5H+K6ChhSXR -9OCPlirlAUuxvp1IdQbZJk9mSmCl7gjBrNBDzcel/O/RelpEB9HM3SE1+SPzrNuE -+hIHKpKvXaDnxtJZTQ2EcuC58ysx56c4CyQBNDzeTFuE7Q4xqe4e86SgCMkHS02g -tR7EAQKBgQCRoTsOFcCK2jXBhfcuwcrnrTJmf6LFxW08Mfl9qxKUjz20bx6jgv7f -TrRUHavmVrrGkAc6eTtoa+2cC5ffSBWHeCD48omb+DZGPF54UbEYyRUb5umKbfI3 -M3WiHTTpeTOx2MmPwiAHhPuaWMV9jWkRG01+wIX4HybGYeEAVHE9lg== +MIIEpAIBAAKCAQEA6SSkUNghBt/azvJ1+0aWPhHebcsfq5LoNx60iJ4nvn4JA5yx +EtlNV98LzNjnMy6ei9XHETr/ksxFvjinwmUs+0+Bi8GkaHYvSrR73zgrGw8f75BR +cLotsrfa1VEqXG5NTolULAPUdBur83qhSC/Rra7R1kPnZL1sutYtgPk9V9kH4VX8 +74+ZrC9wrmVOn58BmA+C2c/EVBpQeFpEhVgnLX0H4CvpaX7s6ujhRZAEc8WeeQ9D +M4AL12OqLEvIDHYkg+dGZYpO6mVb50TtI+kzoNFiop84LgKJAMgwrGqKrDr4tu0G +pXx+PD1DPmlMxzQipw+qbMHmx6Lt5prxt6x/vQIDAQABAoIBAB6pVf7X3cgUqqcq +1f9c8idpnDIeU6Tx5h5RqHaLLjjsRG04L0WGVJio2dlv8UAW8nz7eXm3o6L/wHBa +7R0wxzCp7SSfK+sdF+0gPWZG8cxWOeH8vekwYxAtA9eoHAUZ8IrSnsJHIqq+dOfJ +iep/d3j7E9e1CHqEOwd7YXKj1MB3p0Ivhyx0k9GvlbAKRiJPGhbxD+hu86lRMsEt +su6eG5JlvKyBAgNIcx29UITj5k8MbK2MeuCIZfry0yOaOsGkQkjAtyaiTIw8g2IQ +AhuuCLqVYtkpMiIfryV74b+CtQMQoU0z2Z74SZ4hJWFlbeG4Vtzq1HeDf4y1S3mm +B1Mx7CECgYEA9IKw6Fh7SBmJa5jPw7Uttvm2iDslsOR3nrPNOfMWwSK3i0j4OCIE +kCqKnJJfj2JeBupfHrIJzJ2+otGauxQt3I65VOo0PwQBb90xIHAiXdsYoXadB6MC +XUo0zKrDWC0EVyVwN+nyaCJVwsKm4XomHgSvitUSNA0dSTATfPXwQJkCgYEA9Bk1 +VN2KG6Bjcm2ISls+OOKgp2kG68ayG4ZXg+xt06+qsYq0+BwCrottQpXFpMVJbE/z +/6U294PBqJ9Z7LATptMzWhTKyO0pGBHvy8LUz/3qBF7yJFN2s+QbmKf4RIhfSDNU +CD2bPI17Kgj3sipEcbiwz9U6wpzp+IDnAfPdWsUCgYBl/5ri4f5TnmuIGhAZuRvf +552wiNP5TeVkq+bh1LlaSiw9C2yYpgA3T7fRBvKcMtG8msqhWG3kEK305/FfN1TG +XDeN58FxxC8BRkl3GbAMbRiCSqPJCsQyvID4HAgvYWAdJn4ApTQ9Io2aGG9bQgRi +o1vDU40rb4kW/dozV7koiQKBgQDoQgwiweElREkbmejyhzr/OXQPlrmFIjxaQEuJ +NS+TGjTaVda3tT9AAV5m2seCbk3ch37tIrDYdj+QSH9x3F/2fkMAVYRWBoLxai+2 +u51ugnVmz0irE9eAd21ipYBvBStUMbKlXKkWxrAIYRv+JIWXh1qFhqgwgMmHMG+d +xgI62QKBgQC2WYhZvLGrJ5g9G8E9pqOAz0FlxBqbPXJDe9n4Il8huF/+i678covC +dtbo1il8qcs0Lmm8M6vj78Meh+k4L0y7YAjUsaLpQ9rwNaZMHP+GyZWE5ygmtNhE +DP13WKX5SEbDZbClEgX+gHRmywC5m6hDSx21iekhbTfnUm2FQTA83w== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem index 7f5f8d703..124e2ae46 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem @@ -1,28 +1,28 @@ -----BEGIN CERTIFICATE----- -MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0 -MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 +MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm -RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG -aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs -BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU -lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO -wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51 -vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 +GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu +uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA +PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 +jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd +D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK +KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY -AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX -QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S -smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1 -Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O -vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC -kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6 -Y0Y2hqCja6SsIjVc +AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL +aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo +830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 +lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 +NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR +pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu +Mc/lk4Nl8pHRO+Xm -----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem index 8295f97c1..11607c8cb 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q -t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/ -rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW -B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi -aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi -81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot -teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI -B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT -p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd -yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq -+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea -zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv -AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/ -dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn -UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2 -1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9 -yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu -fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc -3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC -reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb -zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV -3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu -uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR -OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn -gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA== +MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 +unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd +GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb +kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg +z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY +pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ +ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB +u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 +ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt +pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV +VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ +ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ +intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku +4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I +HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd +iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE +caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX +b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 +8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 +J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 +3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 +NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh +VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU +KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof +50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H -----END RSA PRIVATE KEY----- diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown index aea6d8555..7c510261d 100755 --- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown +++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown index aea6d8555..7c510261d 100755 --- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown +++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown index 1a68ada0e..1b362e65c 100755 --- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown +++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown index 1a68ada0e..1b362e65c 100755 --- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown +++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown index 1a68ada0e..1b362e65c 100755 --- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown +++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown index 1a68ada0e..1b362e65c 100755 --- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown +++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat index d59ea3c34..3a9493ba3 100644 --- a/testing/tests/libipsec/rw-suite-b/evaltest.dat +++ b/testing/tests/libipsec/rw-suite-b/evaltest.dat @@ -1,8 +1,8 @@ carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES +dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES -moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-256 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown index 15c239466..7d0c583b3 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown +++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -395,7 +227,7 @@ down-host:) # connection to me going down # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_ME $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ @@ -406,8 +238,8 @@ up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT @@ -444,7 +276,7 @@ down-client:) if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ @@ -462,6 +294,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -486,6 +326,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -525,6 +372,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -568,6 +424,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -584,16 +447,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown index 15c239466..7d0c583b3 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown +++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -395,7 +227,7 @@ down-host:) # connection to me going down # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_ME $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ @@ -406,8 +238,8 @@ up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT @@ -444,7 +276,7 @@ down-client:) if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ @@ -462,6 +294,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -486,6 +326,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -525,6 +372,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -568,6 +424,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -584,16 +447,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown index 15c239466..7d0c583b3 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown +++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -395,7 +227,7 @@ down-host:) # connection to me going down # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_ME $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ @@ -406,8 +238,8 @@ up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT @@ -444,7 +276,7 @@ down-client:) if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ @@ -462,6 +294,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -486,6 +326,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -525,6 +372,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -568,6 +424,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -584,16 +447,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem new file mode 100644 index 000000000..4d99866f7 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm +MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ +qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1 +ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR +fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN +2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9 +K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7 +mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc +ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f +XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy +Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx +J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj +zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0 +8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT +61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo +PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug +bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b +eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1 +ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am +DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt +v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0 +fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw +y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC +h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2 +cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem new file mode 100644 index 000000000..d8fad9aad --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB +eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+ +mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV +sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK +3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ +mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl +QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw +HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH +eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54 +/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/ +RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc +Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY +Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/ +Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h +BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv +NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF +wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc +JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78 +5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf +mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi +N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr +r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX +jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy +gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV +zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat index 0110bb996..55ac10935 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat @@ -6,9 +6,9 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES -carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf index 4a5e52dbd..d94b17950 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + signature_authentication = no } diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat index 8a4215dcc..2d7324a9a 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat @@ -2,10 +2,10 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon. dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES -moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES -carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES -dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES +dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat index 7169a091d..a0831f746 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat @@ -1,7 +1,7 @@ dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat index 57cbee1d4..200ec3cfb 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat @@ -1,7 +1,7 @@ dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-384 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat index e1d33feb7..73173f06b 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat +++ b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES diff --git a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat index 1648c9557..1206ea4b7 100644 --- a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat +++ b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat @@ -1,6 +1,6 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES -moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES +moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/swanctl/net2net-cert-ipv6/description.txt b/testing/tests/swanctl/net2net-cert-ipv6/description.txt deleted file mode 100755 index 5952ecc2d..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -An IPv6 ESP tunnel connection between the gateways moon and sun is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, leftfirewall=yes -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client alice behind moon -sends an IPv6 ICMP request to client bob behind sun using the ping6 command. diff --git a/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat b/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat deleted file mode 100755 index cdbecd553..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES -sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf deleted file mode 100755 index bd131af39..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random -} - -charon { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici - - fragment_size = 1400 -} - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf deleted file mode 100755 index 16e145cd7..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - gw-gw { - local_addrs = fec0::1 - remote_addrs = fec0::2 - - local { - auth = pubkey - certs = moonCert.pem - id = moon.strongswan.org - } - remote { - auth = pubkey - id = sun.strongswan.org - } - children { - net-net { - local_ts = fec1::0/16 - remote_ts = fec2::0/16 - - start_action = none - updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 - } - } - - version = 2 - mobike = no - fragmentation = yes - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 - } -} diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf deleted file mode 100755 index bd131af39..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random -} - -charon { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici - - fragment_size = 1400 -} - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf deleted file mode 100755 index 90aa137f0..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - gw-gw { - local_addrs = fec0::2 - remote_addrs = fec0::1 - - local { - auth = pubkey - certs = sunCert.pem - id = sun.strongswan.org - } - remote { - auth = pubkey - id = moon.strongswan.org - } - children { - net-net { - local_ts = fec2::0/16 - remote_ts = fec1::0/16 - - start_action = none - updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 - } - } - - version = 2 - mobike = no - fragmentation = yes - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 - } -} diff --git a/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat b/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat deleted file mode 100755 index a40a7dd2f..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null -alice::"ip route del fec2:\:/16 via fec1:\:1" -moon::"ip route del fec2:\:/16 via fec0:\:2" -sun::"ip route del fec1:\:/16 via fec0:\:1" -bob::"ip route del fec1:\:/16 via fec2:\:1" -moon::iptables-restore < /etc/iptables.flush -sun::iptables-restore < /etc/iptables.flush -moon::ip6tables-restore < /etc/ip6tables.flush -sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat b/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat deleted file mode 100755 index 36e8e1999..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat +++ /dev/null @@ -1,16 +0,0 @@ -moon::iptables-restore < /etc/iptables.drop -sun::iptables-restore < /etc/iptables.drop -moon::ip6tables-restore < /etc/ip6tables.rules -sun::ip6tables-restore < /etc/ip6tables.rules -alice::"ip route add fec2:\:/16 via fec1:\:1" -moon::"ip route add fec2:\:/16 via fec0:\:2" -sun::"ip route add fec1:\:/16 via fec0:\:1" -bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null -moon::sleep 1 -moon::swanctl --load-conns 2> /dev/null -sun::swanctl --load-conns 2> /dev/null -moon::swanctl --load-creds 2> /dev/null -sun::swanctl --load-creds 2> /dev/null -moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-cert-ipv6/test.conf b/testing/tests/swanctl/net2net-cert-ipv6/test.conf deleted file mode 100755 index 646b8b3e6..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/tkm/host2host-initiator/evaltest.dat b/testing/tests/tkm/host2host-initiator/evaltest.dat index d8d44dff6..de50ab32b 100644 --- a/testing/tests/tkm/host2host-initiator/evaltest.dat +++ b/testing/tests/tkm/host2host-initiator/evaltest.dat @@ -10,3 +10,7 @@ moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES +moon::DAEMON_NAME=charon-tkm ipsec down conn1 && sleep 1::no output expected::NO +moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES +moon::cat /tmp/tkm.log::Resetting ESA context 1::YES +moon::cat /tmp/tkm.log::Deleting SA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES diff --git a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat index 7c8c6b24a..f5143f19a 100644 --- a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat +++ b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat @@ -5,6 +5,7 @@ sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES diff --git a/testing/tests/tkm/multiple-clients/evaltest.dat b/testing/tests/tkm/multiple-clients/evaltest.dat index 8e0042102..1f0c88b53 100644 --- a/testing/tests/tkm/multiple-clients/evaltest.dat +++ b/testing/tests/tkm/multiple-clients/evaltest.dat @@ -15,8 +15,7 @@ dave::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES sun::cat /tmp/tkm.log::RSA private key '/etc/tkm/sunKey.der' loaded::YES sun::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.2 <-> 192.168.0.100 \]::YES sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES -sun::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES -sun::cat /tmp/tkm.log::Checked CA certificate of CC context 2::YES +sun::cat /tmp/tkm.log | grep "Checked CA certificate of CC context 1" | wc -l::2::YES sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES sun::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES diff --git a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat index a38dba0ee..98eff247f 100644 --- a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat +++ b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat @@ -5,6 +5,7 @@ sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES diff --git a/testing/tests/tkm/xfrmproxy-expire/description.txt b/testing/tests/tkm/xfrmproxy-expire/description.txt new file mode 100644 index 000000000..9578cd8f3 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/description.txt @@ -0,0 +1,6 @@ +A transport connection between the hosts moon and sun is set up. +The host moon starts the Trusted Key Manager (TKM) and the Ada XFRM +proxy, which relays XFRM kernel messages to charon. The authentication is based +on X.509 certificates. The connection is initiated by a ping from moon +to sun. The test asserts that XFRM expire messages from the kernel are +handled correctly. diff --git a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat new file mode 100644 index 000000000..96b486a07 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat @@ -0,0 +1,22 @@ +moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES +sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES +moon::cat /var/log/daemon.log::ees: expire received for reqid 1, spi.*, dst 192.168.0.2::YES +moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES +moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES +moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES +moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES +moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES +moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES +moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES +moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES +moon::cat /tmp/tkm.log | grep 'Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 2, hard 60 \]' | wc -l::2::YES +moon::cat /tmp/tkm.log::Resetting ESA context 1::YES +moon::cat /tmp/tkm.log::Deleting SA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES +moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES +moon::cat /tmp/xfrm_proxy.log::Initiating ESA expire (reqid 1, proto 50, SPI.*, hard FALSE)::YES diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..cc9d6e072 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf @@ -0,0 +1,8 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon-tkm { + dh_mapping { + 15 = 1 + 16 = 2 + } +} diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der new file mode 100644 index 000000000..d3748930a Binary files /dev/null and b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der differ diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der new file mode 100644 index 000000000..a5a631f4b Binary files /dev/null and b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der differ diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf new file mode 100644 index 000000000..23e958ab0 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf @@ -0,0 +1,21 @@ + + + moon.strongswan.org + moonCert.pem + + + transport + + 1 + 192.168.0.1 + + + sun.strongswan.org + 192.168.0.2 + + + 2 + 60 + + + diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..e52a04f42 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn host-host + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=sun.strongswan.org + right=PH_IP_MOON + rightid=moon.strongswan.org + ike=aes256-sha512-modp4096! + esp=aes256-sha512-modp4096! + type=transport + auto=add diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..f585edfca --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/tkm/xfrmproxy-expire/posttest.dat b/testing/tests/tkm/xfrmproxy-expire/posttest.dat new file mode 100644 index 000000000..99efe7b00 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/posttest.dat @@ -0,0 +1,5 @@ +moon::DAEMON_NAME=charon-tkm ipsec stop +moon::killall xfrm_proxy +moon::killall tkm_keymanager +moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log +sun::ipsec stop diff --git a/testing/tests/tkm/xfrmproxy-expire/pretest.dat b/testing/tests/tkm/xfrmproxy-expire/pretest.dat new file mode 100644 index 000000000..d645ddbfe --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/pretest.dat @@ -0,0 +1,12 @@ +sun::ipsec start +moon::rm /etc/ipsec.secrets +moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +moon::cat /etc/ipsec.conf +moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 & +moon::expect-file /tmp/tkm.rpc.ike +moon::DAEMON_NAME=charon-tkm ipsec start +moon::expect-file /tmp/tkm.rpc.ees +moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 & +moon::DAEMON_NAME=charon-tkm expect-connection conn1 +sun::expect-connection host-host +moon::ping -c 3 192.168.0.2 diff --git a/testing/tests/tkm/xfrmproxy-expire/test.conf b/testing/tests/tkm/xfrmproxy-expire/test.conf new file mode 100644 index 000000000..9647dc6a2 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat index d93407434..b9eee4f57 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat @@ -1,8 +1,8 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat index e22b767f7..224807860 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat @@ -1,8 +1,8 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat index e22b767f7..224807860 100644 --- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat @@ -1,8 +1,8 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES diff --git a/testing/tests/tnc/tnccs-20-fail-init/description.txt b/testing/tests/tnc/tnccs-20-fail-init/description.txt new file mode 100644 index 000000000..91fbbaad9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/description.txt @@ -0,0 +1,10 @@ +The roadwarriors carol and dave set up a connection each to gateway moon +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the TNCCS 2.0 client-server interface +compliant with RFC 5793 PB-TNC. +

    +Unfortunately carol sends her first PB-TNC batch with a wrong version number and +dave sends a PB-TNC message not supported by moon with the NOSKIP flag set. +Therefore both connection setups fail due to fatal PB-TNC errors. diff --git a/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat new file mode 100644 index 000000000..4cbf60ff7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat @@ -0,0 +1,10 @@ +moon:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES +carol::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES +carol::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES +carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::reject PB-TNC message (0x00902a/0x00000000)::YES +dave:: cat /var/log/daemon.log::received fatal PB-TNC error.*Unsupported Mandatory Message::YES +dave::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..e2bf349d9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=any + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..fcd224651 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf @@ -0,0 +1,23 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + + multiple_authentication = no + + plugins { + tnccs-20 { + tests { + pb_tnc_version = 3 + } + } + } +} + +libimcv { + plugins { + imc-test { + command = allow + } + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..bfa666761 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..504408488 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=moon.strongswan.org + rightauth=any + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..76f413722 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf @@ -0,0 +1,26 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + + multiple_authentication = no + + plugins { + tnc-imc { + preferred_language = ru, pl , de + } + tnccs-20 { + tests { + pb_tnc_noskip = yes + } + } + } +} + +libimcv { + plugins { + imc-test { + command = isolate + } + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..bfa666761 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..e21ef0d14 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf @@ -0,0 +1,34 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imv 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..9c13fcb67 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf @@ -0,0 +1,23 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown + + multiple_authentication = no + + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + } +} + +libimcv { + plugins { + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..61b141062 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for strongSwan client + +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat new file mode 100644 index 000000000..b757d8b15 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat @@ -0,0 +1,6 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat new file mode 100644 index 000000000..38c651328 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat @@ -0,0 +1,12 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/tnc/tnccs-20-fail-init/test.conf b/testing/tests/tnc/tnccs-20-fail-init/test.conf new file mode 100644 index 000000000..3c8e3996f --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/tnc/tnccs-20-fail-resp/description.txt b/testing/tests/tnc/tnccs-20-fail-resp/description.txt new file mode 100644 index 000000000..0aa07193c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/description.txt @@ -0,0 +1,9 @@ +The roadwarrior carol sets up a connection to gateway moon +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the client doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol via the TNCCS 2.0 client-server interface +compliant with RFC 5793 PB-TNC. +

    +Unfortunately moon sends his first PB-TNC batch with a wrong version number . +Therefore the connection setup fails due to a fatal PB-TNC error. diff --git a/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat new file mode 100644 index 000000000..df4bdc857 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat @@ -0,0 +1,5 @@ +carol:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES +moon::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES +moon::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES +carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..e2bf349d9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=any + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ed6d6f718 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + + multiple_authentication = no +} + +libimcv { + plugins { + imc-test { + command = allow + } + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..bfa666761 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..e21ef0d14 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf @@ -0,0 +1,34 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imv 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..626731f58 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf @@ -0,0 +1,28 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown + + multiple_authentication = no + + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + tnccs-20 { + tests { + pb_tnc_version = 3 + } + } + } +} + +libimcv { + plugins { + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..61b141062 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for strongSwan client + +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat new file mode 100644 index 000000000..80ce1a125 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat @@ -0,0 +1,4 @@ +carol::ipsec stop +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat new file mode 100644 index 000000000..6947c4bdf --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/tnc/tnccs-20-fail-resp/test.conf b/testing/tests/tnc/tnccs-20-fail-resp/test.conf new file mode 100644 index 000000000..e8430743e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/description.txt b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt new file mode 100644 index 000000000..6c79b8c49 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt @@ -0,0 +1,3 @@ +The hosts moon and sun do mutual TNC measurements over IKEv2-EAP +using the PA-TNC, PB-TNC and PT-EAP protocols. The authentication is based on +X.509 certificates. diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat new file mode 100644 index 000000000..0ef7b5d7d --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat @@ -0,0 +1,11 @@ +moon::cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES +sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES +moon::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES +sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..47a0283dc --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imc 2, imv 2" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn host-host + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=moon.strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_SUN + rightid=sun.strongswan.org + rightsendcert=never + rightauth=any + auto=add diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..953e7fcea --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf @@ -0,0 +1,26 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown + + multiple_authentication = no + plugins { + eap-ttls { + phase2_tnc =yes + } + tnccs-20 { + mutual = yes + } + } +} + +libimcv { + plugins { + imc-test { + command = allow + } + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..476e8807e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC/IMV configuration file for strongSwan endpoint + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..c20bce930 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imc 2, imv 2" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn host-host + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=sun.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + right=PH_IP_MOON + rightid=moon.strongswan.org + rightauth=eap-ttls + rightsendcert=never + auto=add diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..570126a0e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf @@ -0,0 +1,28 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown + + multiple_authentication = no + plugins { + eap-ttls { + request_peer_auth = yes + phase2_piggyback = yes + phase2_tnc =yes + } + tnccs-20 { + mutual = yes + } + } +} + +libimcv { + plugins { + imc-test { + command = allow + } + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config new file mode 100644 index 000000000..476e8807e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC/IMV configuration file for strongSwan endpoint + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat new file mode 100644 index 000000000..1f7aa73a1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat new file mode 100644 index 000000000..3bce9f6e5 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up host-host diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/test.conf b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf new file mode 100644 index 000000000..55d6e9fd6 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt new file mode 100644 index 000000000..09ab8e9f1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt @@ -0,0 +1,3 @@ +The hosts moon and sun do mutual TNC measurements using the +PA-TNC, PB-TNC and PT-TLS protocols. The authentication is based on +X.509 certificates. diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat new file mode 100644 index 000000000..eb996192d --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::PT-TLS authentication complete::YES +sun:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES +moon::cat /var/log/auth.log::activating mutual PB-TNC half duplex protocol::YES +sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES +moon::cat /var/log/auth.log::PB-TNC access recommendation is.*Access Allowed::YES +sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..98c415edb --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf @@ -0,0 +1,3 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +/* configuration is read from /etc/pts/options */ diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options new file mode 100644 index 000000000..79ae1e866 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options @@ -0,0 +1,8 @@ +--connect sun.strongswan.org +--client moon.strongswan.org +--key /etc/ipsec.d/private/moonKey.pem +--cert /etc/ipsec.d/certs/moonCert.pem +--cert /etc/ipsec.d/cacerts/strongswanCert.pem +--mutual +--quiet +--debug 2 diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..fafdac4aa --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pt-tls-client { + load = x509 openssl pem pkcs1 random nonce revocation curl tnc-tnccs tnc-imc tnc-imv tnccs-20 +} + +libimcv { + plugins { + imc-test { + command = allow + } + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..476e8807e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC/IMV configuration file for strongSwan endpoint + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..ba629a24f --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf @@ -0,0 +1,9 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imc 2, imv 2" + +conn pdp + leftcert=sunCert.pem + leftid=sun.strongswan.org + auto=add diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..05ffdb178 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf @@ -0,0 +1,28 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 + + plugins { + tnc-pdp { + server = sun.strongswan.org + radius { + enable = no + } + } + tnccs-20 { + mutual = yes + } + } +} + +libimcv { + plugins { + imc-test { + command = allow + } + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config new file mode 100644 index 000000000..476e8807e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC/IMV configuration file for strongSwan endpoint + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat new file mode 100644 index 000000000..e6ccb14fe --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat @@ -0,0 +1 @@ +sun::ipsec stop diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat new file mode 100644 index 000000000..fab55d11a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat @@ -0,0 +1,4 @@ +sun::ipsec start +moon::cat /etc/pts/options +moon::sleep 1 +moon::ipsec pt-tls-client --optionsfrom /etc/pts/options diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf new file mode 100644 index 000000000..55d6e9fd6 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat index a86fcff61..f744453e6 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat @@ -1,10 +1,10 @@ -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES dave:: cat /var/log/daemon.log::collected ... SWID tags::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES carol::cat /var/log/daemon.log::collected ... SWID tag IDs::YES carol::cat /var/log/daemon.log::collected 1 SWID tag::YES -- cgit v1.2.3 From fc556ec2bc92a9d476c11406fad2c33db8bf7cb0 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Mon, 1 Jun 2015 14:46:30 +0200 Subject: Imported Upstream version 5.3.1 --- Android.common.mk | 2 +- Doxyfile.in | 4 +- Makefile.am | 6 +- Makefile.in | 6 +- NEWS | 16 + conf/Makefile.am | 1 + conf/Makefile.in | 1 + conf/options/imv_policy_manager.conf | 18 + conf/options/imv_policy_manager.opt | 13 + conf/plugins/kernel-netlink.conf | 3 + conf/plugins/kernel-netlink.opt | 3 + conf/strongswan.conf.5.main | 22 + config.h.in | 3 + configure | 182 +- configure.ac | 41 +- init/Makefile.am | 2 + init/Makefile.in | 2 +- man/ipsec.conf.5.in | 2 +- scripts/Makefile.am | 4 +- scripts/Makefile.in | 20 +- scripts/crypt_burn.c | 264 ++- scripts/timeattack.c | 418 ++++ src/charon-nm/charon-nm.c | 3 + src/charon-tkm/src/tkm/tkm_id_manager.c | 2 - src/charon-tkm/src/tkm/tkm_kernel_ipsec.c | 17 +- src/charon-tkm/src/tkm/tkm_kernel_sad.c | 89 +- src/charon-tkm/src/tkm/tkm_kernel_sad.h | 21 +- src/charon-tkm/src/tkm/tkm_keymat.c | 15 +- src/charon-tkm/src/tkm/tkm_listener.c | 9 + src/charon-tkm/src/tkm/tkm_nonceg.c | 53 +- src/charon-tkm/src/tkm/tkm_nonceg.h | 8 - src/charon-tkm/tests/kernel_sad_tests.c | 48 +- src/charon-tkm/tests/keymat_tests.c | 2 +- src/charon-tkm/tests/nonceg_tests.c | 1 - src/ipsec/_ipsec.8 | 2 +- src/libcharon/bus/bus.c | 34 +- src/libcharon/bus/bus.h | 13 +- src/libcharon/bus/listeners/listener.h | 17 +- src/libcharon/encoding/message.c | 66 +- .../encoding/payloads/encrypted_payload.c | 5 + src/libcharon/encoding/payloads/payload.c | 2 + src/libcharon/encoding/payloads/payload.h | 7 +- src/libcharon/encoding/payloads/unknown_payload.c | 8 + src/libcharon/encoding/payloads/unknown_payload.h | 8 + src/libcharon/network/receiver.c | 2 +- src/libcharon/plugins/eap_aka/eap_aka_server.c | 5 +- .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c | 3 +- .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c | 3 +- src/libcharon/plugins/eap_md5/eap_md5.c | 3 +- src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 7 +- .../plugins/eap_radius/eap_radius_accounting.c | 390 +++- src/libcharon/plugins/eap_sim/eap_sim_peer.c | 3 +- src/libcharon/plugins/eap_sim/eap_sim_server.c | 3 +- .../plugins/eap_sim_file/eap_sim_file_card.c | 3 +- src/libcharon/plugins/ha/ha_cache.c | 12 +- src/libcharon/plugins/ha/ha_cache.h | 3 +- src/libcharon/plugins/ha/ha_plugin.c | 128 +- src/libcharon/plugins/vici/libvici.h | 29 +- src/libcharon/plugins/vici/python/Makefile.am | 12 +- src/libcharon/plugins/vici/python/Makefile.in | 17 +- src/libcharon/plugins/vici/ruby/Makefile.am | 4 +- src/libcharon/plugins/vici/ruby/Makefile.in | 14 +- src/libcharon/plugins/vici/vici_config.c | 37 + src/libcharon/plugins/vici/vici_dispatcher.c | 41 + src/libcharon/plugins/vici/vici_dispatcher.h | 33 + src/libcharon/plugins/vici/vici_plugin.c | 24 + src/libcharon/plugins/vici/vici_query.c | 85 + src/libcharon/plugins/vici/vici_query.h | 28 + src/libcharon/plugins/vici/vici_socket.c | 46 +- .../plugins/xauth_generic/xauth_generic.c | 2 +- src/libcharon/processing/jobs/adopt_children_job.c | 20 +- src/libcharon/sa/ike_sa_manager.c | 4 +- .../sa/ikev1/authenticators/psk_v1_authenticator.c | 2 +- src/libcharon/sa/ikev1/task_manager_v1.c | 5 + .../sa/ikev2/authenticators/eap_authenticator.c | 2 +- .../sa/ikev2/authenticators/psk_authenticator.c | 2 +- src/libcharon/sa/ikev2/keymat_v2.c | 15 +- src/libcharon/sa/ikev2/task_manager_v2.c | 18 +- src/libcharon/sa/ikev2/tasks/child_create.c | 43 +- src/libcharon/sa/ikev2/tasks/ike_init.c | 53 +- src/libcharon/sa/ikev2/tasks/ike_mobike.c | 2 +- src/libcharon/sa/ikev2/tasks/ike_vendor.c | 10 + .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 2 +- .../plugins/kernel_netlink/kernel_netlink_net.c | 24 + .../plugins/kernel_netlink/kernel_netlink_shared.c | 18 +- src/libhydra/plugins/kernel_netlink/tests.c | 2 - src/libimcv/ietf/ietf_attr_attr_request.c | 27 +- src/libimcv/ietf/ietf_attr_fwd_enabled.h | 2 +- src/libimcv/ietf/ietf_attr_numeric_version.h | 2 +- src/libimcv/ietf/ietf_attr_op_status.h | 2 +- src/libimcv/imc/imc_os_info.c | 4 +- src/libimcv/imv/imv_policy_manager.c | 22 +- src/libimcv/pa_tnc/pa_tnc_msg.c | 9 +- src/libimcv/plugins/imc_os/imc_os.c | 6 +- .../imv_attestation/imv_attestation_process.c | 7 +- src/libimcv/pts/components/ita/ita_comp_ima.c | 9 +- src/libimcv/pts/components/ita/ita_comp_tboot.c | 3 +- src/libimcv/pts/components/ita/ita_comp_tgrub.c | 2 +- src/libimcv/pts/pts_database.c | 4 +- src/libimcv/pts/pts_file_meas.c | 8 +- src/libipsec/esp_context.c | 9 +- src/libipsec/ipsec_sa_mgr.c | 2 +- src/libpttls/sasl/sasl_plain/sasl_plain.c | 2 +- src/libradius/radius_message.c | 2 +- src/libradius/radius_socket.c | 104 +- src/libsimaka/Makefile.am | 4 + src/libsimaka/Makefile.in | 11 +- src/libstrongswan/Android.mk | 9 +- src/libstrongswan/Makefile.am | 23 +- src/libstrongswan/Makefile.in | 286 +-- src/libstrongswan/asn1/asn1.c | 4 + src/libstrongswan/crypto/aead.c | 4 +- src/libstrongswan/crypto/aead.h | 3 +- src/libstrongswan/crypto/crypto_factory.c | 182 +- src/libstrongswan/crypto/crypto_factory.h | 21 +- src/libstrongswan/crypto/crypto_tester.c | 193 +- src/libstrongswan/crypto/crypto_tester.h | 41 + src/libstrongswan/crypto/diffie_hellman.h | 12 + src/libstrongswan/crypto/iv/iv_gen.c | 61 + src/libstrongswan/crypto/iv/iv_gen.h | 8 + src/libstrongswan/crypto/iv/iv_gen_seq.c | 24 + src/libstrongswan/crypto/iv/iv_gen_seq.h | 3 + src/libstrongswan/crypto/signers/mac_signer.c | 3 +- src/libstrongswan/crypto/transform.c | 32 + src/libstrongswan/crypto/transform.h | 8 + src/libstrongswan/plugins/aesni/Makefile.am | 26 + src/libstrongswan/plugins/aesni/Makefile.in | 793 +++++++ src/libstrongswan/plugins/aesni/aesni_cbc.c | 671 ++++++ src/libstrongswan/plugins/aesni/aesni_cbc.h | 48 + src/libstrongswan/plugins/aesni/aesni_ccm.c | 914 ++++++++ src/libstrongswan/plugins/aesni/aesni_ccm.h | 50 + src/libstrongswan/plugins/aesni/aesni_cmac.c | 371 ++++ src/libstrongswan/plugins/aesni/aesni_cmac.h | 52 + src/libstrongswan/plugins/aesni/aesni_ctr.c | 643 ++++++ src/libstrongswan/plugins/aesni/aesni_ctr.h | 48 + src/libstrongswan/plugins/aesni/aesni_gcm.c | 1447 +++++++++++++ src/libstrongswan/plugins/aesni/aesni_gcm.h | 50 + src/libstrongswan/plugins/aesni/aesni_key.c | 301 +++ src/libstrongswan/plugins/aesni/aesni_key.h | 65 + src/libstrongswan/plugins/aesni/aesni_plugin.c | 125 ++ src/libstrongswan/plugins/aesni/aesni_plugin.h | 42 + src/libstrongswan/plugins/aesni/aesni_xcbc.c | 367 ++++ src/libstrongswan/plugins/aesni/aesni_xcbc.h | 52 + src/libstrongswan/plugins/af_alg/af_alg_signer.c | 2 +- src/libstrongswan/plugins/ccm/ccm_aead.c | 2 +- src/libstrongswan/plugins/fips_prf/fips_prf.c | 2 - src/libstrongswan/plugins/gcm/gcm_aead.c | 2 +- src/libstrongswan/plugins/gcrypt/gcrypt_dh.c | 19 + src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c | 3 + src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c | 10 + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 5 +- .../plugins/openssl/openssl_crypter.c | 2 + .../plugins/openssl/openssl_diffie_hellman.c | 13 + .../plugins/openssl/openssl_ec_diffie_hellman.c | 44 + src/libstrongswan/plugins/openssl/openssl_hmac.c | 22 +- src/libstrongswan/plugins/openssl/openssl_pkcs7.c | 2 +- .../plugins/openssl/openssl_rsa_public_key.c | 2 +- src/libstrongswan/plugins/padlock/padlock_plugin.c | 97 +- src/libstrongswan/plugins/pkcs12/pkcs12_decode.c | 2 +- .../plugins/pkcs7/pkcs7_signed_data.c | 2 +- src/libstrongswan/plugins/plugin_feature.c | 2 + src/libstrongswan/plugins/rdrand/rdrand_plugin.c | 55 +- src/libstrongswan/plugins/sqlite/sqlite_database.c | 27 +- src/libstrongswan/plugins/sqlite/sqlite_plugin.c | 9 +- src/libstrongswan/plugins/test_vectors/Makefile.am | 4 + src/libstrongswan/plugins/test_vectors/Makefile.in | 19 +- .../plugins/test_vectors/test_vectors.h | 32 + .../plugins/test_vectors/test_vectors/aes_ccm.c | 79 + .../plugins/test_vectors/test_vectors/aes_gcm.c | 150 ++ .../plugins/test_vectors/test_vectors/ecp.c | 134 ++ .../plugins/test_vectors/test_vectors/ecpbp.c | 113 + .../plugins/test_vectors/test_vectors/modp.c | 731 +++++++ .../plugins/test_vectors/test_vectors/modpsub.c | 164 ++ .../plugins/test_vectors/test_vectors_plugin.c | 29 +- src/libstrongswan/tests/suites/test_chunk.c | 27 + src/libstrongswan/tests/suites/test_enum.c | 10 + src/libstrongswan/tests/suites/test_threading.c | 31 + src/libstrongswan/tests/suites/test_utils.c | 86 + src/libstrongswan/tests/suites/test_vectors.c | 34 +- src/libstrongswan/tests/test_runner.c | 22 +- src/libstrongswan/tests/test_runner.h | 4 + src/libstrongswan/tests/test_suite.h | 6 +- src/libstrongswan/tests/tests.c | 3 +- src/libstrongswan/threading/thread.c | 39 +- src/libstrongswan/threading/thread.h | 10 + src/libstrongswan/threading/windows/thread.c | 20 + src/libstrongswan/utils/chunk.h | 13 + src/libstrongswan/utils/cpu_feature.c | 158 ++ src/libstrongswan/utils/cpu_feature.h | 62 + src/libstrongswan/utils/enum.c | 6 +- src/libstrongswan/utils/leak_detective.c | 5 +- src/libstrongswan/utils/utils.c | 739 +------ src/libstrongswan/utils/utils.h | 895 +------- src/libstrongswan/utils/utils/align.c | 62 + src/libstrongswan/utils/utils/align.h | 86 + src/libstrongswan/utils/utils/atomics.c | 112 + src/libstrongswan/utils/utils/atomics.h | 130 ++ src/libstrongswan/utils/utils/byteorder.h | 161 ++ src/libstrongswan/utils/utils/memory.c | 237 +++ src/libstrongswan/utils/utils/memory.h | 183 ++ src/libstrongswan/utils/utils/object.h | 126 ++ src/libstrongswan/utils/utils/path.c | 168 ++ src/libstrongswan/utils/utils/path.h | 77 + src/libstrongswan/utils/utils/status.c | 48 + src/libstrongswan/utils/utils/status.h | 72 + src/libstrongswan/utils/utils/strerror.h | 3 +- src/libstrongswan/utils/utils/string.c | 91 + src/libstrongswan/utils/utils/string.h | 103 + src/libstrongswan/utils/utils/time.c | 143 ++ src/libstrongswan/utils/utils/time.h | 91 + src/libstrongswan/utils/utils/tty.c | 86 + src/libstrongswan/utils/utils/tty.h | 65 + src/libstrongswan/utils/utils/types.h | 87 + src/libtls/tls_peer.c | 9 +- src/libtls/tls_server.c | 2 +- src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c | 2 +- .../plugins/tnccs_20/messages/pb_tnc_msg.h | 2 +- src/starter/Android.mk | 2 +- src/starter/Makefile.am | 4 - src/starter/Makefile.in | 7 +- src/starter/confread.c | 23 - src/starter/confread.h | 1 - src/starter/starter.c | 9 +- src/starter/starterstroke.c | 308 +-- src/stroke/stroke.c | 281 +-- src/stroke/stroke_msg.h | 18 +- src/swanctl/command.c | 45 +- src/swanctl/command.h | 2 +- src/swanctl/commands/list_sas.c | 86 +- testing/config/kernel/config-4.0 | 2202 ++++++++++++++++++++ .../hosts/winnetou/etc/openssl/research/index.txt | 3 +- .../winnetou/etc/openssl/research/index.txt.old | 3 +- .../winnetou/etc/openssl/research/newcerts/0B.pem | 25 + testing/hosts/winnetou/etc/openssl/research/serial | 2 +- .../hosts/winnetou/etc/openssl/research/serial.old | 2 +- testing/hosts/winnetou/etc/openssl/sales/index.txt | 3 +- .../hosts/winnetou/etc/openssl/sales/index.txt.old | 3 +- .../winnetou/etc/openssl/sales/newcerts/09.pem | 24 + testing/hosts/winnetou/etc/openssl/sales/serial | 2 +- .../hosts/winnetou/etc/openssl/sales/serial.old | 2 +- testing/scripts/build-baseimage | 4 +- testing/scripts/build-guestkernel | 2 +- testing/scripts/recipes/005_anet.mk | 2 +- testing/scripts/recipes/006_tkm-rpc.mk | 2 +- testing/scripts/recipes/010_tkm.mk | 2 +- testing/scripts/recipes/012_openssl.mk | 2 +- testing/testing.conf | 8 +- testing/tests/af-alg/rw-cert/pretest.dat | 2 +- testing/tests/gcrypt-ikev2/rw-cert/pretest.dat | 2 +- testing/tests/ha/active-passive/description.txt | 8 + testing/tests/ha/active-passive/evaltest.dat | 32 + .../ha/active-passive/hosts/alice/etc/ipsec.conf | 19 + .../hosts/alice/etc/ipsec.d/certs/marsCert.pem | 25 + .../hosts/alice/etc/ipsec.d/private/marsKey.pem | 27 + .../active-passive/hosts/alice/etc/ipsec.secrets | 3 + .../active-passive/hosts/alice/etc/iptables.rules | 57 + .../active-passive/hosts/alice/etc/strongswan.conf | 16 + .../ha/active-passive/hosts/carol/etc/ipsec.conf | 20 + .../active-passive/hosts/carol/etc/strongswan.conf | 5 + .../ha/active-passive/hosts/dave/etc/ipsec.conf | 20 + .../active-passive/hosts/dave/etc/strongswan.conf | 6 + .../ha/active-passive/hosts/moon/etc/ipsec.conf | 19 + .../hosts/moon/etc/ipsec.d/certs/marsCert.pem | 25 + .../hosts/moon/etc/ipsec.d/private/marsKey.pem | 27 + .../ha/active-passive/hosts/moon/etc/ipsec.secrets | 3 + .../active-passive/hosts/moon/etc/iptables.rules | 57 + .../active-passive/hosts/moon/etc/strongswan.conf | 15 + testing/tests/ha/active-passive/posttest.dat | 15 + testing/tests/ha/active-passive/pretest.dat | 21 + testing/tests/ha/active-passive/test.conf | 21 + .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 34 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 50 +- .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 32 +- .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 50 +- .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 34 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 50 +- .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 32 +- .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 50 +- .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 34 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 50 +- .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 32 +- .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 50 +- .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 34 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 50 +- .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 32 +- .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 50 +- .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 34 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 50 +- .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 32 +- .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 50 +- .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 34 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 50 +- .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 32 +- .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 50 +- .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 34 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 50 +- .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 34 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 50 +- .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 34 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 50 +- .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 32 +- .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 50 +- .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 34 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 50 +- .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 32 +- .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 50 +- .../hosts/carol/etc/ipsec.d/certs/carolCert.pem | 34 +- .../hosts/carol/etc/ipsec.d/private/carolKey.pem | 50 +- .../hosts/dave/etc/ipsec.d/certs/daveCert.pem | 32 +- .../hosts/dave/etc/ipsec.d/private/daveKey.pem | 50 +- testing/tests/ikev2/rw-cert/pretest.dat | 2 +- testing/tests/openssl-ikev2/rw-cert/pretest.dat | 2 +- .../tests/openssl-ikev2/rw-suite-b-128/pretest.dat | 2 +- .../tests/openssl-ikev2/rw-suite-b-192/pretest.dat | 2 +- testing/tests/pfkey/rw-cert/pretest.dat | 2 +- .../hosts/carol/etc/ipsec.d/data.sql | 7 +- .../hosts/carol/etc/ipsec.d/data.sql~ | 190 ++ .../multi-level-ca/hosts/dave/etc/ipsec.d/data.sql | 6 +- .../hosts/dave/etc/ipsec.d/data.sql~ | 193 ++ testing/tests/sql/rw-cert/pretest.dat | 2 +- testing/tests/tkm/host2host-initiator/evaltest.dat | 4 +- testing/tests/tkm/host2host-responder/evaltest.dat | 2 +- testing/tests/tkm/host2host-xfrmproxy/evaltest.dat | 2 +- testing/tests/tkm/multiple-clients/evaltest.dat | 4 +- testing/tests/tkm/net2net-initiator/evaltest.dat | 2 +- testing/tests/tkm/net2net-xfrmproxy/evaltest.dat | 2 +- testing/tests/tkm/xfrmproxy-expire/evaltest.dat | 4 +- testing/tests/tnc/tnccs-11-fhh/description.txt | 2 +- .../tnc/tnccs-11-radius-block/description.txt | 4 +- .../tests/tnc/tnccs-11-radius-pts/description.txt | 2 +- testing/tests/tnc/tnccs-11-radius/description.txt | 2 +- .../tests/tnc/tnccs-11-supplicant/description.txt | 2 +- testing/tests/tnc/tnccs-20-fhh/description.txt | 4 +- testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat | 4 + .../hosts/alice/etc/iptables.rules | 6 +- .../hosts/alice/etc/strongswan.conf | 5 + .../hosts/alice/etc/strongswan.conf~ | 34 + .../tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf | 3 + .../hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 3 + testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf | 2 +- 341 files changed, 17882 insertions(+), 3748 deletions(-) create mode 100644 conf/options/imv_policy_manager.conf create mode 100644 conf/options/imv_policy_manager.opt create mode 100644 scripts/timeattack.c create mode 100644 src/libstrongswan/crypto/iv/iv_gen.c create mode 100644 src/libstrongswan/plugins/aesni/Makefile.am create mode 100644 src/libstrongswan/plugins/aesni/Makefile.in create mode 100644 src/libstrongswan/plugins/aesni/aesni_cbc.c create mode 100644 src/libstrongswan/plugins/aesni/aesni_cbc.h create mode 100644 src/libstrongswan/plugins/aesni/aesni_ccm.c create mode 100644 src/libstrongswan/plugins/aesni/aesni_ccm.h create mode 100644 src/libstrongswan/plugins/aesni/aesni_cmac.c create mode 100644 src/libstrongswan/plugins/aesni/aesni_cmac.h create mode 100644 src/libstrongswan/plugins/aesni/aesni_ctr.c create mode 100644 src/libstrongswan/plugins/aesni/aesni_ctr.h create mode 100644 src/libstrongswan/plugins/aesni/aesni_gcm.c create mode 100644 src/libstrongswan/plugins/aesni/aesni_gcm.h create mode 100644 src/libstrongswan/plugins/aesni/aesni_key.c create mode 100644 src/libstrongswan/plugins/aesni/aesni_key.h create mode 100644 src/libstrongswan/plugins/aesni/aesni_plugin.c create mode 100644 src/libstrongswan/plugins/aesni/aesni_plugin.h create mode 100644 src/libstrongswan/plugins/aesni/aesni_xcbc.c create mode 100644 src/libstrongswan/plugins/aesni/aesni_xcbc.h create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/ecp.c create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/ecpbp.c create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/modp.c create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/modpsub.c create mode 100644 src/libstrongswan/utils/cpu_feature.c create mode 100644 src/libstrongswan/utils/cpu_feature.h create mode 100644 src/libstrongswan/utils/utils/align.c create mode 100644 src/libstrongswan/utils/utils/align.h create mode 100644 src/libstrongswan/utils/utils/atomics.c create mode 100644 src/libstrongswan/utils/utils/atomics.h create mode 100644 src/libstrongswan/utils/utils/byteorder.h create mode 100644 src/libstrongswan/utils/utils/memory.c create mode 100644 src/libstrongswan/utils/utils/memory.h create mode 100644 src/libstrongswan/utils/utils/object.h create mode 100644 src/libstrongswan/utils/utils/path.c create mode 100644 src/libstrongswan/utils/utils/path.h create mode 100644 src/libstrongswan/utils/utils/status.c create mode 100644 src/libstrongswan/utils/utils/status.h create mode 100644 src/libstrongswan/utils/utils/string.c create mode 100644 src/libstrongswan/utils/utils/string.h create mode 100644 src/libstrongswan/utils/utils/time.c create mode 100644 src/libstrongswan/utils/utils/time.h create mode 100644 src/libstrongswan/utils/utils/tty.c create mode 100644 src/libstrongswan/utils/utils/tty.h create mode 100644 src/libstrongswan/utils/utils/types.h create mode 100644 testing/config/kernel/config-4.0 create mode 100644 testing/hosts/winnetou/etc/openssl/research/newcerts/0B.pem create mode 100644 testing/hosts/winnetou/etc/openssl/sales/newcerts/09.pem create mode 100644 testing/tests/ha/active-passive/description.txt create mode 100644 testing/tests/ha/active-passive/evaltest.dat create mode 100644 testing/tests/ha/active-passive/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/ha/active-passive/hosts/alice/etc/ipsec.d/certs/marsCert.pem create mode 100644 testing/tests/ha/active-passive/hosts/alice/etc/ipsec.d/private/marsKey.pem create mode 100644 testing/tests/ha/active-passive/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/ha/active-passive/hosts/alice/etc/iptables.rules create mode 100644 testing/tests/ha/active-passive/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/ha/active-passive/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ha/active-passive/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ha/active-passive/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ha/active-passive/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ha/active-passive/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ha/active-passive/hosts/moon/etc/ipsec.d/certs/marsCert.pem create mode 100644 testing/tests/ha/active-passive/hosts/moon/etc/ipsec.d/private/marsKey.pem create mode 100644 testing/tests/ha/active-passive/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ha/active-passive/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/ha/active-passive/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ha/active-passive/posttest.dat create mode 100644 testing/tests/ha/active-passive/pretest.dat create mode 100644 testing/tests/ha/active-passive/test.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql~ create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql~ create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf~ create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf (limited to 'configure') diff --git a/Android.common.mk b/Android.common.mk index d33062aa7..f75efedca 100644 --- a/Android.common.mk +++ b/Android.common.mk @@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \ ) # strongSwan version, replaced by top Makefile -strongswan_VERSION := "5.3.0" +strongswan_VERSION := "5.3.1" diff --git a/Doxyfile.in b/Doxyfile.in index eaf02d7de..7608ffef1 100644 --- a/Doxyfile.in +++ b/Doxyfile.in @@ -416,7 +416,7 @@ EXTRACT_PACKAGE = NO # included in the documentation. # The default value is: NO. -EXTRACT_STATIC = NO +EXTRACT_STATIC = YES # If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) defined # locally in source files will be included in the documentation. If set to NO @@ -683,7 +683,7 @@ CITE_BIB_FILES = # messages are off. # The default value is: NO. -QUIET = NO +QUIET = YES # The WARNINGS tag can be used to turn on/off the warning messages that are # generated to standard error ( stderr) by doxygen. If WARNINGS is set to YES diff --git a/Makefile.am b/Makefile.am index bea4ba7c0..898b26205 100644 --- a/Makefile.am +++ b/Makefile.am @@ -38,7 +38,9 @@ Doxyfile : Doxyfile.in $(srcdir)/$@.in > $@ apidoc : Doxyfile - doxygen + @test -d apidoc || doxygen + @! find Doxyfile $(top_srcdir)/src/ \( -name '*.h' -o -name '*.md' \) -newer apidoc | \ + grep -q '' || doxygen && touch apidoc cov-reset-common: @rm -rf $(top_builddir)/coverage @@ -75,4 +77,4 @@ clean-local: cov-reset-common @find $(top_builddir)/src $(top_builddir)/scripts -name "*.gcno" -delete @rm -rf apidoc -.PHONY: cov-reset-common cov-reset cov-report coverage +.PHONY: cov-reset-common cov-reset cov-report coverage apidoc diff --git a/Makefile.in b/Makefile.in index e10818f54..22286fe9f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1000,7 +1000,9 @@ Doxyfile : Doxyfile.in $(srcdir)/$@.in > $@ apidoc : Doxyfile - doxygen + @test -d apidoc || doxygen + @! find Doxyfile $(top_srcdir)/src/ \( -name '*.h' -o -name '*.md' \) -newer apidoc | \ + grep -q '' || doxygen && touch apidoc cov-reset-common: @rm -rf $(top_builddir)/coverage @@ -1034,7 +1036,7 @@ clean-local: cov-reset-common @find $(top_builddir)/src $(top_builddir)/scripts -name "*.gcno" -delete @rm -rf apidoc -.PHONY: cov-reset-common cov-reset cov-report coverage +.PHONY: cov-reset-common cov-reset cov-report coverage apidoc # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/NEWS b/NEWS index 81a7fc5fc..b2e8cb2e6 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,19 @@ +strongswan-5.3.1 +---------------- + +- Fixed a denial-of-service and potential remote code execution vulnerability + triggered by IKEv1/IKEv2 messages that contain payloads for the respective + other IKE version. Such payload are treated specially since 5.2.2 but because + they were still identified by their original payload type they were used as + such in some places causing invalid function pointer dereferences. + The vulnerability has been registered as CVE-2015-3991. + +- The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and GCM crypto + primitives for AES-128/192/256. The plugin requires AES-NI and PCLMULQDQ + instructions and works on both x86 and x64 architectures. It provides + superior crypto performance in userland without any external libraries. + + strongswan-5.3.0 ---------------- diff --git a/conf/Makefile.am b/conf/Makefile.am index f10af25a2..7cee0cbd6 100644 --- a/conf/Makefile.am +++ b/conf/Makefile.am @@ -14,6 +14,7 @@ options = \ options/charon-logging.opt \ options/charon-systemd.opt \ options/imcv.opt \ + options/imv_policy_manager.opt \ options/manager.opt \ options/medsrv.opt \ options/pacman.opt \ diff --git a/conf/Makefile.in b/conf/Makefile.in index 4b391402a..fb3082b1d 100644 --- a/conf/Makefile.in +++ b/conf/Makefile.in @@ -396,6 +396,7 @@ options = \ options/charon-logging.opt \ options/charon-systemd.opt \ options/imcv.opt \ + options/imv_policy_manager.opt \ options/manager.opt \ options/medsrv.opt \ options/pacman.opt \ diff --git a/conf/options/imv_policy_manager.conf b/conf/options/imv_policy_manager.conf new file mode 100644 index 000000000..8979b28bc --- /dev/null +++ b/conf/options/imv_policy_manager.conf @@ -0,0 +1,18 @@ +imv_policy_manager { + + # Shell command to be executed with recommendation allow. + # command_allow = + + # Shell command to be executed with all other recommendations. + # command_block = + + # Database URI for the database that stores the package information. If it + # contains a password, make sure to adjust the permissions of the config + # file accordingly. + # database = + + # Plugins to load in IMV policy manager. + # load = sqlite + +} + diff --git a/conf/options/imv_policy_manager.opt b/conf/options/imv_policy_manager.opt new file mode 100644 index 000000000..6ed0efc2a --- /dev/null +++ b/conf/options/imv_policy_manager.opt @@ -0,0 +1,13 @@ +imv_policy_manager.database = + Database URI for the database that stores the package information. If it + contains a password, make sure to adjust the permissions of the config file + accordingly. + +imv_policy_manager.load = sqlite + Plugins to load in IMV policy manager. + +imv_policy_manager.command_allow = + Shell command to be executed with recommendation allow. + +imv_policy_manager.command_block = + Shell command to be executed with all other recommendations. diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf index 723bf0a49..6ea341fbe 100644 --- a/conf/plugins/kernel-netlink.conf +++ b/conf/plugins/kernel-netlink.conf @@ -1,5 +1,8 @@ kernel-netlink { + # Buffer size for received Netlink messages. + # buflen = 4096 + # Firewall mark to set on the routing rule that directs traffic to our # routing table. # fwmark = diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt index 800ba20c0..4338a5fbd 100644 --- a/conf/plugins/kernel-netlink.opt +++ b/conf/plugins/kernel-netlink.opt @@ -1,3 +1,6 @@ +charon.plugins.kernel-netlink.buflen = 4096 + Buffer size for received Netlink messages. + charon.plugins.kernel-netlink.fwmark = Firewall mark to set on the routing rule that directs traffic to our routing table. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index b6db9c914..b81b58ca0 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -852,6 +852,10 @@ and plugins can be used to circumvent that problem. +.TP +.BR charon.plugins.kernel-netlink.buflen " [4096]" +Buffer size for received Netlink messages. + .TP .BR charon.plugins.kernel-netlink.fwmark " []" Firewall mark to set on the routing rule that directs traffic to our routing @@ -1660,6 +1664,24 @@ Loglevel for a specific subsystem. Specifies the default loglevel to be used for subsystems for which no specific loglevel is defined. +.TP +.BR imv_policy_manager.command_allow " []" +Shell command to be executed with recommendation allow. + +.TP +.BR imv_policy_manager.command_block " []" +Shell command to be executed with all other recommendations. + +.TP +.BR imv_policy_manager.database " []" +Database URI for the database that stores the package information. If it +contains a password, make sure to adjust the permissions of the config file +accordingly. + +.TP +.BR imv_policy_manager.load " [sqlite]" +Plugins to load in IMV policy manager. + .TP .BR libimcv.debug_level " [1]" Debug level for a stand\-alone diff --git a/config.h.in b/config.h.in index ad095d02e..763340934 100644 --- a/config.h.in +++ b/config.h.in @@ -97,6 +97,9 @@ /* have struct in6_pktinfo.ipi6_ifindex */ #undef HAVE_IN6_PKTINFO +/* have __int128 type support */ +#undef HAVE_INT128 + /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H diff --git a/configure b/configure index 811e45288..a7e5faa97 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for strongSwan 5.3.0. +# Generated by GNU Autoconf 2.69 for strongSwan 5.3.1. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.3.0' -PACKAGE_STRING='strongSwan 5.3.0' +PACKAGE_VERSION='5.3.1' +PACKAGE_STRING='strongSwan 5.3.1' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -963,6 +963,8 @@ USE_NONCE_FALSE USE_NONCE_TRUE USE_RANDOM_FALSE USE_RANDOM_TRUE +USE_AESNI_FALSE +USE_AESNI_TRUE USE_RDRAND_FALSE USE_RDRAND_TRUE USE_GMP_FALSE @@ -1015,9 +1017,13 @@ attest_plugins pool_plugins starter_plugins charon_plugins +PYTHON_EGGS_INSTALL_FALSE +PYTHON_EGGS_INSTALL_TRUE PY_TEST PYTHONEGGINSTALLDIR EASY_INSTALL +RUBY_GEMS_INSTALL_FALSE +RUBY_GEMS_INSTALL_TRUE RUBYGEMDIR GEM COVERAGE_LDFLAGS @@ -1281,6 +1287,7 @@ enable_padlock enable_random enable_rc2 enable_rdrand +enable_aesni enable_sha1 enable_sha2 enable_xcbc @@ -1417,7 +1424,9 @@ enable_load_warning enable_mediation enable_unwind_backtraces enable_ruby_gems +enable_ruby_gems_install enable_python_eggs +enable_python_eggs_install enable_coverage enable_leak_detective enable_lock_profiler @@ -2009,7 +2018,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.3.0 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.3.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2079,7 +2088,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.3.0:";; + short | recursive ) echo "Configuration of strongSwan 5.3.1:";; esac cat <<\_ACEOF @@ -2112,6 +2121,7 @@ Optional Features: --disable-random disable RNG implementation on top of /dev/(u)random. --disable-rc2 disable RC2 software implementation plugin. --enable-rdrand enable Intel RDRAND random generator plugin. + --enable-aesni enable Intel AES-NI crypto plugin. --disable-sha1 disable SHA1 software implementation plugin. --disable-sha2 disable SHA256/SHA384/SHA512 software implementation plugin. @@ -2293,8 +2303,12 @@ Optional Features: --enable-unwind-backtraces use libunwind to create backtraces for memory leaks and segfaults. - --enable-ruby-gems enable installation of provided ruby gems. - --enable-python-eggs enable installation of provided python eggs. + --enable-ruby-gems enable build of provided ruby gems. + --enable-ruby-gems-install + enable installation of provided ruby gems. + --enable-python-eggs enable build of provided python eggs. + --enable-python-eggs-install + enable installation of provided python eggs. --enable-coverage enable lcov coverage report generation. --enable-leak-detective enable malloc hooks to find memory leaks. --enable-lock-profiler enable lock/mutex profiling code. @@ -2512,7 +2526,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.3.0 +strongSwan configure 5.3.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3034,7 +3048,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.3.0, which was +It was created by strongSwan $as_me 5.3.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3897,7 +3911,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.3.0' + VERSION='5.3.1' cat >>confdefs.h <<_ACEOF @@ -5102,6 +5116,22 @@ fi disabled_by_default=${disabled_by_default}" rdrand" +# Check whether --enable-aesni was given. +if test "${enable_aesni+set}" = set; then : + enableval=$enable_aesni; aesni_given=true + if test x$enableval = xyes; then + aesni=true + else + aesni=false + fi +else + aesni=false + aesni_given=false + +fi + + disabled_by_default=${disabled_by_default}" aesni" + # Check whether --enable-sha1 was given. if test "${enable_sha1+set}" = set; then : enableval=$enable_sha1; sha1_given=true @@ -7289,6 +7319,22 @@ fi disabled_by_default=${disabled_by_default}" ruby_gems" +# Check whether --enable-ruby-gems-install was given. +if test "${enable_ruby_gems_install+set}" = set; then : + enableval=$enable_ruby_gems_install; ruby_gems_install_given=true + if test x$enableval = xyes; then + ruby_gems_install=true + else + ruby_gems_install=false + fi +else + ruby_gems_install=false + ruby_gems_install_given=false + +fi + + disabled_by_default=${disabled_by_default}" ruby_gems_install" + # Check whether --enable-python-eggs was given. if test "${enable_python_eggs+set}" = set; then : enableval=$enable_python_eggs; python_eggs_given=true @@ -7305,6 +7351,22 @@ fi disabled_by_default=${disabled_by_default}" python_eggs" +# Check whether --enable-python-eggs-install was given. +if test "${enable_python_eggs_install+set}" = set; then : + enableval=$enable_python_eggs_install; python_eggs_install_given=true + if test x$enableval = xyes; then + python_eggs_install=true + else + python_eggs_install=false + fi +else + python_eggs_install=false + python_eggs_install_given=false + +fi + + disabled_by_default=${disabled_by_default}" python_eggs_install" + # compile options # Check whether --enable-coverage was given. if test "${enable_coverage+set}" = set; then : @@ -17175,6 +17237,14 @@ if test x$medcli = xtrue; then mediation=true fi +if test x$ruby_gems_install = xtrue; then + ruby_gems=true +fi + +if test x$python_eggs_install = xtrue; then + python_eggs=true +fi + # =========================================== # check required libraries and header files # =========================================== @@ -18437,6 +18507,33 @@ $as_echo "no" >&6; } fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for __int128" >&5 +$as_echo_n "checking for __int128... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +__int128 x = 0; + return x; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; }; + +$as_echo "#define HAVE_INT128 /**/" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GCC __sync operations" >&5 $as_echo_n "checking for GCC __sync operations... " >&6; } if test "$cross_compiling" = yes; then : @@ -21529,9 +21626,18 @@ fi RUBYGEMDIR="$rubygemdir" fi + if test "x$ruby_gems_install" = xtrue; then + RUBY_GEMS_INSTALL_TRUE= + RUBY_GEMS_INSTALL_FALSE='#' +else + RUBY_GEMS_INSTALL_TRUE='#' + RUBY_GEMS_INSTALL_FALSE= +fi + if test x$python_eggs = xtrue; then - # Extract the first word of "easy_install", so it can be a program name with args. + if test x$python_eggs_install = xtrue; then + # Extract the first word of "easy_install", so it can be a program name with args. set dummy easy_install; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } @@ -21572,8 +21678,9 @@ $as_echo "no" >&6; } fi - if test x$EASY_INSTALL = x; then - as_fn_error $? "Python easy_install not found" "$LINENO" 5 + if test x$EASY_INSTALL = x; then + as_fn_error $? "Python easy_install not found" "$LINENO" 5 + fi fi if test "x$pythoneggdir" = "xmain site-packages directory"; then PYTHONEGGINSTALLDIR="" @@ -21624,6 +21731,14 @@ fi fi + if test "x$python_eggs_install" = xtrue; then + PYTHON_EGGS_INSTALL_TRUE= + PYTHON_EGGS_INSTALL_FALSE='#' +else + PYTHON_EGGS_INSTALL_TRUE='#' + PYTHON_EGGS_INSTALL_FALSE= +fi + # =============================================== # collect plugin list for strongSwan components @@ -21690,6 +21805,20 @@ if test x$pkcs11 = xtrue; then fi +if test x$aesni = xtrue; then + s_plugins=${s_plugins}" aesni" + charon_plugins=${charon_plugins}" aesni" + scepclient_plugins=${scepclient_plugins}" aesni" + pki_plugins=${pki_plugins}" aesni" + scripts_plugins=${scripts_plugins}" aesni" + medsrv_plugins=${medsrv_plugins}" aesni" + attest_plugins=${attest_plugins}" aesni" + nm_plugins=${nm_plugins}" aesni" + cmd_plugins=${cmd_plugins}" aesni" + aikgen_plugins=${aikgen_plugins}" aesni" + + fi + if test x$aes = xtrue; then s_plugins=${s_plugins}" aes" charon_plugins=${charon_plugins}" aes" @@ -22817,6 +22946,14 @@ else USE_RDRAND_FALSE= fi + if test x$aesni = xtrue; then + USE_AESNI_TRUE= + USE_AESNI_FALSE='#' +else + USE_AESNI_TRUE='#' + USE_AESNI_FALSE= +fi + if test x$random = xtrue; then USE_RANDOM_TRUE= USE_RANDOM_FALSE='#' @@ -24229,7 +24366,7 @@ fi # build Makefiles # ================= -ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/tests/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/tests/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" # ================= @@ -24385,6 +24522,14 @@ if test -z "${USE_DEV_HEADERS_TRUE}" && test -z "${USE_DEV_HEADERS_FALSE}"; then as_fn_error $? "conditional \"USE_DEV_HEADERS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${RUBY_GEMS_INSTALL_TRUE}" && test -z "${RUBY_GEMS_INSTALL_FALSE}"; then + as_fn_error $? "conditional \"RUBY_GEMS_INSTALL\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${PYTHON_EGGS_INSTALL_TRUE}" && test -z "${PYTHON_EGGS_INSTALL_FALSE}"; then + as_fn_error $? "conditional \"PYTHON_EGGS_INSTALL\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_TEST_VECTORS_TRUE}" && test -z "${USE_TEST_VECTORS_FALSE}"; then as_fn_error $? "conditional \"USE_TEST_VECTORS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -24457,6 +24602,10 @@ if test -z "${USE_RDRAND_TRUE}" && test -z "${USE_RDRAND_FALSE}"; then as_fn_error $? "conditional \"USE_RDRAND\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_AESNI_TRUE}" && test -z "${USE_AESNI_FALSE}"; then + as_fn_error $? "conditional \"USE_AESNI\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_RANDOM_TRUE}" && test -z "${USE_RANDOM_FALSE}"; then as_fn_error $? "conditional \"USE_RANDOM\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -25514,7 +25663,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.3.0, which was +This file was extended by strongSwan $as_me 5.3.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -25580,7 +25729,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 5.3.0 +strongSwan config.status 5.3.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -26010,6 +26159,7 @@ do "src/libstrongswan/plugins/fips_prf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/fips_prf/Makefile" ;; "src/libstrongswan/plugins/gmp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gmp/Makefile" ;; "src/libstrongswan/plugins/rdrand/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/rdrand/Makefile" ;; + "src/libstrongswan/plugins/aesni/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/aesni/Makefile" ;; "src/libstrongswan/plugins/random/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/random/Makefile" ;; "src/libstrongswan/plugins/nonce/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/nonce/Makefile" ;; "src/libstrongswan/plugins/hmac/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/hmac/Makefile" ;; diff --git a/configure.ac b/configure.ac index 73c288495..d8278db54 100644 --- a/configure.ac +++ b/configure.ac @@ -19,7 +19,7 @@ # initialize & set some vars # ============================ -AC_INIT([strongSwan],[5.3.0]) +AC_INIT([strongSwan],[5.3.1]) AM_INIT_AUTOMAKE(m4_esyscmd([ echo tar-ustar echo subdir-objects @@ -144,6 +144,7 @@ ARG_ENABL_SET([padlock], [enables VIA Padlock crypto plugin.]) ARG_DISBL_SET([random], [disable RNG implementation on top of /dev/(u)random.]) ARG_DISBL_SET([rc2], [disable RC2 software implementation plugin.]) ARG_ENABL_SET([rdrand], [enable Intel RDRAND random generator plugin.]) +ARG_ENABL_SET([aesni], [enable Intel AES-NI crypto plugin.]) ARG_DISBL_SET([sha1], [disable SHA1 software implementation plugin.]) ARG_DISBL_SET([sha2], [disable SHA256/SHA384/SHA512 software implementation plugin.]) ARG_DISBL_SET([xcbc], [disable xcbc crypto implementation plugin.]) @@ -290,8 +291,10 @@ ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and p ARG_DISBL_SET([load-warning], [disable the charon plugin load option warning in starter.]) ARG_ENABL_SET([mediation], [enable IKEv2 Mediation Extension.]) ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.]) -ARG_ENABL_SET([ruby-gems], [enable installation of provided ruby gems.]) -ARG_ENABL_SET([python-eggs], [enable installation of provided python eggs.]) +ARG_ENABL_SET([ruby-gems], [enable build of provided ruby gems.]) +ARG_ENABL_SET([ruby-gems-install],[enable installation of provided ruby gems.]) +ARG_ENABL_SET([python-eggs], [enable build of provided python eggs.]) +ARG_ENABL_SET([python-eggs-install],[enable installation of provided python eggs.]) # compile options ARG_ENABL_SET([coverage], [enable lcov coverage report generation.]) ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.]) @@ -432,6 +435,14 @@ if test x$medcli = xtrue; then mediation=true fi +if test x$ruby_gems_install = xtrue; then + ruby_gems=true +fi + +if test x$python_eggs_install = xtrue; then + python_eggs=true +fi + # =========================================== # check required libraries and header files # =========================================== @@ -697,6 +708,17 @@ AC_COMPILE_IFELSE( [AC_MSG_RESULT([no])] ) +AC_MSG_CHECKING([for __int128]) +AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[#include ]], + [[__int128 x = 0; + return x;]])], + [AC_MSG_RESULT([yes]); + AC_DEFINE([HAVE_INT128], [], [have __int128 type support])], + [AC_MSG_RESULT([no])] +) + AC_MSG_CHECKING([for GCC __sync operations]) AC_RUN_IFELSE([AC_LANG_SOURCE( [[ @@ -1187,11 +1209,14 @@ if test x$ruby_gems = xtrue; then fi AC_SUBST(RUBYGEMDIR, "$rubygemdir") fi +AM_CONDITIONAL(RUBY_GEMS_INSTALL, [test "x$ruby_gems_install" = xtrue]) if test x$python_eggs = xtrue; then - AC_PATH_PROG([EASY_INSTALL], [easy_install], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) - if test x$EASY_INSTALL = x; then - AC_MSG_ERROR(Python easy_install not found) + if test x$python_eggs_install = xtrue; then + AC_PATH_PROG([EASY_INSTALL], [easy_install], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) + if test x$EASY_INSTALL = x; then + AC_MSG_ERROR(Python easy_install not found) + fi fi if test "x$pythoneggdir" = "xmain site-packages directory"; then AC_SUBST(PYTHONEGGINSTALLDIR, "") @@ -1200,6 +1225,7 @@ if test x$python_eggs = xtrue; then fi AC_PATH_PROG([PY_TEST], [py.test], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) fi +AM_CONDITIONAL(PYTHON_EGGS_INSTALL, [test "x$python_eggs_install" = xtrue]) # =============================================== # collect plugin list for strongSwan components @@ -1232,6 +1258,7 @@ ADD_PLUGIN([test-vectors], [s charon scepclient pki]) ADD_PLUGIN([unbound], [s charon scripts]) ADD_PLUGIN([ldap], [s charon scepclient scripts nm cmd]) ADD_PLUGIN([pkcs11], [s charon pki nm cmd]) +ADD_PLUGIN([aesni], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) ADD_PLUGIN([aes], [s charon scepclient pki scripts nm cmd]) ADD_PLUGIN([des], [s charon scepclient pki scripts nm cmd]) ADD_PLUGIN([blowfish], [s charon scepclient pki scripts nm cmd]) @@ -1395,6 +1422,7 @@ AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue) AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue) AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue) AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue) +AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue) AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue) AM_CONDITIONAL(USE_NONCE, test x$nonce = xtrue) AM_CONDITIONAL(USE_X509, test x$x509 = xtrue) @@ -1638,6 +1666,7 @@ AC_CONFIG_FILES([ src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile + src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile diff --git a/init/Makefile.am b/init/Makefile.am index a72706c99..6fff4221b 100644 --- a/init/Makefile.am +++ b/init/Makefile.am @@ -2,8 +2,10 @@ SUBDIRS = if USE_LEGACY_SYSTEMD +if USE_CHARON SUBDIRS += systemd endif +endif if USE_SYSTEMD if USE_SWANCTL diff --git a/init/Makefile.in b/init/Makefile.in index 18c69f1b0..883d42403 100644 --- a/init/Makefile.in +++ b/init/Makefile.in @@ -77,7 +77,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@USE_LEGACY_SYSTEMD_TRUE@am__append_1 = systemd +@USE_CHARON_TRUE@@USE_LEGACY_SYSTEMD_TRUE@am__append_1 = systemd @USE_SWANCTL_TRUE@@USE_SYSTEMD_TRUE@am__append_2 = systemd-swanctl subdir = init DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 39c3b2b79..6501217bd 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -237,7 +237,7 @@ or .B esp keyword may be used, AH+ESP bundles are not supported. -There is no default, by default ESP is used. +There is no default AH cipher suite since by default ESP is used. The daemon adds its extensive default proposal to the configured value. To restrict it to the configured proposal an exclamation mark diff --git a/scripts/Makefile.am b/scripts/Makefile.am index abc6d75dd..c5155efc2 100644 --- a/scripts/Makefile.am +++ b/scripts/Makefile.am @@ -5,7 +5,7 @@ AM_CPPFLAGS = \ noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \ thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch \ - dnssec malloc_speed aes-test settings-test + dnssec malloc_speed aes-test settings-test timeattack if USE_TLS noinst_PROGRAMS += tls_test @@ -28,6 +28,7 @@ hash_burn_SOURCES = hash_burn.c malloc_speed_SOURCES = malloc_speed.c fetch_SOURCES = fetch.c dnssec_SOURCES = dnssec.c +timeattack_SOURCES = timeattack.c id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la @@ -41,6 +42,7 @@ fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la aes_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la settings_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +timeattack_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la key2keyid.o : $(top_builddir)/config.status diff --git a/scripts/Makefile.in b/scripts/Makefile.in index d28783b4c..b03ff9d4f 100644 --- a/scripts/Makefile.in +++ b/scripts/Makefile.in @@ -83,7 +83,8 @@ noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \ thread_analysis$(EXEEXT) dh_speed$(EXEEXT) \ pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) hash_burn$(EXEEXT) \ fetch$(EXEEXT) dnssec$(EXEEXT) malloc_speed$(EXEEXT) \ - aes-test$(EXEEXT) settings-test$(EXEEXT) $(am__EXEEXT_1) + aes-test$(EXEEXT) settings-test$(EXEEXT) timeattack$(EXEEXT) \ + $(am__EXEEXT_1) @USE_TLS_TRUE@am__append_1 = tls_test subdir = scripts DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ @@ -176,6 +177,10 @@ settings_test_DEPENDENCIES = \ am_thread_analysis_OBJECTS = thread_analysis.$(OBJEXT) thread_analysis_OBJECTS = $(am_thread_analysis_OBJECTS) thread_analysis_LDADD = $(LDADD) +am_timeattack_OBJECTS = timeattack.$(OBJEXT) +timeattack_OBJECTS = $(am_timeattack_OBJECTS) +timeattack_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la am__tls_test_SOURCES_DIST = tls_test.c @USE_TLS_TRUE@am_tls_test_OBJECTS = tls_test.$(OBJEXT) tls_test_OBJECTS = $(am_tls_test_OBJECTS) @@ -221,14 +226,16 @@ SOURCES = aes-test.c $(bin2array_SOURCES) $(bin2sql_SOURCES) \ $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ $(malloc_speed_SOURCES) $(oid2der_SOURCES) \ $(pubkey_speed_SOURCES) settings-test.c \ - $(thread_analysis_SOURCES) $(tls_test_SOURCES) + $(thread_analysis_SOURCES) $(timeattack_SOURCES) \ + $(tls_test_SOURCES) DIST_SOURCES = aes-test.c $(bin2array_SOURCES) $(bin2sql_SOURCES) \ $(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(dnssec_SOURCES) \ $(fetch_SOURCES) $(hash_burn_SOURCES) $(id2sql_SOURCES) \ $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ $(malloc_speed_SOURCES) $(oid2der_SOURCES) \ $(pubkey_speed_SOURCES) settings-test.c \ - $(thread_analysis_SOURCES) $(am__tls_test_SOURCES_DIST) + $(thread_analysis_SOURCES) $(timeattack_SOURCES) \ + $(am__tls_test_SOURCES_DIST) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -502,6 +509,7 @@ hash_burn_SOURCES = hash_burn.c malloc_speed_SOURCES = malloc_speed.c fetch_SOURCES = fetch.c dnssec_SOURCES = dnssec.c +timeattack_SOURCES = timeattack.c id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la @@ -515,6 +523,7 @@ fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la aes_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la settings_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +timeattack_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la all: all-am .SUFFIXES: @@ -623,6 +632,10 @@ thread_analysis$(EXEEXT): $(thread_analysis_OBJECTS) $(thread_analysis_DEPENDENC @rm -f thread_analysis$(EXEEXT) $(AM_V_CCLD)$(LINK) $(thread_analysis_OBJECTS) $(thread_analysis_LDADD) $(LIBS) +timeattack$(EXEEXT): $(timeattack_OBJECTS) $(timeattack_DEPENDENCIES) $(EXTRA_timeattack_DEPENDENCIES) + @rm -f timeattack$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(timeattack_OBJECTS) $(timeattack_LDADD) $(LIBS) + tls_test$(EXEEXT): $(tls_test_OBJECTS) $(tls_test_DEPENDENCIES) $(EXTRA_tls_test_DEPENDENCIES) @rm -f tls_test$(EXEEXT) $(AM_V_CCLD)$(LINK) $(tls_test_OBJECTS) $(tls_test_LDADD) $(LIBS) @@ -649,6 +662,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_speed.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/settings-test.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_analysis.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timeattack.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_test.Po@am__quote@ .c.o: diff --git a/scripts/crypt_burn.c b/scripts/crypt_burn.c index 1768d769b..3bd36d2dc 100644 --- a/scripts/crypt_burn.c +++ b/scripts/crypt_burn.c @@ -16,34 +16,190 @@ #include #include -int main(int argc, char *argv[]) +static int burn_crypter(const proposal_token_t *token, u_int limit, u_int len) { - const proposal_token_t *token; - aead_t *aead; + chunk_t iv, key, data; crypter_t *crypter; - char buffer[1024], assoc[8], iv[32]; - size_t bs; - int i = 0, limit = 0; + int i = 0; + bool ok; + + crypter = lib->crypto->create_crypter(lib->crypto, token->algorithm, + token->keysize / 8); + if (!crypter) + { + fprintf(stderr, "%N-%zu not supported\n", + encryption_algorithm_names, token->algorithm, token->keysize); + return FALSE; + } + + iv = chunk_alloc(crypter->get_iv_size(crypter)); + memset(iv.ptr, 0xFF, iv.len); + data = chunk_alloc(round_up(len, crypter->get_block_size(crypter))); + memset(data.ptr, 0xDD, data.len); + key = chunk_alloc(crypter->get_key_size(crypter)); + memset(key.ptr, 0xAA, key.len); + + ok = crypter->set_key(crypter, key); + while (ok) + { + if (!crypter->encrypt(crypter, data, iv, NULL)) + { + fprintf(stderr, "encryption failed!\n"); + ok = FALSE; + break; + } + if (!crypter->decrypt(crypter, data, iv, NULL)) + { + fprintf(stderr, "decryption failed!\n"); + ok = FALSE; + break; + } + if (limit && ++i == limit) + { + break; + } + } + crypter->destroy(crypter); + + free(iv.ptr); + free(data.ptr); + free(key.ptr); + + return ok; +} + +static bool burn_aead(const proposal_token_t *token, u_int limit, u_int len) +{ + chunk_t iv, key, data, dataicv, assoc; + aead_t *aead; + int i = 0; + bool ok; + + aead = lib->crypto->create_aead(lib->crypto, token->algorithm, + token->keysize / 8, 0); + if (!aead) + { + fprintf(stderr, "%N-%zu not supported\n", + encryption_algorithm_names, token->algorithm, token->keysize); + return FALSE; + } + + iv = chunk_alloc(aead->get_iv_size(aead)); + memset(iv.ptr, 0xFF, iv.len); + dataicv = chunk_alloc(round_up(len, aead->get_block_size(aead)) + + aead->get_icv_size(aead)); + data = chunk_create(dataicv.ptr, dataicv.len - aead->get_icv_size(aead)); + memset(data.ptr, 0xDD, data.len); + assoc = chunk_alloc(13); + memset(assoc.ptr, 0xCC, assoc.len); + key = chunk_alloc(aead->get_key_size(aead)); + memset(key.ptr, 0xAA, key.len); + + ok = aead->set_key(aead, key); + while (ok) + { + if (!aead->encrypt(aead, data, assoc, iv, NULL)) + { + fprintf(stderr, "aead encryption failed!\n"); + ok = FALSE; + break; + } + if (!aead->decrypt(aead, dataicv, assoc, iv, NULL)) + { + fprintf(stderr, "aead integrity check failed!\n"); + ok = FALSE; + break; + } + if (limit && ++i == limit) + { + break; + } + } + aead->destroy(aead); + + free(iv.ptr); + free(data.ptr); + free(key.ptr); + free(assoc.ptr); + + return ok; +} + +static int burn_signer(const proposal_token_t *token, u_int limit, u_int len) +{ + chunk_t key, data, sig; + signer_t *signer; + int i = 0; + bool ok; + + signer = lib->crypto->create_signer(lib->crypto, token->algorithm); + if (!signer) + { + fprintf(stderr, "%N not supported\n", + integrity_algorithm_names, token->algorithm); + return FALSE; + } + + data = chunk_alloc(len); + memset(data.ptr, 0xDD, data.len); + key = chunk_alloc(signer->get_key_size(signer)); + memset(key.ptr, 0xAA, key.len); + sig = chunk_alloc(signer->get_block_size(signer)); + + ok = signer->set_key(signer, key); + while (ok) + { + if (!signer->get_signature(signer, data, sig.ptr)) + { + fprintf(stderr, "creating signature failed!\n"); + ok = FALSE; + break; + } + if (!signer->verify_signature(signer, data, sig)) + { + fprintf(stderr, "verifying signature failed!\n"); + ok = FALSE; + break; + } + if (limit && ++i == limit) + { + break; + } + } + signer->destroy(signer); + free(data.ptr); + free(key.ptr); + free(sig.ptr); + + return ok; +} + +int main(int argc, char *argv[]) +{ + const proposal_token_t *token; + u_int limit = 0, len = 1024; + bool ok; library_init(NULL, "crypt_burn"); - lib->plugins->load(lib->plugins, PLUGINS); + lib->plugins->load(lib->plugins, getenv("PLUGINS") ?: PLUGINS); atexit(library_deinit); - printf("loaded: %s\n", PLUGINS); - - memset(buffer, 0x12, sizeof(buffer)); - memset(assoc, 0x34, sizeof(assoc)); - memset(iv, 0x56, sizeof(iv)); + fprintf(stderr, "loaded: %s\n", lib->plugins->loaded_plugins(lib->plugins)); if (argc < 2) { - fprintf(stderr, "usage: %s !\n", argv[0]); + fprintf(stderr, "usage: %s [buflen=%u] [rounds=%u]\n", + argv[0], len, limit); return 1; } if (argc > 2) { - limit = atoi(argv[2]); + len = atoi(argv[2]); + } + if (argc > 3) + { + limit = atoi(argv[3]); } token = lib->proposal->get_token(lib->proposal, argv[1]); @@ -52,76 +208,26 @@ int main(int argc, char *argv[]) fprintf(stderr, "algorithm '%s' unknown!\n", argv[1]); return 1; } - if (token->type != ENCRYPTION_ALGORITHM) - { - fprintf(stderr, "'%s' is not an encryption/aead algorithm!\n", argv[1]); - return 1; - } - if (encryption_algorithm_is_aead(token->algorithm)) + switch (token->type) { - aead = lib->crypto->create_aead(lib->crypto, - token->algorithm, token->keysize / 8, 0); - if (!aead) - { - fprintf(stderr, "aead '%s' not supported!\n", argv[1]); - return 1; - } - while (TRUE) - { - if (!aead->encrypt(aead, - chunk_create(buffer, sizeof(buffer) - aead->get_icv_size(aead)), - chunk_from_thing(assoc), - chunk_create(iv, aead->get_iv_size(aead)), NULL)) + case ENCRYPTION_ALGORITHM: + if (encryption_algorithm_is_aead(token->algorithm)) { - fprintf(stderr, "aead encryption failed!\n"); - return 1; + ok = burn_aead(token, limit, len); } - if (!aead->decrypt(aead, chunk_create(buffer, sizeof(buffer)), - chunk_from_thing(assoc), - chunk_create(iv, aead->get_iv_size(aead)), NULL)) + else { - fprintf(stderr, "aead integrity check failed!\n"); - return 1; + ok = burn_crypter(token, limit, len); } - if (limit && ++i == limit) - { - break; - } - } - aead->destroy(aead); - } - else - { - crypter = lib->crypto->create_crypter(lib->crypto, - token->algorithm, token->keysize / 8); - if (!crypter) - { - fprintf(stderr, "crypter '%s' not supported!\n", argv[1]); - return 1; - } - bs = crypter->get_block_size(crypter); - - while (TRUE) - { - if (!crypter->encrypt(crypter, - chunk_create(buffer, sizeof(buffer) / bs * bs), - chunk_create(iv, crypter->get_iv_size(crypter)), NULL)) - { - continue; - } - if (!crypter->decrypt(crypter, - chunk_create(buffer, sizeof(buffer) / bs * bs), - chunk_create(iv, crypter->get_iv_size(crypter)), NULL)) - { - continue; - } - if (limit && ++i == limit) - { - break; - } - } - crypter->destroy(crypter); + break; + case INTEGRITY_ALGORITHM: + ok = burn_signer(token, limit, len); + break; + default: + fprintf(stderr, "'%s' is not a crypter/aead algorithm!\n", argv[1]); + ok = FALSE; + break; } - return 0; + return !ok; } diff --git a/scripts/timeattack.c b/scripts/timeattack.c new file mode 100644 index 000000000..ef00e8c4e --- /dev/null +++ b/scripts/timeattack.c @@ -0,0 +1,418 @@ +#include +#include + +#include + +typedef bool (*attackfn_t)(void *subj, u_char *data, size_t len); + +static void start_timing(struct timespec *start) +{ + clock_gettime(CLOCK_PROCESS_CPUTIME_ID, start); +} + +static u_int64_t end_timing(struct timespec *start) +{ + struct timespec end; + + clock_gettime(CLOCK_THREAD_CPUTIME_ID, &end); + return (end.tv_nsec - start->tv_nsec) + + (end.tv_sec - start->tv_sec) * 1000000000; +} + +static int intcmp(const void *a, const void *b) +{ + return *(u_int64_t*)a - *(u_int64_t*)b; +} + +static u_int64_t median(u_int64_t *m, int count) +{ + qsort(m, count, sizeof(u_int64_t), intcmp); + return m[count / 2]; +} + +static bool timeattack(attackfn_t attackfn, void *subj, size_t dlen, + u_int iterations, u_int distance) +{ + struct timespec start; + u_char test[dlen]; + u_int64_t mini, maxi, t[256], m[256][10]; + float fastdist = 0, slowdist = 0; + int i, j, k, l, byte, limit, retry = 0; + int fastest = 0, slowest = 0; + + memset(test, 0, dlen); + + /* do some iterations to fill caches */ + for (i = 0; i < iterations; i++) + { + attackfn(subj, test, dlen); + } + + for (byte = 0; byte < dlen;) + { + memset(t, 0, sizeof(t)); + memset(m, 0, sizeof(m)); + + limit = iterations * (retry + 1); + + /* measure timing for all patterns in next byte */ + for (k = 0; k < 10; k++) + { + for (j = 0; j < 256; j++) + { + for (l = 0; l < 100; l++) + { + test[byte] = j; + start_timing(&start); + for (i = 0; i < limit; i++) + { + attackfn(subj, test, dlen); + } + m[j][k] += end_timing(&start); + } + } + } + + for (j = 0; j < 256; j++) + { + t[j] = median(m[j], countof(m[j])); + } + + /* find fastest/slowest runs */ + mini = ~0; + maxi = 0; + for (j = 0; j < 256; j++) + { + if (t[j] < mini) + { + mini = min(t[j], mini); + fastest = j; + } + if (t[j] > maxi) + { + maxi = max(t[j], maxi); + slowest = j; + } + } + /* calculate distance to next result */ + mini = ~0; + maxi = 0; + for (j = 0; j < 256; j++) + { + if (fastest != j && t[j] < mini) + { + mini = min(t[j], mini); + fastdist = (float)(t[j] - t[fastest]) / distance; + } + if (slowest != j && t[j] > maxi) + { + maxi = max(t[j], maxi); + slowdist = (float)(t[slowest] - t[j]) / distance; + } + } + if (fastdist > 1.0f) + { + fprintf(stderr, "byte %02d: %02x (fastest, dist %02.2f)\n", + byte, fastest, fastdist); + test[byte] = fastest; + retry = 0; + byte++; + } + else if (slowdist > 1.0f) + { + fprintf(stderr, "byte %02d: %02x (slowest, dist %02.2f)\n", + byte, slowest, slowdist); + test[byte] = slowest; + retry = 0; + byte++; + } + else + { + if (retry++ > 5 && byte > 0) + { + fprintf(stderr, "distance fastest %02.2f (%02x), " + "slowest %02.2f (%02x), stepping back\n", + fastdist, fastest, slowdist, slowest); + test[byte--] = 0; + } + else if (retry < 10) + { + fprintf(stderr, "distance fastest %02.2f (%02x), " + "slowest %02.2f (%02x), retrying (%d)\n", + fastdist, fastest, slowdist, slowest, retry); + } + else + { + printf("attack failed, giving up\n"); + return FALSE; + } + } + } + if (attackfn(subj, test, dlen)) + { + printf("attack successful with %b\n", test, dlen); + return TRUE; + } + printf("attack failed with %b\n", test, dlen); + return FALSE; +} + +CALLBACK(attack_memeq1, bool, + u_char *subj, u_char *data, size_t len) +{ + return memeq(data, subj, len); +} + +CALLBACK(attack_memeq2, bool, + u_char *subj, u_char *data, size_t len) +{ + return memeq(subj, data, len); +} + +CALLBACK(attack_memeq3, bool, + u_char *subj, u_char *data, size_t len) +{ + int i; + + for (i = 0; i < len; i++) + { + if (subj[i] != data[i]) + { + return FALSE; + } + } + return TRUE; +} + +CALLBACK(attack_memeq4, bool, + u_char *subj, u_char *data, size_t len) +{ + int i, m = 0; + + for (i = 0; i < len; i++) + { + m |= subj[i] != data[i]; + } + return !m; +} + +CALLBACK(attack_memeq5, bool, + u_char *subj, u_char *data, size_t len) +{ + return memeq_const(subj, data, len); +} + +static bool attack_memeq(char *name, u_int iterations, u_int distance) +{ + struct { + char *name; + attackfn_t fn; + } attacks[] = { + { "memeq1", attack_memeq1 }, + { "memeq2", attack_memeq2 }, + { "memeq3", attack_memeq3 }, + { "memeq4", attack_memeq4 }, + { "memeq5", attack_memeq5 }, + }; + u_char exp[16]; + int i; + + srandom(time(NULL)); + for (i = 0; i < sizeof(exp); i++) + { + exp[i] = random(); + } + fprintf(stderr, "attacking %b\n", exp, sizeof(exp)); + + for (i = 0; i < countof(attacks); i++) + { + if (streq(name, attacks[i].name)) + { + return timeattack(attacks[i].fn, exp, sizeof(exp), + iterations, distance); + } + } + return FALSE; +} + +CALLBACK(attack_chunk1, bool, + u_char *subj, u_char *data, size_t len) +{ + return chunk_equals(chunk_create(subj, len), chunk_create(data, len)); +} + +CALLBACK(attack_chunk2, bool, + u_char *subj, u_char *data, size_t len) +{ + return chunk_equals_const(chunk_create(subj, len), chunk_create(data, len)); +} + +static bool attack_chunk(char *name, u_int iterations, u_int distance) +{ + struct { + char *name; + attackfn_t fn; + } attacks[] = { + { "chunk1", attack_chunk1 }, + { "chunk2", attack_chunk2 }, + }; + u_char exp[16]; + int i; + + srandom(time(NULL)); + for (i = 0; i < sizeof(exp); i++) + { + exp[i] = random(); + } + fprintf(stderr, "attacking %b\n", exp, sizeof(exp)); + + for (i = 0; i < countof(attacks); i++) + { + if (streq(name, attacks[i].name)) + { + return timeattack(attacks[i].fn, exp, sizeof(exp), + iterations, distance); + } + } + return FALSE; +} + +CALLBACK(attack_aead, bool, + aead_t *aead, u_char *data, size_t len) +{ + u_char iv[aead->get_iv_size(aead)]; + + memset(iv, 0, sizeof(iv)); + return aead->decrypt(aead, chunk_create(data, len), chunk_empty, + chunk_from_thing(iv), NULL); +} + +static bool attack_aeads(encryption_algorithm_t alg, size_t key_size, + u_int iterations, u_int distance) +{ + u_char buf[64]; + aead_t *aead; + bool res; + + aead = lib->crypto->create_aead(lib->crypto, alg, key_size, 0); + if (!aead) + { + fprintf(stderr, "creating AEAD %N failed\n", + encryption_algorithm_names, alg); + return FALSE; + } + memset(buf, 0xe3, sizeof(buf)); + if (!aead->set_key(aead, chunk_create(buf, aead->get_key_size(aead)))) + { + aead->destroy(aead); + return FALSE; + } + memset(buf, 0, aead->get_iv_size(aead)); + if (!aead->encrypt(aead, chunk_create(buf, 0), chunk_empty, + chunk_create(buf, aead->get_iv_size(aead)), NULL)) + { + aead->destroy(aead); + return FALSE; + } + fprintf(stderr, "attacking %b\n", buf, aead->get_icv_size(aead)); + + res = timeattack(attack_aead, aead, aead->get_icv_size(aead), + iterations, distance); + aead->destroy(aead); + return res; +} + +CALLBACK(attack_signer, bool, + signer_t *signer, u_char *data, size_t len) +{ + return signer->verify_signature(signer, chunk_empty, chunk_create(data, len)); +} + +static bool attack_signers(integrity_algorithm_t alg, + u_int iterations, u_int distance) +{ + u_char buf[64]; + signer_t *signer; + bool res; + + signer = lib->crypto->create_signer(lib->crypto, alg); + if (!signer) + { + fprintf(stderr, "creating signer %N failed\n", + integrity_algorithm_names, alg); + return FALSE; + } + memset(buf, 0xe3, sizeof(buf)); + if (!signer->set_key(signer, chunk_create(buf, signer->get_key_size(signer)))) + { + signer->destroy(signer); + return FALSE; + } + if (!signer->get_signature(signer, chunk_empty, buf)) + { + signer->destroy(signer); + return FALSE; + } + fprintf(stderr, "attacking %b\n", buf, signer->get_block_size(signer)); + + res = timeattack(attack_signer, signer, signer->get_block_size(signer), + iterations, distance); + signer->destroy(signer); + return res; +} + +static bool attack_transform(char *name, u_int iterations, u_int distance) +{ + const proposal_token_t *token; + + token = lib->proposal->get_token(lib->proposal, name); + if (!token) + { + fprintf(stderr, "algorithm '%s' unknown\n", name); + return FALSE; + } + + switch (token->type) + { + case ENCRYPTION_ALGORITHM: + if (encryption_algorithm_is_aead(token->algorithm)) + { + return attack_aeads(token->algorithm, token->keysize / 8, + iterations, distance); + } + fprintf(stderr, "can't attack a crypter\n"); + return FALSE; + case INTEGRITY_ALGORITHM: + return attack_signers(token->algorithm, iterations, distance); + default: + fprintf(stderr, "can't attack a %N\n", transform_type_names, token->type); + return FALSE; + } +} + +int main(int argc, char *argv[]) +{ + library_init(NULL, "timeattack"); + atexit(library_deinit); + lib->plugins->load(lib->plugins, getenv("PLUGINS") ?: PLUGINS); + + if (argc < 3) + { + fprintf(stderr, "usage: %s \n", argv[0]); + fprintf(stderr, " : memeq[1-5] / chunk[1-2] / aead / signer\n"); + fprintf(stderr, " : number of invocations * 1000\n"); + fprintf(stderr, " : time difference in ns for a hit\n"); + fprintf(stderr, " example: %s memeq1 100 500\n", argv[0]); + fprintf(stderr, " example: %s aes128gcm16 100 4000\n", argv[0]); + return 1; + } + if (strpfx(argv[1], "memeq")) + { + return !attack_memeq(argv[1], atoi(argv[2]), atoi(argv[3])); + } + if (strpfx(argv[1], "chunk")) + { + return !attack_chunk(argv[1], atoi(argv[2]), atoi(argv[3])); + } + return !attack_transform(argv[1], atoi(argv[2]), atoi(argv[3])); +} diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c index 32cec36ec..80551f853 100644 --- a/src/charon-nm/charon-nm.c +++ b/src/charon-nm/charon-nm.c @@ -160,6 +160,9 @@ int main(int argc, char *argv[]) /* logging for library during initialization, as we have no bus yet */ dbg = dbg_syslog; + /* LD causes a crash probably due to Glib */ + setenv("LEAK_DETECTIVE_DISABLE", "1", 1); + /* initialize library */ if (!library_init(NULL, "charon-nm")) { diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.c b/src/charon-tkm/src/tkm/tkm_id_manager.c index e6d571b83..d8ff6753f 100644 --- a/src/charon-tkm/src/tkm/tkm_id_manager.c +++ b/src/charon-tkm/src/tkm/tkm_id_manager.c @@ -19,8 +19,6 @@ #include #include -#define TKM_LIMIT 100 - ENUM_BEGIN(tkm_context_kind_names, TKM_CTX_NONCE, TKM_CTX_ESA, "NONCE_CONTEXT", "DH_CONTEXT", diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c index 734b1ec55..7a0672aa8 100644 --- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c +++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c @@ -132,7 +132,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA); - if (!tkm->sad->insert(tkm->sad, reqid, esa_id, local, peer, spi_rem, + if (!tkm->sad->insert(tkm->sad, esa_id, reqid, local, peer, spi_loc, spi_rem, protocol)) { DBG1(DBG_KNL, "unable to add entry (%llu) to SAD", esa_id); @@ -164,6 +164,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, DBG1(DBG_KNL, "child SA (%llu, no PFS) creation failed", esa_id); goto failure; } + tkm->chunk_map->remove(tkm->chunk_map, nonce_loc); tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id); } /* creation of subsequent child SA with PFS: nonce and dh context are set */ @@ -176,6 +177,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, DBG1(DBG_KNL, "child SA (%llu) creation failed", esa_id); goto failure; } + tkm->chunk_map->remove(tkm->chunk_map, nonce_loc); tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nonce_loc_id); } if (ike_esa_select(esa_id) != TKM_OK) @@ -217,11 +219,22 @@ METHOD(kernel_ipsec_t, del_sa, status_t, private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) { - esa_id_type esa_id; + esa_id_type esa_id, other_esa_id; esa_id = tkm->sad->get_esa_id(tkm->sad, src, dst, spi, protocol); if (esa_id) { + other_esa_id = tkm->sad->get_other_esa_id(tkm->sad, esa_id); + if (other_esa_id) + { + DBG1(DBG_KNL, "selecting child SA (esa: %llu)", other_esa_id); + if (ike_esa_select(other_esa_id) != TKM_OK) + { + DBG1(DBG_KNL, "error selecting other child SA (esa: %llu)", + other_esa_id); + } + } + DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id, ntohl(spi)); if (ike_esa_reset(esa_id) != TKM_OK) diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.c b/src/charon-tkm/src/tkm/tkm_kernel_sad.c index 3394b58af..2556f6b8b 100644 --- a/src/charon-tkm/src/tkm/tkm_kernel_sad.c +++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.c @@ -72,9 +72,14 @@ struct sad_entry_t { host_t *dst; /** - * SPI of CHILD SA. + * Local SPI of CHILD SA. */ - u_int32_t spi; + u_int32_t spi_loc; + + /** + * Remote SPI of CHILD SA. + */ + u_int32_t spi_rem; /** * Protocol of CHILD SA (ESP/AH). @@ -97,7 +102,7 @@ static void sad_entry_destroy(sad_entry_t *entry) } /** - * Find a list entry with given src, dst, spi and proto values. + * Find a list entry with given src, dst, (remote) spi and proto values. */ static bool sad_entry_match(sad_entry_t * const entry, const host_t * const src, const host_t * const dst, const u_int32_t * const spi, @@ -110,7 +115,7 @@ static bool sad_entry_match(sad_entry_t * const entry, const host_t * const src, return src->ip_equals(entry->src, (host_t *)src) && dst->ip_equals(entry->dst, (host_t *)dst) && - entry->spi == *spi && entry->proto == *proto; + entry->spi_rem == *spi && entry->proto == *proto; } /** @@ -121,9 +126,29 @@ static bool sad_entry_match_dst(sad_entry_t * const entry, const u_int32_t * const spi, const u_int8_t * const proto) { - return entry->reqid == *reqid && - entry->spi == *spi && - entry->proto == *proto; + return entry->reqid == *reqid && + entry->spi_rem == *spi && + entry->proto == *proto; +} + +/** + * Find a list entry with given esa id. + */ +static bool sad_entry_match_esa_id(sad_entry_t * const entry, + const esa_id_type * const esa_id) +{ + return entry->esa_id == *esa_id; +} + +/** + * Find a list entry with given reqid and different esa id. + */ +static bool sad_entry_match_other_esa(sad_entry_t * const entry, + const esa_id_type * const esa_id, + const u_int32_t * const reqid) +{ + return entry->reqid == *reqid && + entry->esa_id != *esa_id; } /** @@ -140,13 +165,15 @@ static bool sad_entry_equal(sad_entry_t * const left, sad_entry_t * const right) left->reqid == right->reqid && left->src->ip_equals(left->src, right->src) && left->dst->ip_equals(left->dst, right->dst) && - left->spi == right->spi && left->proto == right->proto; + left->spi_loc == right->spi_loc && + left->spi_rem == right->spi_rem && + left->proto == right->proto; } METHOD(tkm_kernel_sad_t, insert, bool, private_tkm_kernel_sad_t * const this, const esa_id_type esa_id, const u_int32_t reqid, const host_t * const src, const host_t * const dst, - const u_int32_t spi, const u_int8_t proto) + const u_int32_t spi_loc, const u_int32_t spi_rem, const u_int8_t proto) { status_t result; sad_entry_t *new_entry; @@ -156,7 +183,8 @@ METHOD(tkm_kernel_sad_t, insert, bool, .reqid = reqid, .src = (host_t *)src, .dst = (host_t *)dst, - .spi = spi, + .spi_loc = spi_loc, + .spi_rem = spi_rem, .proto = proto, ); @@ -167,8 +195,8 @@ METHOD(tkm_kernel_sad_t, insert, bool, if (result == NOT_FOUND) { DBG3(DBG_KNL, "inserting SAD entry (esa: %llu, reqid: %u, src: %H, " - "dst: %H, spi: %x, proto: %u)", esa_id, reqid, src, dst, - ntohl(spi), proto); + "dst: %H, spi_loc: %x, spi_rem: %x,proto: %u)", esa_id, reqid, src, + dst, ntohl(spi_loc), ntohl(spi_rem), proto); new_entry->src = src->clone((host_t *)src); new_entry->dst = dst->clone((host_t *)dst); this->data->insert_last(this->data, new_entry); @@ -209,6 +237,42 @@ METHOD(tkm_kernel_sad_t, get_esa_id, esa_id_type, return id; } +METHOD(tkm_kernel_sad_t, get_other_esa_id, esa_id_type, + private_tkm_kernel_sad_t * const this, const esa_id_type esa_id) +{ + esa_id_type id = 0; + sad_entry_t *entry = NULL; + u_int32_t reqid; + status_t res; + + this->mutex->lock(this->mutex); + res = this->data->find_first(this->data, + (linked_list_match_t)sad_entry_match_esa_id, + (void**)&entry, &esa_id); + if (res == SUCCESS && entry) + { + reqid = entry->reqid; + } + else + { + DBG3(DBG_KNL, "no SAD entry found for ESA id %llu", esa_id); + this->mutex->unlock(this->mutex); + return id; + } + + res = this->data->find_first(this->data, + (linked_list_match_t)sad_entry_match_other_esa, + (void**)&entry, &esa_id, &reqid); + if (res == SUCCESS && entry) + { + id = entry->esa_id; + DBG3(DBG_KNL, "returning ESA id %llu of other SAD entry with reqid %u", + id, reqid); + } + this->mutex->unlock(this->mutex); + return id; +} + METHOD(tkm_kernel_sad_t, get_dst_host, host_t *, private_tkm_kernel_sad_t * const this, const u_int32_t reqid, const u_int32_t spi, const u_int8_t proto) @@ -289,6 +353,7 @@ tkm_kernel_sad_t *tkm_kernel_sad_create() .public = { .insert = _insert, .get_esa_id = _get_esa_id, + .get_other_esa_id = _get_other_esa_id, .get_dst_host = _get_dst_host, .remove = __remove, .destroy = _destroy, diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.h b/src/charon-tkm/src/tkm/tkm_kernel_sad.h index 38b19dd01..3a84deffc 100644 --- a/src/charon-tkm/src/tkm/tkm_kernel_sad.h +++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.h @@ -40,21 +40,22 @@ struct tkm_kernel_sad_t { * @param reqid reqid of the SA * @param src source address of CHILD SA * @param dst destination address of CHILD SA - * @param spi SPI of CHILD SA + * @param spi_loc Local SPI of CHILD SA + * @param spi_rem Remote SPI of CHILD SA * @param proto protocol of CHILD SA (ESP/AH) * @return TRUE if entry was inserted, FALSE otherwise */ bool (*insert)(tkm_kernel_sad_t * const this, const esa_id_type esa_id, const u_int32_t reqid, const host_t * const src, - const host_t * const dst, const u_int32_t spi, - const u_int8_t proto); + const host_t * const dst, const u_int32_t spi_loc, + const u_int32_t spi_rem, const u_int8_t proto); /** * Get ESA id for entry with given parameters. * * @param src source address of CHILD SA * @param dst destination address of CHILD SA - * @param spi SPI of CHILD SA + * @param spi Remote SPI of CHILD SA * @param proto protocol of CHILD SA (ESP/AH) * @return ESA id of entry if found, 0 otherwise */ @@ -62,11 +63,21 @@ struct tkm_kernel_sad_t { const host_t * const src, const host_t * const dst, const u_int32_t spi, const u_int8_t proto); + /** + * Get ESA id for entry associated with same security policy as the + * specified ESA. + * + * @param esa_id id of ESA identifying the security policy + * @return ESA id of entry if found, 0 otherwise + */ + esa_id_type (*get_other_esa_id)(tkm_kernel_sad_t * const this, + const esa_id_type esa_id); + /** * Get destination host for entry with given parameters. * * @param reqid reqid of CHILD SA - * @param spi SPI of CHILD SA + * @param spi Remote SPI of CHILD SA * @param proto protocol of CHILD SA (ESP/AH) * @return destination host of entry if found, NULL otherwise */ diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c index 80721fafe..1e1fa4f30 100644 --- a/src/charon-tkm/src/tkm/tkm_keymat.c +++ b/src/charon-tkm/src/tkm/tkm_keymat.c @@ -102,6 +102,7 @@ static void aead_create_from_keys(aead_t **in, aead_t **out, *in = *out = NULL; signer_t *signer_i, *signer_r; crypter_t *crypter_i, *crypter_r; + iv_gen_t *ivg_i, *ivg_r; signer_i = lib->crypto->create_signer(lib->crypto, int_alg); signer_r = lib->crypto->create_signer(lib->crypto, int_alg); @@ -145,15 +146,21 @@ static void aead_create_from_keys(aead_t **in, aead_t **out, return; } + ivg_i = iv_gen_create_for_alg(enc_alg); + ivg_r = iv_gen_create_for_alg(enc_alg); + if (!ivg_i || !ivg_r) + { + return; + } if (initiator) { - *in = aead_create(crypter_r, signer_r); - *out = aead_create(crypter_i, signer_i); + *in = aead_create(crypter_r, signer_r, ivg_r); + *out = aead_create(crypter_i, signer_i, ivg_i); } else { - *in = aead_create(crypter_i, signer_i); - *out = aead_create(crypter_r, signer_r); + *in = aead_create(crypter_i, signer_i, ivg_i); + *out = aead_create(crypter_r, signer_r, ivg_r); } } diff --git a/src/charon-tkm/src/tkm/tkm_listener.c b/src/charon-tkm/src/tkm/tkm_listener.c index bb1218266..f57527602 100644 --- a/src/charon-tkm/src/tkm/tkm_listener.c +++ b/src/charon-tkm/src/tkm/tkm_listener.c @@ -14,6 +14,8 @@ * for more details. */ +#include + #include #include #include @@ -209,6 +211,13 @@ METHOD(listener_t, alert, bool, { tkm_keymat_t *keymat; isa_id_type isa_id; + int is_first; + + is_first = va_arg(args, int); + if (!is_first) + { + return TRUE; + } keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa); isa_id = keymat->get_isa_id(keymat); diff --git a/src/charon-tkm/src/tkm/tkm_nonceg.c b/src/charon-tkm/src/tkm/tkm_nonceg.c index a07326798..336f16ecd 100644 --- a/src/charon-tkm/src/tkm/tkm_nonceg.c +++ b/src/charon-tkm/src/tkm/tkm_nonceg.c @@ -33,23 +33,32 @@ struct private_tkm_nonceg_t { tkm_nonceg_t public; /** - * Context id. + * Nonce chunk. */ - nc_id_type context_id; - + chunk_t nonce; }; METHOD(nonce_gen_t, get_nonce, bool, private_tkm_nonceg_t *this, size_t size, u_int8_t *buffer) { nonce_type nonce; + uint64_t nc_id; + + nc_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_NONCE); + if (!nc_id) + { + return FALSE; + } - if (ike_nc_create(this->context_id, size, &nonce) != TKM_OK) + if (ike_nc_create(nc_id, size, &nonce) != TKM_OK) { + tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id); return FALSE; } memcpy(buffer, &nonce.data, size); + this->nonce = chunk_clone(chunk_create(buffer, size)); + tkm->chunk_map->insert(tkm->chunk_map, &this->nonce, nc_id); return TRUE; } @@ -57,24 +66,28 @@ METHOD(nonce_gen_t, allocate_nonce, bool, private_tkm_nonceg_t *this, size_t size, chunk_t *chunk) { *chunk = chunk_alloc(size); - if (get_nonce(this, chunk->len, chunk->ptr)) - { - tkm->chunk_map->insert(tkm->chunk_map, chunk, this->context_id); - return TRUE; - } - return FALSE; + return get_nonce(this, chunk->len, chunk->ptr); } METHOD(nonce_gen_t, destroy, void, private_tkm_nonceg_t *this) { - free(this); -} + uint64_t nc_id; -METHOD(tkm_nonceg_t, get_id, nc_id_type, - private_tkm_nonceg_t *this) -{ - return this->context_id; + nc_id = tkm->chunk_map->get_id(tkm->chunk_map, &this->nonce); + if (nc_id) + { + DBG1(DBG_IKE, "resetting stale nonce context %llu", nc_id); + + if (ike_nc_reset(nc_id) != TKM_OK) + { + DBG1(DBG_IKE, "failed to reset nonce context %llu", nc_id); + } + tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id); + tkm->chunk_map->remove(tkm->chunk_map, &this->nonce); + } + chunk_free(&this->nonce); + free(this); } /* @@ -91,16 +104,8 @@ tkm_nonceg_t *tkm_nonceg_create() .allocate_nonce = _allocate_nonce, .destroy = _destroy, }, - .get_id = _get_id, }, - .context_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_NONCE), ); - if (!this->context_id) - { - free(this); - return NULL; - } - return &this->public; } diff --git a/src/charon-tkm/src/tkm/tkm_nonceg.h b/src/charon-tkm/src/tkm/tkm_nonceg.h index ceadb081f..d158551fe 100644 --- a/src/charon-tkm/src/tkm/tkm_nonceg.h +++ b/src/charon-tkm/src/tkm/tkm_nonceg.h @@ -36,14 +36,6 @@ struct tkm_nonceg_t { * Implements nonce_gen_t. */ nonce_gen_t nonce_gen; - - /** - * Get nonce context id. - * - * @return context id of this nonce generator. - */ - nc_id_type (*get_id)(tkm_nonceg_t * const this); - }; /** diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c index b9ab3cb5e..2a033d237 100644 --- a/src/charon-tkm/tests/kernel_sad_tests.c +++ b/src/charon-tkm/tests/kernel_sad_tests.c @@ -34,7 +34,7 @@ START_TEST(test_insert) host_t *addr = host_create_from_string("127.0.0.1", 1024); tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); - fail_unless(sad->insert(sad, 1, 2, addr, addr, 42, 50), + fail_unless(sad->insert(sad, 1, 2, addr, addr, 27, 42, 50), "Error inserting SAD entry"); sad->destroy(sad); @@ -47,9 +47,9 @@ START_TEST(test_insert_duplicate) host_t *addr = host_create_from_string("127.0.0.1", 1024); tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); - fail_unless(sad->insert(sad, 1, 2, addr, addr, 42, 50), + fail_unless(sad->insert(sad, 1, 2, addr, addr, 27, 42, 50), "Error inserting SAD entry"); - fail_if(sad->insert(sad, 1, 2, addr, addr, 42, 50), + fail_if(sad->insert(sad, 1, 2, addr, addr, 27, 42, 50), "Expected error inserting duplicate entry"); sad->destroy(sad); @@ -61,7 +61,7 @@ START_TEST(test_get_esa_id) { host_t *addr = host_create_from_string("127.0.0.1", 1024); tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); - fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50), + fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50), "Error inserting SAD entry"); fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23, "Error getting esa id"); @@ -81,11 +81,42 @@ START_TEST(test_get_esa_id_nonexistent) } END_TEST +START_TEST(test_get_other_esa_id) +{ + host_t *addr = host_create_from_string("127.0.0.1", 1024); + tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); + fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50), + "Error inserting SAD entry"); + fail_unless(sad->insert(sad, 24, 54, addr, addr, 27, 42, 50), + "Error inserting SAD entry"); + fail_unless(sad->get_other_esa_id(sad, 23) == 24, + "Error getting other esa id"); + sad->destroy(sad); + addr->destroy(addr); +} +END_TEST + +START_TEST(test_get_other_esa_id_nonexistent) +{ + host_t *addr = host_create_from_string("127.0.0.1", 1024); + tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); + fail_unless(sad->get_other_esa_id(sad, 1) == 0, + "Got other esa id for nonexistent SAD entry"); + fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50), + "Error inserting SAD entry"); + fail_unless(sad->get_other_esa_id(sad, 23) == 0, + "Got own esa id"); + + sad->destroy(sad); + addr->destroy(addr); +} +END_TEST + START_TEST(test_get_dst_host) { host_t *addr = host_create_from_string("127.0.0.1", 1024); tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); - fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50), + fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50), "Error inserting SAD entry"); host_t *dst = sad->get_dst_host(sad, 54, 42, 50); @@ -108,7 +139,7 @@ START_TEST(test_remove) { host_t *addr = host_create_from_string("127.0.0.1", 1024); tkm_kernel_sad_t *sad = tkm_kernel_sad_create(); - fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50), + fail_unless(sad->insert(sad, 23, 54, addr, addr, 27, 42, 50), "Error inserting SAD entry"); fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23, "Error getting esa id"); @@ -151,6 +182,11 @@ Suite *make_kernel_sad_tests() tcase_add_test(tc, test_get_esa_id_nonexistent); suite_add_tcase(s, tc); + tc = tcase_create("get_other_esa_id"); + tcase_add_test(tc, test_get_other_esa_id); + tcase_add_test(tc, test_get_other_esa_id_nonexistent); + suite_add_tcase(s, tc); + tc = tcase_create("get_dst_host"); tcase_add_test(tc, test_get_dst_host); tcase_add_test(tc, test_get_dst_host_nonexistent); diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c index 889965a78..d087bee3f 100644 --- a/src/charon-tkm/tests/keymat_tests.c +++ b/src/charon-tkm/tests/keymat_tests.c @@ -46,7 +46,6 @@ START_TEST(test_derive_ike_keys) fail_if(!ng, "Unable to create nonce generator"); fail_unless(ng->nonce_gen.allocate_nonce(&ng->nonce_gen, 32, &nonce), "Unable to allocate nonce"); - ng->nonce_gen.destroy(&ng->nonce_gen); tkm_diffie_hellman_t *dh = tkm_diffie_hellman_create(MODP_4096_BIT); fail_if(!dh, "Unable to create DH"); @@ -69,6 +68,7 @@ START_TEST(test_derive_ike_keys) fail_if(aead->get_block_size(aead) != 16, "Block size mismatch %d", aead->get_block_size(aead)); + ng->nonce_gen.destroy(&ng->nonce_gen); proposal->destroy(proposal); dh->dh.destroy(&dh->dh); ike_sa_id->destroy(ike_sa_id); diff --git a/src/charon-tkm/tests/nonceg_tests.c b/src/charon-tkm/tests/nonceg_tests.c index 6f524cb22..d150891eb 100644 --- a/src/charon-tkm/tests/nonceg_tests.c +++ b/src/charon-tkm/tests/nonceg_tests.c @@ -27,7 +27,6 @@ START_TEST(test_nonceg_creation) ng = tkm_nonceg_create(); fail_if(ng == NULL, "Error creating tkm nonce generator"); - fail_if(ng->get_id(ng) == 0, "Invalid context id (0)"); ng->nonce_gen.destroy(&ng->nonce_gen); } diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8 index d2d0c2edd..f9c54f8a4 100644 --- a/src/ipsec/_ipsec.8 +++ b/src/ipsec/_ipsec.8 @@ -1,4 +1,4 @@ -.TH IPSEC 8 "2013-10-29" "5.3.0" "strongSwan" +.TH IPSEC 8 "2013-10-29" "5.3.1dr1" "strongSwan" . .SH NAME . diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c index 7938f46cc..53ded6be7 100644 --- a/src/libcharon/bus/bus.c +++ b/src/libcharon/bus/bus.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Tobias Brunner + * Copyright (C) 2011-2015 Tobias Brunner * Copyright (C) 2006 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -687,6 +687,37 @@ METHOD(bus_t, child_rekey, void, this->mutex->unlock(this->mutex); } +METHOD(bus_t, children_migrate, void, + private_bus_t *this, ike_sa_id_t *new, u_int32_t unique) +{ + enumerator_t *enumerator; + ike_sa_t *ike_sa; + entry_t *entry; + bool keep; + + ike_sa = this->thread_sa->get(this->thread_sa); + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->children_migrate) + { + continue; + } + entry->calling++; + keep = entry->listener->children_migrate(entry->listener, ike_sa, new, + unique); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + METHOD(bus_t, ike_updown, void, private_bus_t *this, ike_sa_t *ike_sa, bool up) { @@ -1038,6 +1069,7 @@ bus_t *bus_create() .ike_reestablish_post = _ike_reestablish_post, .child_updown = _child_updown, .child_rekey = _child_rekey, + .children_migrate = _children_migrate, .authorize = _authorize, .narrow = _narrow, .assign_vips = _assign_vips, diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h index 051c429f9..b6757b140 100644 --- a/src/libcharon/bus/bus.h +++ b/src/libcharon/bus/bus.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Tobias Brunner + * Copyright (C) 2012-2015 Tobias Brunner * Copyright (C) 2006-2009 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -130,7 +130,8 @@ enum alert_t { ALERT_UNIQUE_REPLACE, /** IKE_SA deleted because of "keep" unique policy, no argument */ ALERT_UNIQUE_KEEP, - /** IKE_SA kept on failed child SA establishment, no argument */ + /** IKE_SA kept on failed child SA establishment, argument is an int (!=0 if + * first child SA) */ ALERT_KEEP_ON_CHILD_SA_FAILURE, /** allocating virtual IP failed, linked_list_t of host_t requested */ ALERT_VIP_FAILURE, @@ -425,6 +426,14 @@ struct bus_t { */ void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new); + /** + * CHILD_SA migration hook. + * + * @param new ID of new SA when called for the old, NULL otherwise + * @param uniue unique ID of new SA when called for the old, 0 otherwise + */ + void (*children_migrate)(bus_t *this, ike_sa_id_t *new, u_int32_t unique); + /** * Virtual IP assignment hook. * diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h index 3447d8f99..c7a8d8d1e 100644 --- a/src/libcharon/bus/listeners/listener.h +++ b/src/libcharon/bus/listeners/listener.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Tobias Brunner + * Copyright (C) 2011-2015 Tobias Brunner * Copyright (C) 2009 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -187,6 +187,21 @@ struct listener_t { bool (*child_rekey)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *old, child_sa_t *new); + /** + * Hook called when CHILD_SAs get migrated from one IKE_SA to another during + * IKEv1 reauthentication. + * + * This is called twice, once for the old IKE_SA before the CHILD_SAs are + * removed, and once for the new IKE_SA just after they got added. + * + * @param ike_sa new or old IKE_SA + * @param new ID of new SA when called for the old, NULL otherwise + * @param unique unique ID of new SA when called for the old, 0 otherwise + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*children_migrate)(listener_t *this, ike_sa_t *ike_sa, + ike_sa_id_t *new, u_int32_t unique); + /** * Hook called to invoke additional authorization rules. * diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c index 0a596ffb0..3303024cd 100644 --- a/src/libcharon/encoding/message.c +++ b/src/libcharon/encoding/message.c @@ -1411,6 +1411,55 @@ static char* get_string(private_message_t *this, char *buf, int len) len -= written; } } + if (payload->get_type(payload) == PLV1_FRAGMENT) + { + fragment_payload_t *frag; + + frag = (fragment_payload_t*)payload; + if (frag->is_last(frag)) + { + written = snprintf(pos, len, "(%u/%u)", + frag->get_number(frag), frag->get_number(frag)); + } + else + { + written = snprintf(pos, len, "(%u)", frag->get_number(frag)); + } + if (written >= len || written < 0) + { + return buf; + } + pos += written; + len -= written; + } + if (payload->get_type(payload) == PLV2_FRAGMENT) + { + encrypted_fragment_payload_t *frag; + + frag = (encrypted_fragment_payload_t*)payload; + written = snprintf(pos, len, "(%u/%u)", + frag->get_fragment_number(frag), + frag->get_total_fragments(frag)); + if (written >= len || written < 0) + { + return buf; + } + pos += written; + len -= written; + } + if (payload->get_type(payload) == PL_UNKNOWN) + { + unknown_payload_t *unknown; + + unknown = (unknown_payload_t*)payload; + written = snprintf(pos, len, "(%d)", unknown->get_type(unknown)); + if (written >= len || written < 0) + { + return buf; + } + pos += written; + len -= written; + } } enumerator->destroy(enumerator); @@ -2237,9 +2286,16 @@ static status_t parse_payloads(private_message_t *this) payload->destroy(payload); return VERIFY_ERROR; } - - DBG2(DBG_ENC, "%N payload verified, adding to payload list", - payload_type_names, type); + if (payload->get_type(payload) == PL_UNKNOWN) + { + DBG2(DBG_ENC, "%N payload unknown or not allowed", + payload_type_names, type); + } + else + { + DBG2(DBG_ENC, "%N payload verified, adding to payload list", + payload_type_names, type); + } this->payloads->insert_last(this->payloads, payload); /* an encrypted (fragment) payload MUST be the last one, so STOP here. @@ -2477,7 +2533,7 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat) was_encrypted = "encrypted fragment payload"; } - if (payload_is_known(type, this->major_version) && !was_encrypted && + if (type != PL_UNKNOWN && !was_encrypted && !is_connectivity_check(this, payload) && this->exchange_type != AGGRESSIVE) { @@ -2625,7 +2681,7 @@ METHOD(message_t, parse_body, status_t, other_hash = hash_payload->get_hash(hash_payload); DBG3(DBG_ENC, "HASH received %B\nHASH expected %B", &other_hash, &hash); - if (!chunk_equals(hash, other_hash)) + if (!chunk_equals_const(hash, other_hash)) { DBG1(DBG_ENC, "received HASH payload does not match"); chunk_free(&hash); diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c index 04372fdf0..d1a267836 100644 --- a/src/libcharon/encoding/payloads/encrypted_payload.c +++ b/src/libcharon/encoding/payloads/encrypted_payload.c @@ -502,6 +502,8 @@ METHOD(encrypted_payload_t, encrypt, status_t, generator = generator_create(); plain = generate(this, generator); assoc = append_header(this, assoc); + /* lower 32-bits are for fragment number, if used */ + mid <<= 32; status = encrypt_content("encrypted payload", this->aead, mid, plain, assoc, &this->encrypted); generator->destroy(generator); @@ -932,6 +934,9 @@ METHOD(encrypted_payload_t, frag_encrypt, status_t, } free(this->encrypted.ptr); assoc = append_header_frag(this, assoc); + /* IKEv2 message IDs are not unique if fragmentation is used, hence include + * the fragment number to make it unique */ + mid = mid << 32 | this->fragment_number; status = encrypt_content("encrypted fragment payload", this->aead, mid, this->plain, assoc, &this->encrypted); free(assoc.ptr); diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c index a1cd2f945..f7c2754e0 100644 --- a/src/libcharon/encoding/payloads/payload.c +++ b/src/libcharon/encoding/payloads/payload.c @@ -97,6 +97,7 @@ ENUM_NEXT(payload_type_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_FRAGME #endif /* ME */ ENUM_NEXT(payload_type_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT, "HEADER", + "UNKNOWN", "PROPOSAL_SUBSTRUCTURE", "PROPOSAL_SUBSTRUCTURE_V1", "TRANSFORM_SUBSTRUCTURE", @@ -167,6 +168,7 @@ ENUM_NEXT(payload_type_short_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_ #endif /* ME */ ENUM_NEXT(payload_type_short_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT, "HDR", + "UNKN", "PROP", "PROP", "TRANS", diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h index 920779bd1..72003894f 100644 --- a/src/libcharon/encoding/payloads/payload.h +++ b/src/libcharon/encoding/payloads/payload.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007 Tobias Brunner + * Copyright (C) 2007-2015 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -263,6 +263,11 @@ enum payload_type_t { */ PL_HEADER = 256, + /** + * Used to handle unknown or invalid payload types. + */ + PL_UNKNOWN, + /** * PLV2_PROPOSAL_SUBSTRUCTURE, IKEv2 proposals in a SA payload. */ diff --git a/src/libcharon/encoding/payloads/unknown_payload.c b/src/libcharon/encoding/payloads/unknown_payload.c index 45b91fd0b..c69254fc0 100644 --- a/src/libcharon/encoding/payloads/unknown_payload.c +++ b/src/libcharon/encoding/payloads/unknown_payload.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -120,6 +121,12 @@ METHOD(payload_t, get_header_length, int, METHOD(payload_t, get_payload_type, payload_type_t, private_unknown_payload_t *this) +{ + return PL_UNKNOWN; +} + +METHOD(unknown_payload_t, get_type, payload_type_t, + private_unknown_payload_t *this) { return this->type; } @@ -181,6 +188,7 @@ unknown_payload_t *unknown_payload_create(payload_type_t type) .destroy = _destroy, }, .is_critical = _is_critical, + .get_type = _get_type, .get_data = _get_data, .destroy = _destroy, }, diff --git a/src/libcharon/encoding/payloads/unknown_payload.h b/src/libcharon/encoding/payloads/unknown_payload.h index 326b550cd..09341bcc7 100644 --- a/src/libcharon/encoding/payloads/unknown_payload.h +++ b/src/libcharon/encoding/payloads/unknown_payload.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -41,6 +42,13 @@ struct unknown_payload_t { */ payload_t payload_interface; + /** + * Get the original payload type as sent by the peer. + * + * @return type of the original payload + */ + payload_type_t (*get_type) (unknown_payload_t *this); + /** * Get the raw data of this payload, without * the generic payload header. diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c index 5ce9471bd..6902c4847 100644 --- a/src/libcharon/network/receiver.c +++ b/src/libcharon/network/receiver.c @@ -247,7 +247,7 @@ static bool cookie_verify(private_receiver_t *this, message_t *message, { return FALSE; } - if (chunk_equals(reference, cookie)) + if (chunk_equals_const(reference, cookie)) { chunk_free(&reference); return TRUE; diff --git a/src/libcharon/plugins/eap_aka/eap_aka_server.c b/src/libcharon/plugins/eap_aka/eap_aka_server.c index eba7af874..04bfc170b 100644 --- a/src/libcharon/plugins/eap_aka/eap_aka_server.c +++ b/src/libcharon/plugins/eap_aka/eap_aka_server.c @@ -425,7 +425,7 @@ static status_t process_challenge(private_eap_aka_server_t *this, enumerator->destroy(enumerator); /* compare received RES against stored XRES */ - if (!chunk_equals(res, this->xres)) + if (!chunk_equals_const(res, this->xres)) { DBG1(DBG_IKE, "received RES does not match XRES"); return FAILED; @@ -486,7 +486,7 @@ static status_t process_reauthentication(private_eap_aka_server_t *this, this->crypto->clear_keys(this->crypto); return challenge(this, out); } - if (!chunk_equals(counter, this->counter)) + if (!chunk_equals_const(counter, this->counter)) { DBG1(DBG_IKE, "received counter does not match"); return FAILED; @@ -730,4 +730,3 @@ eap_aka_server_t *eap_aka_server_create(identification_t *server, return &this->public; } - diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c index a71dae78a..e38ee5b70 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c +++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c @@ -87,7 +87,7 @@ METHOD(simaka_card_t, get_quintuplet, status_t, { return FAILED; } - if (!memeq(mac, xmac, AKA_MAC_LEN)) + if (!memeq_const(mac, xmac, AKA_MAC_LEN)) { DBG1(DBG_IKE, "received MAC does not match XMAC"); DBG3(DBG_IKE, "MAC %b\nXMAC %b", mac, AKA_MAC_LEN, xmac, AKA_MAC_LEN); @@ -184,4 +184,3 @@ eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f) return &this->public; } - diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c index 0be122158..f272e1ec8 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c +++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c @@ -158,7 +158,7 @@ METHOD(simaka_provider_t, resync, bool, { return FALSE; } - if (!memeq(macs, xmacs, AKA_MAC_LEN)) + if (!memeq_const(macs, xmacs, AKA_MAC_LEN)) { DBG1(DBG_IKE, "received MACS does not match XMACS"); DBG3(DBG_IKE, "MACS %b XMACS %b", @@ -205,4 +205,3 @@ eap_aka_3gpp2_provider_t *eap_aka_3gpp2_provider_create( return &this->public; } - diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c index b2640d104..d314e7a9e 100644 --- a/src/libcharon/plugins/eap_md5/eap_md5.c +++ b/src/libcharon/plugins/eap_md5/eap_md5.c @@ -193,7 +193,7 @@ METHOD(eap_method_t, process_server, status_t, } response = chunk_create(data.ptr + 6, data.ptr[5]); if (response.len < expected.len || - !memeq(response.ptr, expected.ptr, expected.len)) + !memeq_const(response.ptr, expected.ptr, expected.len)) { chunk_free(&expected); DBG1(DBG_IKE, "EAP-MD5 verification failed"); @@ -299,4 +299,3 @@ eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer) return &this->public; } - diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c index 511506869..f7f39f984 100644 --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c @@ -812,7 +812,7 @@ static status_t process_peer_success(private_eap_mschapv2_t *this, goto error; } - if (!chunk_equals(this->auth_response, auth_string)) + if (!chunk_equals_const(this->auth_response, auth_string)) { DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed"); goto error; @@ -1087,8 +1087,8 @@ static status_t process_server_response(private_eap_mschapv2_t *this, userid->destroy(userid); chunk_clear(&nt_hash); - if (memeq(res->response.nt_response, this->nt_response.ptr, - this->nt_response.len)) + if (memeq_const(res->response.nt_response, this->nt_response.ptr, + this->nt_response.len)) { chunk_t hex; char msg[AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE)]; @@ -1267,4 +1267,3 @@ eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identificatio return &this->public; } - diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c index ac4ecfc86..cef19305c 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG * @@ -21,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -92,6 +96,62 @@ typedef enum { ACCT_CAUSE_HOST_REQUEST = 18, } radius_acct_terminate_cause_t; +/** + * Usage stats for bytes and packets + */ +typedef struct { + struct { + u_int64_t sent; + u_int64_t received; + } bytes, packets; +} usage_t; + +/** + * Add usage stats (modifies a) + */ +static inline void add_usage(usage_t *a, usage_t b) +{ + a->bytes.sent += b.bytes.sent; + a->bytes.received += b.bytes.received; + a->packets.sent += b.packets.sent; + a->packets.received += b.packets.received; +} + +/** + * Subtract usage stats (modifies a) + */ +static inline void sub_usage(usage_t *a, usage_t b) +{ + a->bytes.sent -= b.bytes.sent; + a->bytes.received -= b.bytes.received; + a->packets.sent -= b.packets.sent; + a->packets.received -= b.packets.received; +} + +/** + * Usage stats for a cached/migrated SAs + */ +typedef struct { + /** unique CHILD_SA identifier */ + u_int32_t id; + /** usage stats for this SA */ + usage_t usage; +} sa_entry_t; + +/** + * Clone an sa_entry_t + */ +static sa_entry_t *clone_sa(sa_entry_t *sa) +{ + sa_entry_t *this; + + INIT(this, + .id = sa->id, + .usage = sa->usage, + ); + return this; +} + /** * Hashtable entry with usage stats */ @@ -100,11 +160,12 @@ typedef struct { ike_sa_id_t *id; /** RADIUS accounting session ID */ char sid[24]; - /** number of sent/received octets/packets */ - struct { - u_int64_t sent; - u_int64_t received; - } bytes, packets; + /** number of sent/received octets/packets for expired SAs */ + usage_t usage; + /** list of cached SAs, sa_entry_t (sorted by their unique ID) */ + array_t *cached; + /** list of migrated SAs, sa_entry_t (sorted by their unique ID) */ + array_t *migrated; /** session creation time */ time_t created; /** terminate cause */ @@ -123,6 +184,8 @@ typedef struct { */ static void destroy_entry(entry_t *this) { + array_destroy_function(this->cached, (void*)free, NULL); + array_destroy_function(this->migrated, (void*)free, NULL); this->id->destroy(this->id); free(this); } @@ -154,30 +217,157 @@ static bool equals(ike_sa_id_t *a, ike_sa_id_t *b) return a->equals(a, b); } +/** + * Sort cached SAs + */ +static int sa_sort(const void *a, const void *b, void *user) +{ + const sa_entry_t *ra = a, *rb = b; + return ra->id - rb->id; +} + +/** + * Find a cached SA + */ +static int sa_find(const void *a, const void *b) +{ + return sa_sort(a, b, NULL); +} + +/** + * Update or create usage counters of a cached SA + */ +static void update_sa(entry_t *entry, u_int32_t id, usage_t usage) +{ + sa_entry_t *sa, lookup; + + lookup.id = id; + if (array_bsearch(entry->cached, &lookup, sa_find, &sa) == -1) + { + INIT(sa, + .id = id, + ); + array_insert_create(&entry->cached, ARRAY_TAIL, sa); + array_sort(entry->cached, sa_sort, NULL); + } + sa->usage = usage; +} + /** * Update usage counter when a CHILD_SA rekeys/goes down */ static void update_usage(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa) { - u_int64_t bytes_in, bytes_out, packets_in, packets_out; + usage_t usage; entry_t *entry; - child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, &packets_out); - child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in, &packets_in); + child_sa->get_usestats(child_sa, TRUE, NULL, &usage.bytes.received, + &usage.packets.received); + child_sa->get_usestats(child_sa, FALSE, NULL, &usage.bytes.sent, + &usage.packets.sent); this->mutex->lock(this->mutex); entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa)); if (entry) { - entry->bytes.sent += bytes_out; - entry->bytes.received += bytes_in; - entry->packets.sent += packets_out; - entry->packets.received += packets_in; + update_sa(entry, child_sa->get_unique_id(child_sa), usage); } this->mutex->unlock(this->mutex); } +/** + * Collect usage stats for all CHILD_SAs of the given IKE_SA, optionally returns + * the total number of bytes and packets + */ +static array_t *collect_stats(ike_sa_t *ike_sa, usage_t *total) +{ + enumerator_t *enumerator; + child_sa_t *child_sa; + array_t *stats; + sa_entry_t *sa; + usage_t usage; + + if (total) + { + *total = (usage_t){}; + } + + stats = array_create(0, 0); + enumerator = ike_sa->create_child_sa_enumerator(ike_sa); + while (enumerator->enumerate(enumerator, &child_sa)) + { + INIT(sa, + .id = child_sa->get_unique_id(child_sa), + ); + array_insert(stats, ARRAY_TAIL, sa); + array_sort(stats, sa_sort, NULL); + + child_sa->get_usestats(child_sa, TRUE, NULL, &usage.bytes.received, + &usage.packets.received); + child_sa->get_usestats(child_sa, FALSE, NULL, &usage.bytes.sent, + &usage.packets.sent); + sa->usage = usage; + if (total) + { + add_usage(total, usage); + } + } + enumerator->destroy(enumerator); + return stats; +} + +/** + * Cleanup cached SAs + */ +static void cleanup_sas(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, + entry_t *entry) +{ + enumerator_t *enumerator; + child_sa_t *child_sa; + sa_entry_t *sa, *found; + array_t *sas; + + sas = array_create(0, 0); + enumerator = ike_sa->create_child_sa_enumerator(ike_sa); + while (enumerator->enumerate(enumerator, &child_sa)) + { + INIT(sa, + .id = child_sa->get_unique_id(child_sa), + ); + array_insert(sas, ARRAY_TAIL, sa); + array_sort(sas, sa_sort, NULL); + } + enumerator->destroy(enumerator); + + enumerator = array_create_enumerator(entry->cached); + while (enumerator->enumerate(enumerator, &sa)) + { + if (array_bsearch(sas, sa, sa_find, &found) == -1) + { + /* SA is gone, add its latest stats to the total for this IKE_SA + * and remove the cache entry */ + add_usage(&entry->usage, sa->usage); + array_remove_at(entry->cached, enumerator); + free(sa); + } + } + enumerator->destroy(enumerator); + enumerator = array_create_enumerator(entry->migrated); + while (enumerator->enumerate(enumerator, &sa)) + { + if (array_bsearch(sas, sa, sa_find, &found) == -1) + { + /* SA is gone, subtract stats from the total for this IKE_SA */ + sub_usage(&entry->usage, sa->usage); + array_remove_at(entry->migrated, enumerator); + free(sa); + } + } + enumerator->destroy(enumerator); + array_destroy_function(sas, (void*)free, NULL); +} + /** * Send a RADIUS message, wait for response */ @@ -273,17 +463,15 @@ static void add_ike_sa_parameters(private_eap_radius_accounting_t *this, * Get an existing or create a new entry from the locked session table */ static entry_t* get_or_create_entry(private_eap_radius_accounting_t *this, - ike_sa_t *ike_sa) + ike_sa_id_t *id, u_int32_t unique) { - ike_sa_id_t *id; entry_t *entry; time_t now; - entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa)); + entry = this->sessions->get(this->sessions, id); if (!entry) { now = time_monotonic(NULL); - id = ike_sa->get_id(ike_sa); INIT(entry, .id = id->clone(id), @@ -294,8 +482,7 @@ static entry_t* get_or_create_entry(private_eap_radius_accounting_t *this, /* default terminate cause, if none other catched */ .cause = ACCT_CAUSE_USER_REQUEST, ); - snprintf(entry->sid, sizeof(entry->sid), "%u-%u", - this->prefix, ike_sa->get_unique_id(ike_sa)); + snprintf(entry->sid, sizeof(entry->sid), "%u-%u", this->prefix, unique); this->sessions->put(this->sessions, entry->id, entry); } return entry; @@ -330,31 +517,21 @@ void destroy_interim_data(interim_data_t *this) static job_requeue_t send_interim(interim_data_t *data) { private_eap_radius_accounting_t *this = data->this; - u_int64_t bytes_in = 0, bytes_out = 0, packets_in = 0, packets_out = 0; - u_int64_t bytes, packets; + usage_t usage; radius_message_t *message = NULL; enumerator_t *enumerator; - child_sa_t *child_sa; ike_sa_t *ike_sa; entry_t *entry; u_int32_t value; + array_t *stats; + sa_entry_t *sa, *found; ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, data->id); if (!ike_sa) { return JOB_REQUEUE_NONE; } - enumerator = ike_sa->create_child_sa_enumerator(ike_sa); - while (enumerator->enumerate(enumerator, &child_sa)) - { - child_sa->get_usestats(child_sa, FALSE, NULL, &bytes, &packets); - bytes_out += bytes; - packets_out += packets; - child_sa->get_usestats(child_sa, TRUE, NULL, &bytes, &packets); - bytes_in += bytes; - packets_in += packets; - } - enumerator->destroy(enumerator); + stats = collect_stats(ike_sa, &usage); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); /* avoid any races by returning IKE_SA before acquiring lock */ @@ -365,10 +542,45 @@ static job_requeue_t send_interim(interim_data_t *data) { entry->interim.last = time_monotonic(NULL); - bytes_in += entry->bytes.received; - bytes_out += entry->bytes.sent; - packets_in += entry->packets.received; - packets_out += entry->packets.sent; + enumerator = array_create_enumerator(entry->cached); + while (enumerator->enumerate(enumerator, &sa)) + { + if (array_bsearch(stats, sa, sa_find, &found) != -1) + { + /* SA is still around, update stats (e.g. for IKEv1 where + * SA might get used even after rekeying) */ + sa->usage = found->usage; + } + else + { + /* SA is gone, add its last stats to the total for this IKE_SA + * and remove the cache entry */ + add_usage(&entry->usage, sa->usage); + array_remove_at(entry->cached, enumerator); + free(sa); + } + } + enumerator->destroy(enumerator); + + enumerator = array_create_enumerator(entry->migrated); + while (enumerator->enumerate(enumerator, &sa)) + { + if (array_bsearch(stats, sa, sa_find, &found) != -1) + { + /* SA is still around, but we have to compensate */ + sub_usage(&usage, sa->usage); + } + else + { + /* SA is gone, subtract stats from the total for this IKE_SA */ + sub_usage(&entry->usage, sa->usage); + array_remove_at(entry->migrated, enumerator); + free(sa); + } + } + enumerator->destroy(enumerator); + + add_usage(&usage, entry->usage); message = radius_message_create(RMC_ACCOUNTING_REQUEST); value = htonl(ACCT_STATUS_INTERIM_UPDATE); @@ -377,26 +589,26 @@ static job_requeue_t send_interim(interim_data_t *data) chunk_create(entry->sid, strlen(entry->sid))); add_ike_sa_parameters(this, message, ike_sa); - value = htonl(bytes_out); + value = htonl(usage.bytes.sent); message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value)); - value = htonl(bytes_out >> 32); + value = htonl(usage.bytes.sent >> 32); if (value) { message->add(message, RAT_ACCT_OUTPUT_GIGAWORDS, chunk_from_thing(value)); } - value = htonl(packets_out); + value = htonl(usage.packets.sent); message->add(message, RAT_ACCT_OUTPUT_PACKETS, chunk_from_thing(value)); - value = htonl(bytes_in); + value = htonl(usage.bytes.received); message->add(message, RAT_ACCT_INPUT_OCTETS, chunk_from_thing(value)); - value = htonl(bytes_in >> 32); + value = htonl(usage.bytes.received >> 32); if (value) { message->add(message, RAT_ACCT_INPUT_GIGAWORDS, chunk_from_thing(value)); } - value = htonl(packets_in); + value = htonl(usage.packets.received); message->add(message, RAT_ACCT_INPUT_PACKETS, chunk_from_thing(value)); value = htonl(entry->interim.last - entry->created); @@ -405,6 +617,7 @@ static job_requeue_t send_interim(interim_data_t *data) schedule_interim(this, entry); } this->mutex->unlock(this->mutex); + array_destroy_function(stats, (void*)free, NULL); if (message) { @@ -479,7 +692,8 @@ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) this->mutex->lock(this->mutex); - entry = get_or_create_entry(this, ike_sa); + entry = get_or_create_entry(this, ike_sa->get_id(ike_sa), + ike_sa->get_unique_id(ike_sa)); entry->start_sent = TRUE; message = radius_message_create(RMC_ACCOUNTING_REQUEST); @@ -515,7 +729,9 @@ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) { radius_message_t *message; + enumerator_t *enumerator; entry_t *entry; + sa_entry_t *sa; u_int32_t value; this->mutex->lock(this->mutex); @@ -528,6 +744,20 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) destroy_entry(entry); return; } + enumerator = array_create_enumerator(entry->cached); + while (enumerator->enumerate(enumerator, &sa)) + { + add_usage(&entry->usage, sa->usage); + } + enumerator->destroy(enumerator); + + enumerator = array_create_enumerator(entry->migrated); + while (enumerator->enumerate(enumerator, &sa)) + { + sub_usage(&entry->usage, sa->usage); + } + enumerator->destroy(enumerator); + message = radius_message_create(RMC_ACCOUNTING_REQUEST); value = htonl(ACCT_STATUS_STOP); message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); @@ -535,26 +765,26 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) chunk_create(entry->sid, strlen(entry->sid))); add_ike_sa_parameters(this, message, ike_sa); - value = htonl(entry->bytes.sent); + value = htonl(entry->usage.bytes.sent); message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value)); - value = htonl(entry->bytes.sent >> 32); + value = htonl(entry->usage.bytes.sent >> 32); if (value) { message->add(message, RAT_ACCT_OUTPUT_GIGAWORDS, chunk_from_thing(value)); } - value = htonl(entry->packets.sent); + value = htonl(entry->usage.packets.sent); message->add(message, RAT_ACCT_OUTPUT_PACKETS, chunk_from_thing(value)); - value = htonl(entry->bytes.received); + value = htonl(entry->usage.bytes.received); message->add(message, RAT_ACCT_INPUT_OCTETS, chunk_from_thing(value)); - value = htonl(entry->bytes.received >> 32); + value = htonl(entry->usage.bytes.received >> 32); if (value) { message->add(message, RAT_ACCT_INPUT_GIGAWORDS, chunk_from_thing(value)); } - value = htonl(entry->packets.received); + value = htonl(entry->usage.packets.received); message->add(message, RAT_ACCT_INPUT_PACKETS, chunk_from_thing(value)); value = htonl(time_monotonic(NULL) - entry->created); @@ -660,6 +890,8 @@ METHOD(listener_t, ike_rekey, bool, /* fire new interim update job, old gets invalid */ schedule_interim(this, entry); + cleanup_sas(this, new, entry); + entry = this->sessions->put(this->sessions, entry->id, entry); if (entry) { @@ -675,8 +907,64 @@ METHOD(listener_t, child_rekey, bool, private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, child_sa_t *old, child_sa_t *new) { + entry_t *entry; + update_usage(this, ike_sa, old); + this->mutex->lock(this->mutex); + entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa)); + if (entry) + { + cleanup_sas(this, ike_sa, entry); + } + this->mutex->unlock(this->mutex); + return TRUE; +} + +METHOD(listener_t, children_migrate, bool, + private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, ike_sa_id_t *new, + u_int32_t unique) +{ + enumerator_t *enumerator; + sa_entry_t *sa, *sa_new, *cached; + entry_t *entry_old, *entry_new; + array_t *stats; + if (!new) + { + return TRUE; + } + stats = collect_stats(ike_sa, NULL); + this->mutex->lock(this->mutex); + entry_old = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa)); + if (entry_old) + { + entry_new = get_or_create_entry(this, new, unique); + enumerator = array_create_enumerator(stats); + while (enumerator->enumerate(enumerator, &sa)) + { + /* if the SA was already rekeyed/cached we cache it too on the new + * SA to track it properly until it's finally gone */ + if (array_bsearch(entry_old->cached, sa, sa_find, &cached) != -1) + { + sa_new = clone_sa(sa); + array_insert_create(&entry_new->cached, ARRAY_TAIL, sa_new); + array_sort(entry_new->cached, sa_sort, NULL); + } + /* if the SA was used, we store it to compensate on the new SA */ + if (sa->usage.bytes.sent || sa->usage.bytes.received || + sa->usage.packets.sent || sa->usage.packets.received) + { + sa_new = clone_sa(sa); + array_insert_create(&entry_new->migrated, ARRAY_TAIL, sa_new); + array_sort(entry_new->migrated, sa_sort, NULL); + /* store/update latest stats on old SA to report in Stop */ + update_sa(entry_old, sa->id, sa->usage); + } + } + enumerator->destroy(enumerator); + } + this->mutex->unlock(this->mutex); + array_destroy_function(stats, (void*)free, NULL); return TRUE; } @@ -717,6 +1005,7 @@ eap_radius_accounting_t *eap_radius_accounting_create() .message = _message_hook, .child_updown = _child_updown, .child_rekey = _child_rekey, + .children_migrate = _children_migrate, }, .destroy = _destroy, }, @@ -759,7 +1048,8 @@ void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, u_int32_t interval) DBG1(DBG_CFG, "scheduling RADIUS Interim-Updates every %us", interval); singleton->mutex->lock(singleton->mutex); - entry = get_or_create_entry(singleton, ike_sa); + entry = get_or_create_entry(singleton, ike_sa->get_id(ike_sa), + ike_sa->get_unique_id(ike_sa)); entry->interim.interval = interval; singleton->mutex->unlock(singleton->mutex); } diff --git a/src/libcharon/plugins/eap_sim/eap_sim_peer.c b/src/libcharon/plugins/eap_sim/eap_sim_peer.c index ff96e9279..2637b4314 100644 --- a/src/libcharon/plugins/eap_sim/eap_sim_peer.c +++ b/src/libcharon/plugins/eap_sim/eap_sim_peer.c @@ -310,7 +310,7 @@ static status_t process_challenge(private_eap_sim_peer_t *this, /* excepting two or three RAND, each 16 bytes. We require two valid * and different RANDs */ if ((rands.len != 2 * SIM_RAND_LEN && rands.len != 3 * SIM_RAND_LEN) || - memeq(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN)) + memeq_const(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN)) { DBG1(DBG_IKE, "no valid AT_RAND received"); if (!create_client_error(this, SIM_INSUFFICIENT_CHALLENGES, out)) @@ -734,4 +734,3 @@ eap_sim_peer_t *eap_sim_peer_create(identification_t *server, return &this->public; } - diff --git a/src/libcharon/plugins/eap_sim/eap_sim_server.c b/src/libcharon/plugins/eap_sim/eap_sim_server.c index f22266bda..5aa54db3e 100644 --- a/src/libcharon/plugins/eap_sim/eap_sim_server.c +++ b/src/libcharon/plugins/eap_sim/eap_sim_server.c @@ -262,7 +262,7 @@ static status_t process_reauthentication(private_eap_sim_server_t *this, this->crypto->clear_keys(this->crypto); return initiate(this, out); } - if (!chunk_equals(counter, this->counter)) + if (!chunk_equals_const(counter, this->counter)) { DBG1(DBG_IKE, "received counter does not match"); return FAILED; @@ -644,4 +644,3 @@ eap_sim_server_t *eap_sim_server_create(identification_t *server, return &this->public; } - diff --git a/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c b/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c index bd47e5085..0a6aec083 100644 --- a/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c +++ b/src/libcharon/plugins/eap_sim_file/eap_sim_file_card.c @@ -52,7 +52,7 @@ METHOD(simaka_card_t, get_triplet, bool, c_rand, SIM_RAND_LEN, c_sres, SIM_SRES_LEN, c_kc, SIM_KC_LEN); if (id->matches(id, cand)) { - if (memeq(c_rand, rand, SIM_RAND_LEN)) + if (memeq_const(c_rand, rand, SIM_RAND_LEN)) { DBG2(DBG_CFG, " => triplet matches"); memcpy(sres, c_sres, SIM_SRES_LEN); @@ -105,4 +105,3 @@ eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets) return &this->public; } - diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c index 6c1b3471d..0650f7fd9 100644 --- a/src/libcharon/plugins/ha/ha_cache.c +++ b/src/libcharon/plugins/ha/ha_cache.c @@ -42,6 +42,11 @@ struct private_ha_cache_t { */ ha_socket_t *socket; + /** + * Tunnel securing sync messages + */ + ha_tunnel_t *tunnel; + /** * Total number of segments */ @@ -259,6 +264,10 @@ static void rekey_segment(private_ha_cache_t *this, u_int segment) charon->ike_sa_manager, TRUE); while (enumerator->enumerate(enumerator, &ike_sa)) { + if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa)) + { + continue; + } if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && this->kernel->get_segment(this->kernel, ike_sa->get_other_host(ike_sa)) == segment) @@ -365,7 +374,7 @@ METHOD(ha_cache_t, destroy, void, * See header */ ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket, - bool sync, u_int count) + ha_tunnel_t *tunnel, bool sync, u_int count) { private_ha_cache_t *this; @@ -379,6 +388,7 @@ ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket, .count = count, .kernel = kernel, .socket = socket, + .tunnel = tunnel, .cache = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 8), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), ); diff --git a/src/libcharon/plugins/ha/ha_cache.h b/src/libcharon/plugins/ha/ha_cache.h index 5e3936a20..8cfcbb24c 100644 --- a/src/libcharon/plugins/ha/ha_cache.h +++ b/src/libcharon/plugins/ha/ha_cache.h @@ -69,10 +69,11 @@ struct ha_cache_t { * * @param kernel kernel helper * @param socket socket to send resync messages + * @param tunnel HA tunnel * @param resync request a resync during startup? * @param count total number of segments */ ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket, - bool resync, u_int count); + ha_tunnel_t *tunnel, bool resync, u_int count); #endif /** HA_CACHE_H_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c index a58377bab..037b69bac 100644 --- a/src/libcharon/plugins/ha/ha_plugin.c +++ b/src/libcharon/plugins/ha/ha_plugin.c @@ -97,13 +97,73 @@ METHOD(plugin_t, get_name, char*, } /** - * Register listener + * Initialize plugin + */ +static bool initialize_plugin(private_ha_plugin_t *this) +{ + char *local, *remote, *secret; + u_int count; + bool fifo, monitor, resync; + + local = lib->settings->get_str(lib->settings, + "%s.plugins.ha.local", NULL, lib->ns); + remote = lib->settings->get_str(lib->settings, + "%s.plugins.ha.remote", NULL, lib->ns); + secret = lib->settings->get_str(lib->settings, + "%s.plugins.ha.secret", NULL, lib->ns); + fifo = lib->settings->get_bool(lib->settings, + "%s.plugins.ha.fifo_interface", TRUE, lib->ns); + monitor = lib->settings->get_bool(lib->settings, + "%s.plugins.ha.monitor", TRUE, lib->ns); + resync = lib->settings->get_bool(lib->settings, + "%s.plugins.ha.resync", TRUE, lib->ns); + count = min(SEGMENTS_MAX, lib->settings->get_int(lib->settings, + "%s.plugins.ha.segment_count", 1, lib->ns)); + if (!local || !remote) + { + DBG1(DBG_CFG, "HA config misses local/remote address"); + return FALSE; + } + + if (secret) + { + this->tunnel = ha_tunnel_create(local, remote, secret); + } + this->socket = ha_socket_create(local, remote); + if (!this->socket) + { + return FALSE; + } + this->kernel = ha_kernel_create(count); + this->segments = ha_segments_create(this->socket, this->kernel, this->tunnel, + count, strcmp(local, remote) > 0, monitor); + this->cache = ha_cache_create(this->kernel, this->socket, this->tunnel, + resync, count); + if (fifo) + { + this->ctl = ha_ctl_create(this->segments, this->cache); + } + this->attr = ha_attribute_create(this->kernel, this->segments); + this->dispatcher = ha_dispatcher_create(this->socket, this->segments, + this->cache, this->kernel, this->attr); + this->ike = ha_ike_create(this->socket, this->tunnel, this->cache); + this->child = ha_child_create(this->socket, this->tunnel, this->segments, + this->kernel); + return TRUE; +} + +/** + * Initialize plugin and register listener */ static bool plugin_cb(private_ha_plugin_t *this, plugin_feature_t *feature, bool reg, void *cb_data) { if (reg) { + if (!initialize_plugin(this)) + { + return FALSE; + } charon->bus->add_listener(charon->bus, &this->segments->listener); charon->bus->add_listener(charon->bus, &this->ike->listener); charon->bus->add_listener(charon->bus, &this->child->listener); @@ -127,6 +187,7 @@ METHOD(plugin_t, get_features, int, static plugin_feature_t f[] = { PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL), PLUGIN_PROVIDE(CUSTOM, "ha"), + PLUGIN_SDEPEND(CUSTOM, "kernel-ipsec"), }; *features = f; return countof(f); @@ -136,14 +197,14 @@ METHOD(plugin_t, destroy, void, private_ha_plugin_t *this) { DESTROY_IF(this->ctl); - this->ike->destroy(this->ike); - this->child->destroy(this->child); - this->dispatcher->destroy(this->dispatcher); - this->attr->destroy(this->attr); - this->cache->destroy(this->cache); - this->segments->destroy(this->segments); - this->kernel->destroy(this->kernel); - this->socket->destroy(this->socket); + DESTROY_IF(this->ike); + DESTROY_IF(this->child); + DESTROY_IF(this->dispatcher); + DESTROY_IF(this->attr); + DESTROY_IF(this->cache); + DESTROY_IF(this->segments); + DESTROY_IF(this->kernel); + DESTROY_IF(this->socket); DESTROY_IF(this->tunnel); free(this); } @@ -154,29 +215,6 @@ METHOD(plugin_t, destroy, void, plugin_t *ha_plugin_create() { private_ha_plugin_t *this; - char *local, *remote, *secret; - u_int count; - bool fifo, monitor, resync; - - local = lib->settings->get_str(lib->settings, - "%s.plugins.ha.local", NULL, lib->ns); - remote = lib->settings->get_str(lib->settings, - "%s.plugins.ha.remote", NULL, lib->ns); - secret = lib->settings->get_str(lib->settings, - "%s.plugins.ha.secret", NULL, lib->ns); - fifo = lib->settings->get_bool(lib->settings, - "%s.plugins.ha.fifo_interface", TRUE, lib->ns); - monitor = lib->settings->get_bool(lib->settings, - "%s.plugins.ha.monitor", TRUE, lib->ns); - resync = lib->settings->get_bool(lib->settings, - "%s.plugins.ha.resync", TRUE, lib->ns); - count = min(SEGMENTS_MAX, lib->settings->get_int(lib->settings, - "%s.plugins.ha.segment_count", 1, lib->ns)); - if (!local || !remote) - { - DBG1(DBG_CFG, "HA config misses local/remote address"); - return NULL; - } if (!lib->caps->keep(lib->caps, CAP_CHOWN)) { /* required to chown(2) control socket, ha_kernel also needs it at @@ -195,31 +233,5 @@ plugin_t *ha_plugin_create() }, ); - if (secret) - { - this->tunnel = ha_tunnel_create(local, remote, secret); - } - this->socket = ha_socket_create(local, remote); - if (!this->socket) - { - DESTROY_IF(this->tunnel); - free(this); - return NULL; - } - this->kernel = ha_kernel_create(count); - this->segments = ha_segments_create(this->socket, this->kernel, this->tunnel, - count, strcmp(local, remote) > 0, monitor); - this->cache = ha_cache_create(this->kernel, this->socket, resync, count); - if (fifo) - { - this->ctl = ha_ctl_create(this->segments, this->cache); - } - this->attr = ha_attribute_create(this->kernel, this->segments); - this->dispatcher = ha_dispatcher_create(this->socket, this->segments, - this->cache, this->kernel, this->attr); - this->ike = ha_ike_create(this->socket, this->tunnel, this->cache); - this->child = ha_child_create(this->socket, this->tunnel, this->segments, - this->kernel); - return &this->public.plugin; } diff --git a/src/libcharon/plugins/vici/libvici.h b/src/libcharon/plugins/vici/libvici.h index 641370efd..3ca9de424 100644 --- a/src/libcharon/plugins/vici/libvici.h +++ b/src/libcharon/plugins/vici/libvici.h @@ -2,15 +2,26 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. + * libvici.h is MIT-licensed to simplify reuse, but please note that libvici.c + * is not, as it depends on the GPLv2 licensed libstrongswan. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. */ /** diff --git a/src/libcharon/plugins/vici/python/Makefile.am b/src/libcharon/plugins/vici/python/Makefile.am index f51737870..5936f2a5e 100644 --- a/src/libcharon/plugins/vici/python/Makefile.am +++ b/src/libcharon/plugins/vici/python/Makefile.am @@ -8,25 +8,27 @@ EXTRA_DIST = LICENSE MANIFEST.in \ vici/protocol.py \ vici/session.py -setup.py: $(srcdir)/setup.py.in +$(srcdir)/setup.py: $(srcdir)/setup.py.in $(AM_V_GEN) sed \ -e "s:@EGG_VERSION@:$(PACKAGE_VERSION):" \ $(srcdir)/setup.py.in > $@ all-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg -dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) setup.py +dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) $(srcdir)/setup.py (cd $(srcdir); $(PYTHON) setup.py bdist_egg \ -b $(shell readlink -f $(builddir))/build \ -d $(shell readlink -f $(builddir))/dist) -clean-local: setup.py - $(PYTHON) setup.py clean -a - rm -rf vici.egg-info dist setup.py +clean-local: + (cd $(srcdir); [ ! -f setup.py ] || $(PYTHON) setup.py clean -a) + rm -rf $(srcdir)/setup.py $(srcdir)/vici.egg-info $(builddir)/dist +if PYTHON_EGGS_INSTALL install-exec-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg $(EASY_INSTALL) $(PYTHONEGGINSTALLDIR) \ dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg +endif if USE_PY_TEST TESTS = $(PY_TEST) diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in index 3a5e5ea72..eb4bab6ca 100644 --- a/src/libcharon/plugins/vici/python/Makefile.in +++ b/src/libcharon/plugins/vici/python/Makefile.in @@ -579,6 +579,7 @@ distclean-generic: maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." +@PYTHON_EGGS_INSTALL_FALSE@install-exec-local: clean: clean-am clean-am: clean-generic clean-libtool clean-local mostlyclean-am @@ -661,25 +662,25 @@ uninstall-am: tags-am uninstall uninstall-am -setup.py: $(srcdir)/setup.py.in +$(srcdir)/setup.py: $(srcdir)/setup.py.in $(AM_V_GEN) sed \ -e "s:@EGG_VERSION@:$(PACKAGE_VERSION):" \ $(srcdir)/setup.py.in > $@ all-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg -dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) setup.py +dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) $(srcdir)/setup.py (cd $(srcdir); $(PYTHON) setup.py bdist_egg \ -b $(shell readlink -f $(builddir))/build \ -d $(shell readlink -f $(builddir))/dist) -clean-local: setup.py - $(PYTHON) setup.py clean -a - rm -rf vici.egg-info dist setup.py +clean-local: + (cd $(srcdir); [ ! -f setup.py ] || $(PYTHON) setup.py clean -a) + rm -rf $(srcdir)/setup.py $(srcdir)/vici.egg-info $(builddir)/dist -install-exec-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg - $(EASY_INSTALL) $(PYTHONEGGINSTALLDIR) \ - dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg +@PYTHON_EGGS_INSTALL_TRUE@install-exec-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg +@PYTHON_EGGS_INSTALL_TRUE@ $(EASY_INSTALL) $(PYTHONEGGINSTALLDIR) \ +@PYTHON_EGGS_INSTALL_TRUE@ dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/vici/ruby/Makefile.am b/src/libcharon/plugins/vici/ruby/Makefile.am index 3e12f86cc..e2d340431 100644 --- a/src/libcharon/plugins/vici/ruby/Makefile.am +++ b/src/libcharon/plugins/vici/ruby/Makefile.am @@ -15,10 +15,12 @@ all-local: vici-$(PACKAGE_VERSION).gem clean-local: rm -f vici.gemspec vici-$(PACKAGE_VERSION).gem +if RUBY_GEMS_INSTALL install-data-local: vici-$(PACKAGE_VERSION).gem - $(GEM) install --install-dir $(DESTDIR)$(RUBYGEMDIR) \ + $(GEM) install --no-user-install --install-dir $(DESTDIR)$(RUBYGEMDIR) \ vici-$(PACKAGE_VERSION).gem uninstall-local: $(GEM) uninstall --install-dir $(DESTDIR)$(RUBYGEMDIR) \ --version $(PACKAGE_VERSION) vici +endif diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in index f37c09ea2..bf81e5395 100644 --- a/src/libcharon/plugins/vici/ruby/Makefile.in +++ b/src/libcharon/plugins/vici/ruby/Makefile.in @@ -453,6 +453,8 @@ distclean-generic: maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." +@RUBY_GEMS_INSTALL_FALSE@uninstall-local: +@RUBY_GEMS_INSTALL_FALSE@install-data-local: clean: clean-am clean-am: clean-generic clean-libtool clean-local mostlyclean-am @@ -550,13 +552,13 @@ all-local: vici-$(PACKAGE_VERSION).gem clean-local: rm -f vici.gemspec vici-$(PACKAGE_VERSION).gem -install-data-local: vici-$(PACKAGE_VERSION).gem - $(GEM) install --install-dir $(DESTDIR)$(RUBYGEMDIR) \ - vici-$(PACKAGE_VERSION).gem +@RUBY_GEMS_INSTALL_TRUE@install-data-local: vici-$(PACKAGE_VERSION).gem +@RUBY_GEMS_INSTALL_TRUE@ $(GEM) install --no-user-install --install-dir $(DESTDIR)$(RUBYGEMDIR) \ +@RUBY_GEMS_INSTALL_TRUE@ vici-$(PACKAGE_VERSION).gem -uninstall-local: - $(GEM) uninstall --install-dir $(DESTDIR)$(RUBYGEMDIR) \ - --version $(PACKAGE_VERSION) vici +@RUBY_GEMS_INSTALL_TRUE@uninstall-local: +@RUBY_GEMS_INSTALL_TRUE@ $(GEM) uninstall --install-dir $(DESTDIR)$(RUBYGEMDIR) \ +@RUBY_GEMS_INSTALL_TRUE@ --version $(PACKAGE_VERSION) vici # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 649161020..d23259912 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -13,6 +13,28 @@ * for more details. */ +/* + * Copyright (C) 2014 Timo Teräs + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + #define _GNU_SOURCE #include "vici_config.h" @@ -1460,6 +1482,21 @@ CALLBACK(peer_sn, bool, return FALSE; } + if (!auth.cfg->get(auth.cfg, AUTH_RULE_IDENTITY)) + { + identification_t *id; + certificate_t *cert; + + cert = auth.cfg->get(auth.cfg, AUTH_RULE_SUBJECT_CERT); + if (cert) + { + id = cert->get_subject(cert); + DBG1(DBG_CFG, " id not specified, defaulting to cert id '%Y'", + id); + auth.cfg->add(auth.cfg, AUTH_RULE_IDENTITY, id->clone(id)); + } + } + if (strcasepfx(name, "local")) { peer->local->insert_last(peer->local, auth.cfg); diff --git a/src/libcharon/plugins/vici/vici_dispatcher.c b/src/libcharon/plugins/vici/vici_dispatcher.c index 6db36fbe0..31292d6b3 100644 --- a/src/libcharon/plugins/vici/vici_dispatcher.c +++ b/src/libcharon/plugins/vici/vici_dispatcher.c @@ -13,6 +13,28 @@ * for more details. */ +/* + * Copyright (C) 2014 Timo Teräs + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + #include "vici_dispatcher.h" #include "vici_socket.h" @@ -446,6 +468,24 @@ METHOD(vici_dispatcher_t, manage_event, void, this->mutex->unlock(this->mutex); } +METHOD(vici_dispatcher_t, has_event_listeners, bool, + private_vici_dispatcher_t *this, char *name) +{ + bool retval = FALSE; + + this->mutex->lock(this->mutex); + if (this->events->get(this->events, name)) + { + /* the entry might be getting destroyed, but returning + * false positive is not a problem as a later raise_event + * will check things again. */ + retval = TRUE; + } + this->mutex->unlock(this->mutex); + + return retval; +} + METHOD(vici_dispatcher_t, raise_event, void, private_vici_dispatcher_t *this, char *name, u_int id, vici_message_t *message) @@ -504,6 +544,7 @@ vici_dispatcher_t *vici_dispatcher_create(char *uri) .public = { .manage_command = _manage_command, .manage_event = _manage_event, + .has_event_listeners = _has_event_listeners, .raise_event = _raise_event, .destroy = _destroy, }, diff --git a/src/libcharon/plugins/vici/vici_dispatcher.h b/src/libcharon/plugins/vici/vici_dispatcher.h index 2297a80bd..e48cf3bd1 100644 --- a/src/libcharon/plugins/vici/vici_dispatcher.h +++ b/src/libcharon/plugins/vici/vici_dispatcher.h @@ -13,6 +13,28 @@ * for more details. */ +/* + * Copyright (C) 2014 Timo Teräs + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + /** * @defgroup vici_dispatcher vici_dispatcher * @{ @ingroup vici @@ -95,6 +117,17 @@ struct vici_dispatcher_t { */ void (*manage_event)(vici_dispatcher_t *this, char *name, bool reg); + /** + * Check if an event has listeners. + * + * This can be used to check if a vici message needs to be generated or not, + * as in some cases the generation can be a heavy operation. + * + * @param name event name to check + * @return TRUE if event has listeners + */ + bool (*has_event_listeners)(vici_dispatcher_t *this, char *name); + /** * Raise an event to a specific or all clients registered to that event. * diff --git a/src/libcharon/plugins/vici/vici_plugin.c b/src/libcharon/plugins/vici/vici_plugin.c index af8bd283b..7ae58a317 100644 --- a/src/libcharon/plugins/vici/vici_plugin.c +++ b/src/libcharon/plugins/vici/vici_plugin.c @@ -13,6 +13,28 @@ * for more details. */ +/* + * Copyright (C) 2014 Timo Teräs + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + #include "vici_plugin.h" #include "vici_dispatcher.h" #include "vici_query.h" @@ -106,12 +128,14 @@ static bool register_vici(private_vici_plugin_t *this, charon->attributes->add_provider(charon->attributes, &this->attrs->provider); charon->bus->add_logger(charon->bus, &this->logger->logger); + charon->bus->add_listener(charon->bus, &this->query->listener); return TRUE; } return FALSE; } else { + charon->bus->remove_listener(charon->bus, &this->query->listener); charon->bus->remove_logger(charon->bus, &this->logger->logger); charon->attributes->remove_provider(charon->attributes, &this->attrs->provider); diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index 3e0d73cdf..d94d760b9 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -13,6 +13,28 @@ * for more details. */ +/* + * Copyright (C) 2014 Timo Teräs + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + #include "vici_query.h" #include "vici_builder.h" @@ -1008,6 +1030,8 @@ static void manage_commands(private_vici_query_t *this, bool reg) this->dispatcher->manage_event(this->dispatcher, "list-policy", reg); this->dispatcher->manage_event(this->dispatcher, "list-conn", reg); this->dispatcher->manage_event(this->dispatcher, "list-cert", reg); + this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg); + this->dispatcher->manage_event(this->dispatcher, "child-updown", reg); manage_command(this, "list-sas", list_sas, reg); manage_command(this, "list-policies", list_policies, reg); manage_command(this, "list-conns", list_conns, reg); @@ -1016,6 +1040,63 @@ static void manage_commands(private_vici_query_t *this, bool reg) manage_command(this, "stats", stats, reg); } +METHOD(listener_t, ike_updown, bool, + private_vici_query_t *this, ike_sa_t *ike_sa, bool up) +{ + vici_builder_t *b; + time_t now; + + if (!this->dispatcher->has_event_listeners(this->dispatcher, "ike-updown")) + { + return TRUE; + } + + now = time_monotonic(NULL); + + b = vici_builder_create(); + b->begin_section(b, ike_sa->get_name(ike_sa)); + list_ike(this, b, ike_sa, now); + b->begin_section(b, "child-sas"); + b->end_section(b); + b->end_section(b); + + this->dispatcher->raise_event(this->dispatcher, + "ike-updown", 0, b->finalize(b)); + + return TRUE; +} + +METHOD(listener_t, child_updown, bool, + private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up) +{ + vici_builder_t *b; + time_t now; + + if (!this->dispatcher->has_event_listeners(this->dispatcher, "child-updown")) + { + return TRUE; + } + + now = time_monotonic(NULL); + b = vici_builder_create(); + + b->begin_section(b, ike_sa->get_name(ike_sa)); + list_ike(this, b, ike_sa, now); + b->begin_section(b, "child-sas"); + + b->begin_section(b, child_sa->get_name(child_sa)); + list_child(this, b, child_sa, now); + b->end_section(b); + + b->end_section(b); + b->end_section(b); + + this->dispatcher->raise_event(this->dispatcher, + "child-updown", 0, b->finalize(b)); + + return TRUE; +} + METHOD(vici_query_t, destroy, void, private_vici_query_t *this) { @@ -1032,6 +1113,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher) INIT(this, .public = { + .listener = { + .ike_updown = _ike_updown, + .child_updown = _child_updown, + }, .destroy = _destroy, }, .dispatcher = dispatcher, diff --git a/src/libcharon/plugins/vici/vici_query.h b/src/libcharon/plugins/vici/vici_query.h index da72b1411..0149e8d4f 100644 --- a/src/libcharon/plugins/vici/vici_query.h +++ b/src/libcharon/plugins/vici/vici_query.h @@ -13,11 +13,34 @@ * for more details. */ +/* + * Copyright (C) 2014 Timo Teräs + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + /** * @defgroup vici_query vici_query * @{ @ingroup vici */ +#include #include "vici_dispatcher.h" #ifndef VICI_QUERY_H_ @@ -30,6 +53,11 @@ typedef struct vici_query_t vici_query_t; */ struct vici_query_t { + /** + * Implements listener_t. + */ + listener_t listener; + /** * Destroy a vici_query_t. */ diff --git a/src/libcharon/plugins/vici/vici_socket.c b/src/libcharon/plugins/vici/vici_socket.c index 916772871..67fd7e8e3 100644 --- a/src/libcharon/plugins/vici/vici_socket.c +++ b/src/libcharon/plugins/vici/vici_socket.c @@ -118,6 +118,8 @@ typedef struct { array_t *queue; /** do we have job processing input queue? */ bool has_processor; + /** is this client disconnecting */ + bool disconnecting; /** client connection identifier */ u_int id; /** any users reading over this connection? */ @@ -187,6 +189,10 @@ static entry_t* find_entry(private_vici_socket_t *this, stream_t *stream, continue; } } + if (entry->disconnecting) + { + continue; + } candidate = TRUE; if ((reader && entry->readers) || @@ -304,7 +310,7 @@ static void disconnect(private_vici_socket_t *this, u_int id) * Write queued output data */ static bool do_write(private_vici_socket_t *this, entry_t *entry, - stream_t *stream) + stream_t *stream, char *errmsg, size_t errlen) { msg_buf_t *out; ssize_t len; @@ -326,7 +332,8 @@ static bool do_write(private_vici_socket_t *this, entry_t *entry, { return TRUE; } - DBG1(DBG_CFG, "vici header write error: %s", strerror(errno)); + snprintf(errmsg, errlen, "vici header write error: %s", + strerror(errno)); return FALSE; } out->hdrlen += len; @@ -339,7 +346,7 @@ static bool do_write(private_vici_socket_t *this, entry_t *entry, out->buf.len - out->done, FALSE); if (len == 0) { - DBG1(DBG_CFG, "premature vici disconnect"); + snprintf(errmsg, errlen, "premature vici disconnect"); return FALSE; } if (len < 0) @@ -348,7 +355,7 @@ static bool do_write(private_vici_socket_t *this, entry_t *entry, { return TRUE; } - DBG1(DBG_CFG, "vici write error: %s", strerror(errno)); + snprintf(errmsg, errlen, "vici write error: %s", strerror(errno)); return FALSE; } out->done += len; @@ -369,13 +376,14 @@ static bool do_write(private_vici_socket_t *this, entry_t *entry, CALLBACK(on_write, bool, private_vici_socket_t *this, stream_t *stream) { + char errmsg[256] = ""; entry_t *entry; bool ret = FALSE; entry = find_entry(this, stream, 0, FALSE, TRUE); if (entry) { - ret = do_write(this, entry, stream); + ret = do_write(this, entry, stream, errmsg, sizeof(errmsg)); if (ret) { /* unregister if we have no more messages to send */ @@ -383,9 +391,15 @@ CALLBACK(on_write, bool, } else { + entry->disconnecting = TRUE; disconnect(entry->this, entry->id); } put_entry(this, entry, FALSE, TRUE); + + if (!ret && errmsg[0]) + { + DBG1(DBG_CFG, errmsg); + } } return ret; @@ -395,7 +409,7 @@ CALLBACK(on_write, bool, * Read in available header with data, non-blocking cumulating to buffer */ static bool do_read(private_vici_socket_t *this, entry_t *entry, - stream_t *stream) + stream_t *stream, char *errmsg, size_t errlen) { u_int32_t msglen; ssize_t len; @@ -415,7 +429,8 @@ static bool do_read(private_vici_socket_t *this, entry_t *entry, { return TRUE; } - DBG1(DBG_CFG, "vici header read error: %s", strerror(errno)); + snprintf(errmsg, errlen, "vici header read error: %s", + strerror(errno)); return FALSE; } entry->in.hdrlen += len; @@ -424,8 +439,8 @@ static bool do_read(private_vici_socket_t *this, entry_t *entry, msglen = untoh32(entry->in.hdr); if (msglen > VICI_MESSAGE_SIZE_MAX) { - DBG1(DBG_CFG, "vici message length %u exceeds %u bytes limit, " - "ignored", msglen, VICI_MESSAGE_SIZE_MAX); + snprintf(errmsg, errlen, "vici message length %u exceeds %u " + "bytes limit, ignored", msglen, VICI_MESSAGE_SIZE_MAX); return FALSE; } /* header complete, continue with data */ @@ -440,7 +455,7 @@ static bool do_read(private_vici_socket_t *this, entry_t *entry, entry->in.buf.len - entry->in.done, FALSE); if (len == 0) { - DBG1(DBG_CFG, "premature vici disconnect"); + snprintf(errmsg, errlen, "premature vici disconnect"); return FALSE; } if (len < 0) @@ -449,7 +464,7 @@ static bool do_read(private_vici_socket_t *this, entry_t *entry, { return TRUE; } - DBG1(DBG_CFG, "vici read error: %s", strerror(errno)); + snprintf(errmsg, errlen, "vici read error: %s", strerror(errno)); return FALSE; } entry->in.done += len; @@ -502,6 +517,7 @@ CALLBACK(process_queue, job_requeue_t, CALLBACK(on_read, bool, private_vici_socket_t *this, stream_t *stream) { + char errmsg[256] = ""; entry_selector_t *sel; entry_t *entry; bool ret = FALSE; @@ -509,9 +525,10 @@ CALLBACK(on_read, bool, entry = find_entry(this, stream, 0, TRUE, FALSE); if (entry) { - ret = do_read(this, entry, stream); + ret = do_read(this, entry, stream, errmsg, sizeof(errmsg)); if (!ret) { + entry->disconnecting = TRUE; disconnect(this, entry->id); } else if (entry->in.hdrlen == sizeof(entry->in.hdr) && @@ -534,6 +551,11 @@ CALLBACK(on_read, bool, } } put_entry(this, entry, TRUE, FALSE); + + if (!ret && errmsg[0]) + { + DBG1(DBG_CFG, errmsg); + } } return ret; diff --git a/src/libcharon/plugins/xauth_generic/xauth_generic.c b/src/libcharon/plugins/xauth_generic/xauth_generic.c index c37da0cb0..e65d1a1fe 100644 --- a/src/libcharon/plugins/xauth_generic/xauth_generic.c +++ b/src/libcharon/plugins/xauth_generic/xauth_generic.c @@ -180,7 +180,7 @@ METHOD(xauth_method_t, process_server, status_t, SHARED_EAP, this->server, this->peer); while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) { - if (chunk_equals(shared->get_key(shared), pass)) + if (chunk_equals_const(shared->get_key(shared), pass)) { status = SUCCESS; break; diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c index c8a9c17de..b4f135a57 100644 --- a/src/libcharon/processing/jobs/adopt_children_job.c +++ b/src/libcharon/processing/jobs/adopt_children_job.c @@ -21,6 +21,7 @@ #include #include #include +#include typedef struct private_adopt_children_job_t private_adopt_children_job_t; @@ -64,11 +65,13 @@ METHOD(job_t, execute, job_requeue_t, ike_sa_id_t *id; ike_sa_t *ike_sa; child_sa_t *child_sa; + u_int32_t unique; ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, this->id); if (ike_sa) { /* get what we need from new SA */ + unique = ike_sa->get_unique_id(ike_sa); me = ike_sa->get_my_host(ike_sa); me = me->clone(me); other = ike_sa->get_other_host(ike_sa); @@ -106,6 +109,7 @@ METHOD(job_t, execute, job_requeue_t, other_id->equals(other_id, ike_sa->get_other_id(ike_sa)) && cfg->equals(cfg, ike_sa->get_peer_cfg(ike_sa))) { + charon->bus->children_migrate(charon->bus, this->id, unique); subenum = ike_sa->create_child_sa_enumerator(ike_sa); while (subenum->enumerate(subenum, &child_sa)) { @@ -130,10 +134,19 @@ METHOD(job_t, execute, job_requeue_t, "adopting %d children and %d virtual IPs", children->get_count(children), vips->get_count(vips)); } - ike_sa->set_state(ike_sa, IKE_DELETING); - charon->bus->ike_updown(charon->bus, ike_sa, FALSE); - charon->ike_sa_manager->checkin_and_destroy( + if (ike_sa->get_state(ike_sa) == IKE_PASSIVE) + { + charon->ike_sa_manager->checkin_and_destroy( + charon->ike_sa_manager, ike_sa); + } + else + { + lib->scheduler->schedule_job(lib->scheduler, (job_t*) + delete_ike_sa_job_create(ike_sa->get_id(ike_sa), + TRUE), 10); + charon->ike_sa_manager->checkin( charon->ike_sa_manager, ike_sa); + } } else { @@ -176,6 +189,7 @@ METHOD(job_t, execute, job_requeue_t, } charon->bus->assign_vips(charon->bus, ike_sa, TRUE); } + charon->bus->children_migrate(charon->bus, NULL, 0); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } } diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index 13fc74ff7..938f7848f 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -1737,7 +1737,8 @@ static void adopt_children_and_vips(ike_sa_t *old, ike_sa_t *new) host_t *vip; int chcount = 0, vipcount = 0; - + charon->bus->children_migrate(charon->bus, new->get_id(new), + new->get_unique_id(new)); enumerator = old->create_child_sa_enumerator(old); while (enumerator->enumerate(enumerator, &child_sa)) { @@ -1760,6 +1761,7 @@ static void adopt_children_and_vips(ike_sa_t *old, ike_sa_t *new) /* ...trigger the analogous event on the new SA */ charon->bus->set_sa(charon->bus, new); charon->bus->assign_vips(charon->bus, new, TRUE); + charon->bus->children_migrate(charon->bus, NULL, 0); charon->bus->set_sa(charon->bus, old); if (chcount || vipcount) diff --git a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c index bb187f07c..5debeeb37 100644 --- a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c +++ b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c @@ -124,7 +124,7 @@ METHOD(authenticator_t, process, status_t, return FAILED; } free(dh.ptr); - if (chunk_equals(hash, hash_payload->get_hash(hash_payload))) + if (chunk_equals_const(hash, hash_payload->get_hash(hash_payload))) { free(hash.ptr); if (!this->hybrid) diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index cb22bf606..ed547c4c2 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -1475,6 +1475,8 @@ METHOD(task_manager_t, queue_ike_reauth, void, } enumerator->destroy(enumerator); + charon->bus->children_migrate(charon->bus, new->get_id(new), + new->get_unique_id(new)); enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa); while (enumerator->enumerate(enumerator, &child_sa)) { @@ -1482,6 +1484,9 @@ METHOD(task_manager_t, queue_ike_reauth, void, new->add_child_sa(new, child_sa); } enumerator->destroy(enumerator); + charon->bus->set_sa(charon->bus, new); + charon->bus->children_migrate(charon->bus, NULL, 0); + charon->bus->set_sa(charon->bus, this->ike_sa); if (!new->get_child_count(new)) { /* check if a Quick Mode task is queued (UNITY_LOAD_BALANCE case) */ diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c index ebef31930..f1442096c 100644 --- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c @@ -464,7 +464,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message, return FALSE; } recv_auth_data = auth_payload->get_data(auth_payload); - if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data)) + if (!auth_data.len || !chunk_equals_const(auth_data, recv_auth_data)) { DBG1(DBG_IKE, "verification of AUTH payload with%s EAP MSK failed", this->msk.ptr ? "" : "out"); diff --git a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c index c6a4b6ba4..535581068 100644 --- a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c @@ -123,7 +123,7 @@ METHOD(authenticator_t, process, status_t, { continue; } - if (auth_data.len && chunk_equals(auth_data, recv_auth_data)) + if (auth_data.len && chunk_equals_const(auth_data, recv_auth_data)) { DBG1(DBG_IKE, "authentication of '%Y' with %N successful", other_id, auth_method_names, AUTH_PSK); diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index f70f5cfed..6fedc8eb5 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c @@ -193,6 +193,7 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg, { crypter_t *crypter_i = NULL, *crypter_r = NULL; signer_t *signer_i, *signer_r; + iv_gen_t *ivg_i, *ivg_r; size_t key_size; chunk_t key = chunk_empty; @@ -264,15 +265,21 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg, goto failure; } + ivg_i = iv_gen_create_for_alg(enc_alg); + ivg_r = iv_gen_create_for_alg(enc_alg); + if (!ivg_i || !ivg_r) + { + goto failure; + } if (this->initiator) { - this->aead_in = aead_create(crypter_r, signer_r); - this->aead_out = aead_create(crypter_i, signer_i); + this->aead_in = aead_create(crypter_r, signer_r, ivg_r); + this->aead_out = aead_create(crypter_i, signer_i, ivg_i); } else { - this->aead_in = aead_create(crypter_i, signer_i); - this->aead_out = aead_create(crypter_r, signer_r); + this->aead_in = aead_create(crypter_i, signer_i, ivg_i); + this->aead_out = aead_create(crypter_r, signer_r, ivg_r); } signer_i = signer_r = NULL; crypter_i = crypter_r = NULL; diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index 298167703..4676867df 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -1184,15 +1184,17 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg) enumerator = msg->create_payload_enumerator(msg); while (enumerator->enumerate(enumerator, &payload)) { - unknown = (unknown_payload_t*)payload; - type = payload->get_type(payload); - if (!payload_is_known(type, msg->get_major_version(msg)) && - unknown->is_critical(unknown)) + if (payload->get_type(payload) == PL_UNKNOWN) { - DBG1(DBG_ENC, "payload type %N is not supported, " - "but its critical!", payload_type_names, type); - status = NOT_SUPPORTED; - break; + unknown = (unknown_payload_t*)payload; + if (unknown->is_critical(unknown)) + { + type = unknown->get_type(unknown); + DBG1(DBG_ENC, "payload type %N is not supported, " + "but its critical!", payload_type_names, type); + status = NOT_SUPPORTED; + break; + } } } enumerator->destroy(enumerator); diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index 6d9132a68..e0f930c3c 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -64,6 +64,11 @@ struct private_child_create_t { */ chunk_t other_nonce; + /** + * nonce generator + */ + nonce_gen_t *nonceg; + /** * config to create the CHILD_SA from */ @@ -214,25 +219,21 @@ static status_t get_nonce(message_t *message, chunk_t *nonce) /** * generate a new nonce to include in a CREATE_CHILD_SA message */ -static status_t generate_nonce(private_child_create_t *this) +static bool generate_nonce(private_child_create_t *this) { - nonce_gen_t *nonceg; - - nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat); - if (!nonceg) + this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat); + if (!this->nonceg) { DBG1(DBG_IKE, "no nonce generator found to create nonce"); - return FAILED; + return FALSE; } - if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce)) + if (!this->nonceg->allocate_nonce(this->nonceg, NONCE_SIZE, + &this->my_nonce)) { DBG1(DBG_IKE, "nonce allocation failed"); - nonceg->destroy(nonceg); - return FAILED; + return FALSE; } - nonceg->destroy(nonceg); - - return SUCCESS; + return TRUE; } /** @@ -933,9 +934,10 @@ METHOD(task_t, build_i, status_t, case IKE_SA_INIT: return get_nonce(message, &this->my_nonce); case CREATE_CHILD_SA: - if (generate_nonce(this) != SUCCESS) + if (!generate_nonce(this)) { - message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty); + message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, + chunk_empty); return SUCCESS; } if (!this->retry) @@ -1092,7 +1094,10 @@ METHOD(task_t, process_r, status_t, static void handle_child_sa_failure(private_child_create_t *this, message_t *message) { - if (message->get_exchange_type(message) == IKE_AUTH && + bool is_first; + + is_first = message->get_exchange_type(message) == IKE_AUTH; + if (is_first && lib->settings->get_bool(lib->settings, "%s.close_ike_on_child_failure", FALSE, lib->ns)) { @@ -1106,7 +1111,8 @@ static void handle_child_sa_failure(private_child_create_t *this, else { DBG1(DBG_IKE, "failed to establish CHILD_SA, keeping IKE_SA"); - charon->bus->alert(charon->bus, ALERT_KEEP_ON_CHILD_SA_FAILURE); + charon->bus->alert(charon->bus, ALERT_KEEP_ON_CHILD_SA_FAILURE, + is_first); } } @@ -1190,7 +1196,7 @@ METHOD(task_t, build_r, status_t, case IKE_SA_INIT: return get_nonce(message, &this->my_nonce); case CREATE_CHILD_SA: - if (generate_nonce(this) != SUCCESS ) + if (!generate_nonce(this)) { message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty); @@ -1575,6 +1581,7 @@ METHOD(task_t, migrate, void, } DESTROY_IF(this->child_sa); DESTROY_IF(this->proposal); + DESTROY_IF(this->nonceg); DESTROY_IF(this->dh); this->dh_failed = FALSE; if (this->proposals) @@ -1627,6 +1634,7 @@ METHOD(task_t, destroy, void, } DESTROY_IF(this->config); + DESTROY_IF(this->nonceg); free(this); } @@ -1678,6 +1686,5 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, this->public.task.process = _process_r; this->initiator = FALSE; } - return &this->public; } diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index 0d5700ef2..1ff643d62 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -89,6 +89,11 @@ struct private_ike_init_t { */ chunk_t other_nonce; + /** + * nonce generator + */ + nonce_gen_t *nonceg; + /** * Negotiated proposal used for IKE_SA */ @@ -115,6 +120,25 @@ struct private_ike_init_t { bool signature_authentication; }; +/** + * Allocate our own nonce value + */ +static bool generate_nonce(private_ike_init_t *this) +{ + if (!this->nonceg) + { + DBG1(DBG_IKE, "no nonce generator found to create nonce"); + return FALSE; + } + if (!this->nonceg->allocate_nonce(this->nonceg, NONCE_SIZE, + &this->my_nonce)) + { + DBG1(DBG_IKE, "nonce allocation failed"); + return FALSE; + } + return TRUE; +} + /** * Notify the peer about the hash algorithms we support or expect, * as per RFC 7427 @@ -428,21 +452,10 @@ METHOD(task_t, build_i, status_t, /* generate nonce only when we are trying the first time */ if (this->my_nonce.ptr == NULL) { - nonce_gen_t *nonceg; - - nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat); - if (!nonceg) + if (!generate_nonce(this)) { - DBG1(DBG_IKE, "no nonce generator found to create nonce"); return FAILED; } - if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce)) - { - DBG1(DBG_IKE, "nonce allocation failed"); - nonceg->destroy(nonceg); - return FAILED; - } - nonceg->destroy(nonceg); } if (this->cookie.ptr) @@ -471,25 +484,14 @@ METHOD(task_t, build_i, status_t, METHOD(task_t, process_r, status_t, private_ike_init_t *this, message_t *message) { - nonce_gen_t *nonceg; - this->config = this->ike_sa->get_ike_cfg(this->ike_sa); DBG0(DBG_IKE, "%H is initiating an IKE_SA", message->get_source(message)); this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING); - nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat); - if (!nonceg) + if (!generate_nonce(this)) { - DBG1(DBG_IKE, "no nonce generator found to create nonce"); return FAILED; } - if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce)) - { - DBG1(DBG_IKE, "nonce allocation failed"); - nonceg->destroy(nonceg); - return FAILED; - } - nonceg->destroy(nonceg); #ifdef ME { @@ -756,6 +758,7 @@ METHOD(task_t, destroy, void, { DESTROY_IF(this->dh); DESTROY_IF(this->proposal); + DESTROY_IF(this->nonceg); chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); chunk_free(&this->cookie); @@ -800,6 +803,7 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa) .signature_authentication = lib->settings->get_bool(lib->settings, "%s.signature_authentication", TRUE, lib->ns), ); + this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat); if (initiator) { @@ -811,6 +815,5 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa) this->public.task.build = _build_r; this->public.task.process = _process_r; } - return &this->public; } diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c index 6295d7960..11b0bb281 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c +++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c @@ -537,7 +537,7 @@ METHOD(task_t, process_i, status_t, cookie2 = this->cookie2; this->cookie2 = chunk_empty; process_payloads(this, message); - if (!chunk_equals(cookie2, this->cookie2)) + if (!chunk_equals_const(cookie2, this->cookie2)) { chunk_free(&cookie2); DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA"); diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c index d536af218..cb3c270dc 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c +++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c @@ -76,6 +76,16 @@ static vid_data_t vids[] = { "CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc." }, { "FRAGMENTATION", 0, 16, "\x40\x48\xb7\xd5\x6e\xbc\xe8\x85\x25\xe7\xde\x7f\x00\xd6\xc2\xd3"}, + { "MS NT5 ISAKMPOAKLEY v7", 0, 20, + "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x07"}, + { "MS NT5 ISAKMPOAKLEY v8", 0, 20, + "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x08"}, + { "MS NT5 ISAKMPOAKLEY v9", 0, 20, + "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x09"}, + { "MS-Negotiation Discovery Capable", 0, 16, + "\xfb\x1d\xe3\xcd\xf3\x41\xb7\xea\x16\xb7\xe5\xbe\x08\x55\xf1\x20"}, + { "Vid-Initial-Contact", 0, 16, + "\x26\x24\x4d\x38\xed\xdb\x61\xb3\x17\x2a\x36\xe3\xd0\xcf\xb8\x19"}, }; METHOD(task_t, build, status_t, diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index 03e44e510..f22e07d95 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -1822,7 +1822,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, struct xfrm_replay_state *replay = NULL; struct xfrm_replay_state_esn *replay_esn = NULL; struct xfrm_lifetime_cur *lifetime = NULL; - u_int32_t replay_esn_len; + u_int32_t replay_esn_len = 0; status_t status = FAILED; /* if IPComp is used, we first update the IPComp SA */ diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c index a431e49b7..1515b01cc 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c @@ -1550,6 +1550,26 @@ static void rt_entry_destroy(rt_entry_t *this) free(this); } +/** + * Check if the route received with RTM_NEWROUTE is usable based on its type. + */ +static bool route_usable(struct nlmsghdr *hdr) +{ + struct rtmsg *msg; + + msg = NLMSG_DATA(hdr); + switch (msg->rtm_type) + { + case RTN_BLACKHOLE: + case RTN_UNREACHABLE: + case RTN_PROHIBIT: + case RTN_THROW: + return FALSE; + default: + return TRUE; + } +} + /** * Parse route received with RTM_NEWROUTE. The given rt_entry_t object will be * reused if not NULL. @@ -1700,6 +1720,10 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, rt_entry_t *other; uintptr_t table; + if (!route_usable(current)) + { + continue; + } route = parse_route(current, route); table = (uintptr_t)route->table; diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c index a9adfe091..b0e3103d3 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c @@ -82,6 +82,11 @@ struct private_netlink_socket_t { */ u_int retries; + /** + * Buffer size for received Netlink messages + */ + u_int buflen; + /** * Use parallel netlink queries */ @@ -161,7 +166,7 @@ static bool write_msg(private_netlink_socket_t *this, struct nlmsghdr *msg) * Read a single Netlink message from socket, return 0 on error, -1 on timeout */ static ssize_t read_msg(private_netlink_socket_t *this, - char buf[4096], size_t buflen, bool block) + char *buf, size_t buflen, bool block) { ssize_t len; @@ -236,20 +241,17 @@ static bool queue(private_netlink_socket_t *this, struct nlmsghdr *buf) static bool read_and_queue(private_netlink_socket_t *this, bool block) { struct nlmsghdr *hdr; - union { - struct nlmsghdr hdr; - char bytes[4096]; - } buf; + char buf[this->buflen]; ssize_t len; - len = read_msg(this, buf.bytes, sizeof(buf.bytes), block); + len = read_msg(this, buf, sizeof(buf), block); if (len == -1) { return TRUE; } if (len) { - hdr = &buf.hdr; + hdr = (struct nlmsghdr*)buf; while (NLMSG_OK(hdr, len)) { if (!queue(this, hdr)) @@ -568,6 +570,8 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names, .entries = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 4), .protocol = protocol, .names = names, + .buflen = lib->settings->get_int(lib->settings, + "%s.plugins.kernel-netlink.buflen", 4096, lib->ns), .timeout = lib->settings->get_int(lib->settings, "%s.plugins.kernel-netlink.timeout", 0, lib->ns), .retries = lib->settings->get_int(lib->settings, diff --git a/src/libhydra/plugins/kernel_netlink/tests.c b/src/libhydra/plugins/kernel_netlink/tests.c index 136b34d29..52985b438 100644 --- a/src/libhydra/plugins/kernel_netlink/tests.c +++ b/src/libhydra/plugins/kernel_netlink/tests.c @@ -33,9 +33,7 @@ static bool test_runner_init(bool init) { if (init) { - dbg_default_set_level(0); lib->processor->set_threads(lib->processor, 8); - dbg_default_set_level(1); } else { diff --git a/src/libimcv/ietf/ietf_attr_attr_request.c b/src/libimcv/ietf/ietf_attr_attr_request.c index 3862a0aa8..08658e2f7 100644 --- a/src/libimcv/ietf/ietf_attr_attr_request.c +++ b/src/libimcv/ietf/ietf_attr_attr_request.c @@ -138,8 +138,21 @@ METHOD(pa_tnc_attr_t, build, void, METHOD(ietf_attr_attr_request_t, add, void, private_ietf_attr_attr_request_t *this, pen_t vendor_id, u_int32_t type) { + enum_name_t *pa_attr_names; pen_type_t *entry; + pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes, + vendor_id); + if (pa_attr_names) + { + DBG2(DBG_TNC, " 0x%06x/0x%08x '%N/%N'", vendor_id, type, + pen_names, vendor_id, pa_attr_names, type); + } + else + { + DBG2(DBG_TNC, " 0x%06x/0x%08x '%N'", vendor_id, type, + pen_names, vendor_id); + } entry = malloc_thing(pen_type_t); entry->vendor_id = vendor_id; entry->type = type; @@ -150,7 +163,6 @@ METHOD(pa_tnc_attr_t, process, status_t, private_ietf_attr_attr_request_t *this, u_int32_t *offset) { bio_reader_t *reader; - enum_name_t *pa_attr_names; pen_t vendor_id; u_int32_t type; u_int8_t reserved; @@ -176,19 +188,6 @@ METHOD(pa_tnc_attr_t, process, status_t, reader->read_uint8 (reader, &reserved); reader->read_uint24(reader, &vendor_id); reader->read_uint32(reader, &type); - - pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes, - vendor_id); - if (pa_attr_names) - { - DBG2(DBG_TNC, " 0x%06x/0x%08x '%N/%N'", vendor_id, type, - pen_names, vendor_id, pa_attr_names, type); - } - else - { - DBG2(DBG_TNC, " 0x%06x/0x%08x '%N'", vendor_id, type, - pen_names, vendor_id); - } add(this, vendor_id, type); } reader->destroy(reader); diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.h b/src/libimcv/ietf/ietf_attr_fwd_enabled.h index c4b6c1547..3d554369b 100644 --- a/src/libimcv/ietf/ietf_attr_fwd_enabled.h +++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-14 Andreas Steffen + * Copyright (C) 2012-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.h b/src/libimcv/ietf/ietf_attr_numeric_version.h index 34393c673..8808d48ed 100644 --- a/src/libimcv/ietf/ietf_attr_numeric_version.h +++ b/src/libimcv/ietf/ietf_attr_numeric_version.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-14 Andreas Steffen + * Copyright (C) 2012-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it diff --git a/src/libimcv/ietf/ietf_attr_op_status.h b/src/libimcv/ietf/ietf_attr_op_status.h index f19185f0a..ceb13fe75 100644 --- a/src/libimcv/ietf/ietf_attr_op_status.h +++ b/src/libimcv/ietf/ietf_attr_op_status.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-14 Andreas Steffen + * Copyright (C) 2012-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it diff --git a/src/libimcv/imc/imc_os_info.c b/src/libimcv/imc/imc_os_info.c index b01a14c01..47697f1a3 100644 --- a/src/libimcv/imc/imc_os_info.c +++ b/src/libimcv/imc/imc_os_info.c @@ -586,9 +586,9 @@ imc_os_info_t *imc_os_info_create(void) /* As an option OS name and OS version can be configured manually */ name.ptr = lib->settings->get_str(lib->settings, - "%s.imcv.imc_os_info.name", NULL, lib->ns); + "%s.imcv.os_info.name", NULL, lib->ns); version.ptr = lib->settings->get_str(lib->settings, - "%s.imcv.imc_os_info.version", NULL, lib->ns); + "%s.imcv.os_info.version", NULL, lib->ns); if (name.ptr && version.ptr) { name.len = strlen(name.ptr); diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c index 9f7e4e8f4..b730f8c41 100644 --- a/src/libimcv/imv/imv_policy_manager.c +++ b/src/libimcv/imv/imv_policy_manager.c @@ -255,7 +255,8 @@ static bool policy_stop(database_t *db, int session_id) enumerator_t *e; int rec, policy, final_rec, id_type; chunk_t id_value; - char *result, *ip_address = NULL; + char *result, *format, *ip_address = NULL; + char command[512]; bool success = TRUE; /* store all workitem results for this session in the results table */ @@ -334,6 +335,25 @@ static bool policy_stop(database_t *db, int session_id) fprintf(stderr, "recommendation for access requestor %s is %N\n", ip_address ? ip_address : "0.0.0.0", TNC_IMV_Action_Recommendation_names, final_rec); + + if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW) + { + format = lib->settings->get_str(lib->settings, + "imv_policy_manager.command_allow", NULL); + } + else + { + format = lib->settings->get_str(lib->settings, + "imv_policy_manager.command_block", NULL); + } + if (format && ip_address) + { + /* the IP address can occur at most twice in the command string */ + snprintf(command, sizeof(command), format, ip_address, ip_address); + success = system(command) == 0; + fprintf(stderr, "%s system command: %s\n", + success ? "successful" : "failed", command); + } free(ip_address); return success; diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.c b/src/libimcv/pa_tnc/pa_tnc_msg.c index d9b441707..ea4dee950 100644 --- a/src/libimcv/pa_tnc/pa_tnc_msg.c +++ b/src/libimcv/pa_tnc/pa_tnc_msg.c @@ -226,7 +226,14 @@ METHOD(pa_tnc_msg_t, process, status_t, reader, FALSE, &offset, this->encoding, &error); if (!attr) { - goto err; + if (error) + { + goto err; + } + else + { + continue; + } } attr_value = attr->get_value(attr); attr_type = attr->get_type(attr); diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c index 86d2e09ca..4fe8856e6 100644 --- a/src/libimcv/plugins/imc_os/imc_os.c +++ b/src/libimcv/plugins/imc_os/imc_os.c @@ -345,9 +345,13 @@ static void add_installed_packages(imc_state_t *state, imc_msg_t *msg) enumerator_t *enumerator; chunk_t name, version; + enumerator = os->create_package_enumerator(os); + if (!enumerator) + { + return; + } attr = ietf_attr_installed_packages_create(); - enumerator = os->create_package_enumerator(os); while (enumerator->enumerate(enumerator, &name, &version)) { DBG2(DBG_IMC, "package '%.*s' (%.*s)", diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c index fbeb6618e..c3e053d9b 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c @@ -181,7 +181,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, DBG1(DBG_IMV, "verifying AIK with keyid %#B", &keyid); keyid_hex = chunk_to_hex(keyid, NULL, FALSE); if (session->get_device_id(session, &device_id) && - chunk_equals(keyid_hex, device_id)) + chunk_equals_const(keyid_hex, device_id)) { trusted = session->get_device_trust(session); } @@ -290,7 +290,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, /* check hashes from database against measurements */ e = pts_db->create_file_hash_enumerator(pts_db, - pts->get_platform_id(pts), + pts->get_platform_id(pts), algo, is_dir, arg_int); if (!e) { @@ -446,7 +446,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, return FALSE; } - if (!chunk_equals(pcr_comp, pcr_composite)) + if (!chunk_equals_const(pcr_comp, pcr_composite)) { DBG1(DBG_IMV, "received PCR Composite does not match " "constructed one"); @@ -564,4 +564,3 @@ quote_error: } return TRUE; } - diff --git a/src/libimcv/pts/components/ita/ita_comp_ima.c b/src/libimcv/pts/components/ita/ita_comp_ima.c index 3f92b04b1..448ca9ffb 100644 --- a/src/libimcv/pts/components/ita/ita_comp_ima.c +++ b/src/libimcv/pts/components/ita/ita_comp_ima.c @@ -307,7 +307,7 @@ static bool check_boot_aggregate(pts_pcr_t *pcrs, chunk_t measurement, } if (pcr_ok) { - success = chunk_equals(boot_aggregate, measurement); + success = chunk_equals_const(boot_aggregate, measurement); DBG1(DBG_PTS, "boot aggregate value is %scorrect", success ? "":"in"); return success; @@ -693,7 +693,7 @@ METHOD(pts_component_t, verify, status_t, status = FAILED; break; } - if (chunk_equals(measurement, hash)) + if (chunk_equals_const(measurement, hash)) { status = SUCCESS; break; @@ -748,7 +748,7 @@ METHOD(pts_component_t, verify, status_t, has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after); if (has_pcr_info) { - if (!chunk_equals(pcr_before, pcrs->get(pcrs, pcr))) + if (!chunk_equals_const(pcr_before, pcrs->get(pcrs, pcr))) { DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to register value", pcr); @@ -876,7 +876,7 @@ METHOD(pts_component_t, destroy, void, DESTROY_IF(this->bios_list); DESTROY_IF(this->ima_list); this->name->destroy(this->name); - + free(this); } } @@ -911,4 +911,3 @@ pts_component_t *pts_ita_comp_ima_create(uint32_t depth, return &this->public; } - diff --git a/src/libimcv/pts/components/ita/ita_comp_tboot.c b/src/libimcv/pts/components/ita/ita_comp_tboot.c index ce318ec84..3d990f6f2 100644 --- a/src/libimcv/pts/components/ita/ita_comp_tboot.c +++ b/src/libimcv/pts/components/ita/ita_comp_tboot.c @@ -249,7 +249,7 @@ METHOD(pts_component_t, verify, status_t, has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after); if (has_pcr_info) { - if (!chunk_equals(pcr_before, pcrs->get(pcrs, extended_pcr))) + if (!chunk_equals_const(pcr_before, pcrs->get(pcrs, extended_pcr))) { DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to register value", extended_pcr); @@ -354,4 +354,3 @@ pts_component_t *pts_ita_comp_tboot_create(u_int32_t depth, return &this->public; } - diff --git a/src/libimcv/pts/components/ita/ita_comp_tgrub.c b/src/libimcv/pts/components/ita/ita_comp_tgrub.c index 097e4c89c..e9555726a 100644 --- a/src/libimcv/pts/components/ita/ita_comp_tgrub.c +++ b/src/libimcv/pts/components/ita/ita_comp_tgrub.c @@ -141,7 +141,7 @@ METHOD(pts_component_t, verify, status_t, has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after); if (has_pcr_info) { - if (!chunk_equals(pcr_before, pcrs->get(pcrs, extended_pcr))) + if (!chunk_equals_const(pcr_before, pcrs->get(pcrs, extended_pcr))) { DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to pcr value"); } diff --git a/src/libimcv/pts/pts_database.c b/src/libimcv/pts/pts_database.c index d7b85c138..1a4c4212d 100644 --- a/src/libimcv/pts/pts_database.c +++ b/src/libimcv/pts/pts_database.c @@ -187,7 +187,7 @@ METHOD(pts_database_t, add_file_measurement, status_t, } if (e->enumerate(e, &hash_id, &hash_value)) { - if (!chunk_equals(measurement, hash_value)) + if (!chunk_equals_const(measurement, hash_value)) { /* update hash measurement value */ if (this->db->execute(this->db, &hash_id, @@ -289,7 +289,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t, while (e->enumerate(e, &hash)) { - if (chunk_equals(hash, measurement)) + if (chunk_equals_const(hash, measurement)) { status = SUCCESS; break; diff --git a/src/libimcv/pts/pts_file_meas.c b/src/libimcv/pts/pts_file_meas.c index 478892aea..966d54ba2 100644 --- a/src/libimcv/pts/pts_file_meas.c +++ b/src/libimcv/pts/pts_file_meas.c @@ -133,7 +133,7 @@ METHOD(pts_file_meas_t, check, bool, { while (e->enumerate(e, &hash)) { - if (chunk_equals(entry->measurement, hash)) + if (chunk_equals_const(entry->measurement, hash)) { status = SUCCESS; break; @@ -223,7 +223,7 @@ METHOD(pts_file_meas_t, verify, bool, } } - /* no PTS measurement returned for this filename */ + /* no PTS measurement returned for this filename */ if (!found) { success = FALSE; @@ -234,7 +234,7 @@ METHOD(pts_file_meas_t, verify, bool, if (found && !match) { - if (chunk_equals(measurement, entry->measurement)) + if (chunk_equals_const(measurement, entry->measurement)) { match = TRUE; DBG2(DBG_PTS, " %#B for '%s' is ok", @@ -252,7 +252,7 @@ METHOD(pts_file_meas_t, verify, bool, &entry->measurement, entry->filename); enumerator->destroy(enumerator); } - + return success; } diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c index 5e58f66da..a2307e048 100644 --- a/src/libipsec/esp_context.c +++ b/src/libipsec/esp_context.c @@ -244,6 +244,7 @@ static bool create_traditional(private_esp_context_t *this, int enc_alg, { crypter_t *crypter = NULL; signer_t *signer = NULL; + iv_gen_t *ivg; crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_key.len); if (!crypter) @@ -272,7 +273,13 @@ static bool create_traditional(private_esp_context_t *this, int enc_alg, "failed"); goto failed; } - this->aead = aead_create(crypter, signer); + ivg = iv_gen_create_for_alg(enc_alg); + if (!ivg) + { + DBG1(DBG_ESP, "failed to create ESP context: creating iv gen failed"); + goto failed; + } + this->aead = aead_create(crypter, signer, ivg); return TRUE; failed: diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c index 07ffa9e4f..9d461f2c1 100644 --- a/src/libipsec/ipsec_sa_mgr.c +++ b/src/libipsec/ipsec_sa_mgr.c @@ -482,7 +482,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t, entry = create_entry(sa_new); schedule_expiration(this, entry); - this->sas->insert_last(this->sas, entry); + this->sas->insert_first(this->sas, entry); this->mutex->unlock(this->mutex); return SUCCESS; diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.c b/src/libpttls/sasl/sasl_plain/sasl_plain.c index 019c1b011..b2d30e680 100644 --- a/src/libpttls/sasl/sasl_plain/sasl_plain.c +++ b/src/libpttls/sasl/sasl_plain/sasl_plain.c @@ -86,7 +86,7 @@ METHOD(sasl_mechanism_t, process_server, status_t, DBG1(DBG_CFG, "no shared secret found for '%Y'", this->client); return FAILED; } - if (!chunk_equals(shared->get_key(shared), password)) + if (!chunk_equals_const(shared->get_key(shared), password)) { DBG1(DBG_CFG, "shared secret for '%Y' does not match", this->client); shared->destroy(shared); diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c index 3905a06c7..e6abfe2c2 100644 --- a/src/libradius/radius_message.c +++ b/src/libradius/radius_message.c @@ -536,7 +536,7 @@ METHOD(radius_message_t, verify, bool, /* verify Response-Authenticator */ if (!hasher->get_hash(hasher, msg, NULL) || !hasher->get_hash(hasher, secret, buf) || - !memeq(buf, res_auth, HASH_SIZE_MD5)) + !memeq_const(buf, res_auth, HASH_SIZE_MD5)) { DBG1(DBG_CFG, "RADIUS Response-Authenticator verification failed"); return FALSE; diff --git a/src/libradius/radius_socket.c b/src/libradius/radius_socket.c index fe9cf3c01..ad5daa54b 100644 --- a/src/libradius/radius_socket.c +++ b/src/libradius/radius_socket.c @@ -125,9 +125,65 @@ static bool check_connection(private_radius_socket_t *this, return TRUE; } +/** + * Receive the response to the message with the given ID + */ +static status_t receive_response(int fd, int timeout, u_int8_t id, + radius_message_t **response) +{ + radius_message_t *msg; + char buf[4096]; + int res; + struct pollfd pfd = { + .fd = fd, + .events = POLLIN, + }; + + while (TRUE) + { + res = poll(&pfd, 1, timeout); + if (res < 0) + { + DBG1(DBG_CFG, "waiting for RADIUS message failed: %s", + strerror(errno)); + return FAILED; + } + if (res == 0) + { /* timeout */ + return OUT_OF_RES; + } + res = recv(fd, buf, sizeof(buf), MSG_DONTWAIT); + if (res <= 0) + { + DBG1(DBG_CFG, "receiving RADIUS message failed: %s", + strerror(errno)); + return FAILED; + } + msg = radius_message_parse(chunk_create(buf, res)); + if (!msg) + { + DBG1(DBG_CFG, "received invalid RADIUS message, ignored"); + return FAILED; + } + if (id != msg->get_identifier(msg)) + { + /* we haven't received the response to our current request, but + * perhaps one for an earlier request for which we didn't wait + * long enough */ + DBG1(DBG_CFG, "received RADIUS message with unexpected ID %d " + "[%d expected], ignored", msg->get_identifier(msg), id); + msg->destroy(msg); + continue; + } + *response = msg; + return SUCCESS; + } +} + METHOD(radius_socket_t, request, radius_message_t*, private_radius_socket_t *this, radius_message_t *request) { + radius_message_t *response; chunk_t data; int i, *fd, retransmit = 0; u_int16_t port; @@ -165,14 +221,6 @@ METHOD(radius_socket_t, request, radius_message_t*, /* timeout after 2, 3, 4, 5 seconds */ for (i = 2; i <= 5; i++) { - radius_message_t *response; - char buf[4096]; - int res; - struct pollfd pfd = { - .fd = *fd, - .events = POLLIN, - }; - if (retransmit) { DBG1(DBG_CFG, "retransmitting RADIUS %N (attempt %d)", @@ -184,37 +232,23 @@ METHOD(radius_socket_t, request, radius_message_t*, DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno)); return NULL; } - res = poll(&pfd, 1, i * 1000); - if (res < 0) - { - DBG1(DBG_CFG, "waiting for RADIUS message failed: %s", - strerror(errno)); - return NULL; - } - if (res == 0) - { /* timeout */ - retransmit++; - continue; - } - res = recv(*fd, buf, sizeof(buf), MSG_DONTWAIT); - if (res <= 0) + switch (receive_response(*fd, i*1000, request->get_identifier(request), + &response)) { - DBG1(DBG_CFG, "receiving RADIUS message failed: %s", - strerror(errno)); - return NULL; + case SUCCESS: + break; + case OUT_OF_RES: + retransmit++; + continue; + default: + return NULL; } - response = radius_message_parse(chunk_create(buf, res)); - if (response) + if (response->verify(response, request->get_authenticator(request), + this->secret, this->hasher, this->signer)) { - if (response->verify(response, - request->get_authenticator(request), this->secret, - this->hasher, this->signer)) - { - return response; - } - response->destroy(response); + return response; } - DBG1(DBG_CFG, "received invalid RADIUS message, ignored"); + response->destroy(response); return NULL; } DBG1(DBG_CFG, "RADIUS %N timed out after %d retransmits", diff --git a/src/libsimaka/Makefile.am b/src/libsimaka/Makefile.am index 6878133f3..9997ece08 100644 --- a/src/libsimaka/Makefile.am +++ b/src/libsimaka/Makefile.am @@ -11,6 +11,10 @@ ipseclib_LTLIBRARIES = libsimaka.la libsimaka_la_LIBADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la +if USE_WINDOWS + libsimaka_la_LIBADD += -lws2_32 +endif + libsimaka_la_SOURCES = simaka_message.h simaka_message.c \ simaka_crypto.h simaka_crypto.c simaka_manager.h simaka_manager.c \ simaka_card.h simaka_provider.h simaka_hooks.h diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in index 79962d3bd..637137cb0 100644 --- a/src/libsimaka/Makefile.in +++ b/src/libsimaka/Makefile.in @@ -78,6 +78,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ +@USE_WINDOWS_TRUE@am__append_1 = -lws2_32 subdir = src/libsimaka DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp @@ -127,8 +128,10 @@ am__uninstall_files_from_dir = { \ } am__installdirs = "$(DESTDIR)$(ipseclibdir)" LTLIBRARIES = $(ipseclib_LTLIBRARIES) +am__DEPENDENCIES_1 = libsimaka_la_DEPENDENCIES = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__DEPENDENCIES_1) am_libsimaka_la_OBJECTS = simaka_message.lo simaka_crypto.lo \ simaka_manager.lo libsimaka_la_OBJECTS = $(am_libsimaka_la_OBJECTS) @@ -431,9 +434,9 @@ AM_LDFLAGS = \ -no-undefined ipseclib_LTLIBRARIES = libsimaka.la -libsimaka_la_LIBADD = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la - +libsimaka_la_LIBADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__append_1) libsimaka_la_SOURCES = simaka_message.h simaka_message.c \ simaka_crypto.h simaka_crypto.c simaka_manager.h simaka_manager.c \ simaka_card.h simaka_provider.h simaka_hooks.h diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index 2a8894b0e..d019d96e1 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -14,7 +14,7 @@ crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \ crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \ -crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \ +crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \ crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ @@ -36,10 +36,13 @@ pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \ processing/watcher.c resolver/resolver_manager.c resolver/rr_set.c \ selectors/traffic_selector.c settings/settings.c settings/settings_types.c \ -settings/settings_parser.c settings/settings_lexer.c \ +settings/settings_parser.c settings/settings_lexer.c utils/cpu_feature.c \ utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \ utils/lexparser.c utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \ -utils/parser_helper.c utils/test.c utils/process.c utils/utils/strerror.c +utils/parser_helper.c utils/test.c utils/process.c utils/utils/strerror.c \ +utils/utils/atomics.c utils/utils/string.c utils/utils/memory.c \ +utils/utils/tty.c utils/utils/path.c utils/utils/status.c utils/utils/time.c \ +utils/utils/align.c libstrongswan_la_SOURCES += \ threading/thread.c \ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index fbc752687..b3636cfb8 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -12,7 +12,7 @@ crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \ crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \ -crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \ +crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \ crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ @@ -34,10 +34,13 @@ pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \ processing/watcher.c resolver/resolver_manager.c resolver/rr_set.c \ selectors/traffic_selector.c settings/settings.c settings/settings_types.c \ -settings/settings_parser.y settings/settings_lexer.l \ +settings/settings_parser.y settings/settings_lexer.l utils/cpu_feature.c \ utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \ utils/lexparser.c utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \ -utils/parser_helper.c utils/test.c utils/process.c utils/utils/strerror.c +utils/parser_helper.c utils/test.c utils/process.c utils/utils/strerror.c \ +utils/utils/atomics.c utils/utils/string.c utils/utils/memory.c \ +utils/utils/tty.c utils/utils/path.c utils/utils/status.c utils/utils/time.c \ +utils/utils/align.c if !USE_WINDOWS libstrongswan_la_SOURCES += \ @@ -103,10 +106,13 @@ threading/mutex.h threading/condvar.h threading/spinlock.h threading/semaphore.h threading/rwlock.h threading/rwlock_condvar.h threading/lock_profiler.h \ utils/utils.h utils/chunk.h utils/debug.h utils/enum.h utils/identification.h \ utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \ -utils/leak_detective.h utils/printf_hook/printf_hook.h \ +utils/cpu_feature.h utils/leak_detective.h utils/printf_hook/printf_hook.h \ utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \ utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \ -utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h +utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h \ +utils/utils/atomics.h utils/utils/types.h utils/utils/byteorder.h \ +utils/utils/string.h utils/utils/memory.h utils/utils/tty.h utils/utils/path.h \ +utils/utils/status.h utils/utils/object.h utils/utils/time.h utils/utils/align.h endif library.lo : $(top_builddir)/config.status @@ -296,6 +302,13 @@ if MONOLITHIC endif endif +if USE_AESNI + SUBDIRS += plugins/aesni +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/aesni/libstrongswan-aesni.la +endif +endif + if USE_RANDOM SUBDIRS += plugins/random if MONOLITHIC diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 99b18a757..5b20f6ea6 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -135,85 +135,87 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_37 = plugins/gmp/libstrongswan-gmp.la @USE_RDRAND_TRUE@am__append_38 = plugins/rdrand @MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_39 = plugins/rdrand/libstrongswan-rdrand.la -@USE_RANDOM_TRUE@am__append_40 = plugins/random -@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_41 = plugins/random/libstrongswan-random.la -@USE_NONCE_TRUE@am__append_42 = plugins/nonce -@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_43 = plugins/nonce/libstrongswan-nonce.la -@USE_HMAC_TRUE@am__append_44 = plugins/hmac -@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_45 = plugins/hmac/libstrongswan-hmac.la -@USE_CMAC_TRUE@am__append_46 = plugins/cmac -@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_47 = plugins/cmac/libstrongswan-cmac.la -@USE_XCBC_TRUE@am__append_48 = plugins/xcbc -@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_49 = plugins/xcbc/libstrongswan-xcbc.la -@USE_X509_TRUE@am__append_50 = plugins/x509 -@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_51 = plugins/x509/libstrongswan-x509.la -@USE_REVOCATION_TRUE@am__append_52 = plugins/revocation -@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_53 = plugins/revocation/libstrongswan-revocation.la -@USE_CONSTRAINTS_TRUE@am__append_54 = plugins/constraints -@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_55 = plugins/constraints/libstrongswan-constraints.la -@USE_ACERT_TRUE@am__append_56 = plugins/acert -@MONOLITHIC_TRUE@@USE_ACERT_TRUE@am__append_57 = plugins/acert/libstrongswan-acert.la -@USE_PUBKEY_TRUE@am__append_58 = plugins/pubkey -@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_59 = plugins/pubkey/libstrongswan-pubkey.la -@USE_PKCS1_TRUE@am__append_60 = plugins/pkcs1 -@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_61 = plugins/pkcs1/libstrongswan-pkcs1.la -@USE_PKCS7_TRUE@am__append_62 = plugins/pkcs7 -@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_63 = plugins/pkcs7/libstrongswan-pkcs7.la -@USE_PKCS8_TRUE@am__append_64 = plugins/pkcs8 -@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_65 = plugins/pkcs8/libstrongswan-pkcs8.la -@USE_PKCS12_TRUE@am__append_66 = plugins/pkcs12 -@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_67 = plugins/pkcs12/libstrongswan-pkcs12.la -@USE_PGP_TRUE@am__append_68 = plugins/pgp -@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_69 = plugins/pgp/libstrongswan-pgp.la -@USE_DNSKEY_TRUE@am__append_70 = plugins/dnskey -@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_71 = plugins/dnskey/libstrongswan-dnskey.la -@USE_SSHKEY_TRUE@am__append_72 = plugins/sshkey -@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_73 = plugins/sshkey/libstrongswan-sshkey.la -@USE_PEM_TRUE@am__append_74 = plugins/pem -@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_75 = plugins/pem/libstrongswan-pem.la -@USE_CURL_TRUE@am__append_76 = plugins/curl -@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_77 = plugins/curl/libstrongswan-curl.la -@USE_FILES_TRUE@am__append_78 = plugins/files -@MONOLITHIC_TRUE@@USE_FILES_TRUE@am__append_79 = plugins/files/libstrongswan-files.la -@USE_WINHTTP_TRUE@am__append_80 = plugins/winhttp -@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_81 = plugins/winhttp/libstrongswan-winhttp.la -@USE_UNBOUND_TRUE@am__append_82 = plugins/unbound -@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_83 = plugins/unbound/libstrongswan-unbound.la -@USE_SOUP_TRUE@am__append_84 = plugins/soup -@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_85 = plugins/soup/libstrongswan-soup.la -@USE_LDAP_TRUE@am__append_86 = plugins/ldap -@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_87 = plugins/ldap/libstrongswan-ldap.la -@USE_MYSQL_TRUE@am__append_88 = plugins/mysql -@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_89 = plugins/mysql/libstrongswan-mysql.la -@USE_SQLITE_TRUE@am__append_90 = plugins/sqlite -@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_91 = plugins/sqlite/libstrongswan-sqlite.la -@USE_PADLOCK_TRUE@am__append_92 = plugins/padlock -@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_93 = plugins/padlock/libstrongswan-padlock.la -@USE_OPENSSL_TRUE@am__append_94 = plugins/openssl -@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_95 = plugins/openssl/libstrongswan-openssl.la -@USE_GCRYPT_TRUE@am__append_96 = plugins/gcrypt -@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_97 = plugins/gcrypt/libstrongswan-gcrypt.la -@USE_FIPS_PRF_TRUE@am__append_98 = plugins/fips_prf -@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_99 = plugins/fips_prf/libstrongswan-fips-prf.la -@USE_AGENT_TRUE@am__append_100 = plugins/agent -@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_101 = plugins/agent/libstrongswan-agent.la -@USE_KEYCHAIN_TRUE@am__append_102 = plugins/keychain -@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_103 = plugins/keychain/libstrongswan-keychain.la -@USE_PKCS11_TRUE@am__append_104 = plugins/pkcs11 -@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_105 = plugins/pkcs11/libstrongswan-pkcs11.la -@USE_CTR_TRUE@am__append_106 = plugins/ctr -@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_107 = plugins/ctr/libstrongswan-ctr.la -@USE_CCM_TRUE@am__append_108 = plugins/ccm -@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_109 = plugins/ccm/libstrongswan-ccm.la -@USE_GCM_TRUE@am__append_110 = plugins/gcm -@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_111 = plugins/gcm/libstrongswan-gcm.la -@USE_NTRU_TRUE@am__append_112 = plugins/ntru -@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_113 = plugins/ntru/libstrongswan-ntru.la -@USE_BLISS_TRUE@am__append_114 = plugins/bliss -@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_115 = plugins/bliss/libstrongswan-bliss.la -@USE_TEST_VECTORS_TRUE@am__append_116 = plugins/test_vectors -@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_117 = plugins/test_vectors/libstrongswan-test-vectors.la -@USE_BLISS_TRUE@am__append_118 = plugins/bliss/tests +@USE_AESNI_TRUE@am__append_40 = plugins/aesni +@MONOLITHIC_TRUE@@USE_AESNI_TRUE@am__append_41 = plugins/aesni/libstrongswan-aesni.la +@USE_RANDOM_TRUE@am__append_42 = plugins/random +@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_43 = plugins/random/libstrongswan-random.la +@USE_NONCE_TRUE@am__append_44 = plugins/nonce +@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_45 = plugins/nonce/libstrongswan-nonce.la +@USE_HMAC_TRUE@am__append_46 = plugins/hmac +@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_47 = plugins/hmac/libstrongswan-hmac.la +@USE_CMAC_TRUE@am__append_48 = plugins/cmac +@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_49 = plugins/cmac/libstrongswan-cmac.la +@USE_XCBC_TRUE@am__append_50 = plugins/xcbc +@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_51 = plugins/xcbc/libstrongswan-xcbc.la +@USE_X509_TRUE@am__append_52 = plugins/x509 +@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_53 = plugins/x509/libstrongswan-x509.la +@USE_REVOCATION_TRUE@am__append_54 = plugins/revocation +@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_55 = plugins/revocation/libstrongswan-revocation.la +@USE_CONSTRAINTS_TRUE@am__append_56 = plugins/constraints +@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_57 = plugins/constraints/libstrongswan-constraints.la +@USE_ACERT_TRUE@am__append_58 = plugins/acert +@MONOLITHIC_TRUE@@USE_ACERT_TRUE@am__append_59 = plugins/acert/libstrongswan-acert.la +@USE_PUBKEY_TRUE@am__append_60 = plugins/pubkey +@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_61 = plugins/pubkey/libstrongswan-pubkey.la +@USE_PKCS1_TRUE@am__append_62 = plugins/pkcs1 +@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_63 = plugins/pkcs1/libstrongswan-pkcs1.la +@USE_PKCS7_TRUE@am__append_64 = plugins/pkcs7 +@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_65 = plugins/pkcs7/libstrongswan-pkcs7.la +@USE_PKCS8_TRUE@am__append_66 = plugins/pkcs8 +@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_67 = plugins/pkcs8/libstrongswan-pkcs8.la +@USE_PKCS12_TRUE@am__append_68 = plugins/pkcs12 +@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_69 = plugins/pkcs12/libstrongswan-pkcs12.la +@USE_PGP_TRUE@am__append_70 = plugins/pgp +@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_71 = plugins/pgp/libstrongswan-pgp.la +@USE_DNSKEY_TRUE@am__append_72 = plugins/dnskey +@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_73 = plugins/dnskey/libstrongswan-dnskey.la +@USE_SSHKEY_TRUE@am__append_74 = plugins/sshkey +@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_75 = plugins/sshkey/libstrongswan-sshkey.la +@USE_PEM_TRUE@am__append_76 = plugins/pem +@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_77 = plugins/pem/libstrongswan-pem.la +@USE_CURL_TRUE@am__append_78 = plugins/curl +@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_79 = plugins/curl/libstrongswan-curl.la +@USE_FILES_TRUE@am__append_80 = plugins/files +@MONOLITHIC_TRUE@@USE_FILES_TRUE@am__append_81 = plugins/files/libstrongswan-files.la +@USE_WINHTTP_TRUE@am__append_82 = plugins/winhttp +@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_83 = plugins/winhttp/libstrongswan-winhttp.la +@USE_UNBOUND_TRUE@am__append_84 = plugins/unbound +@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_85 = plugins/unbound/libstrongswan-unbound.la +@USE_SOUP_TRUE@am__append_86 = plugins/soup +@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_87 = plugins/soup/libstrongswan-soup.la +@USE_LDAP_TRUE@am__append_88 = plugins/ldap +@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_89 = plugins/ldap/libstrongswan-ldap.la +@USE_MYSQL_TRUE@am__append_90 = plugins/mysql +@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_91 = plugins/mysql/libstrongswan-mysql.la +@USE_SQLITE_TRUE@am__append_92 = plugins/sqlite +@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_93 = plugins/sqlite/libstrongswan-sqlite.la +@USE_PADLOCK_TRUE@am__append_94 = plugins/padlock +@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_95 = plugins/padlock/libstrongswan-padlock.la +@USE_OPENSSL_TRUE@am__append_96 = plugins/openssl +@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_97 = plugins/openssl/libstrongswan-openssl.la +@USE_GCRYPT_TRUE@am__append_98 = plugins/gcrypt +@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_99 = plugins/gcrypt/libstrongswan-gcrypt.la +@USE_FIPS_PRF_TRUE@am__append_100 = plugins/fips_prf +@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_101 = plugins/fips_prf/libstrongswan-fips-prf.la +@USE_AGENT_TRUE@am__append_102 = plugins/agent +@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_103 = plugins/agent/libstrongswan-agent.la +@USE_KEYCHAIN_TRUE@am__append_104 = plugins/keychain +@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_105 = plugins/keychain/libstrongswan-keychain.la +@USE_PKCS11_TRUE@am__append_106 = plugins/pkcs11 +@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_107 = plugins/pkcs11/libstrongswan-pkcs11.la +@USE_CTR_TRUE@am__append_108 = plugins/ctr +@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_109 = plugins/ctr/libstrongswan-ctr.la +@USE_CCM_TRUE@am__append_110 = plugins/ccm +@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_111 = plugins/ccm/libstrongswan-ccm.la +@USE_GCM_TRUE@am__append_112 = plugins/gcm +@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_113 = plugins/gcm/libstrongswan-gcm.la +@USE_NTRU_TRUE@am__append_114 = plugins/ntru +@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_115 = plugins/ntru/libstrongswan-ntru.la +@USE_BLISS_TRUE@am__append_116 = plugins/bliss +@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_117 = plugins/bliss/libstrongswan-bliss.la +@USE_TEST_VECTORS_TRUE@am__append_118 = plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_119 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_BLISS_TRUE@am__append_120 = plugins/bliss/tests subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ settings/settings_parser.h settings/settings_parser.c \ @@ -292,7 +294,8 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_95) $(am__append_97) $(am__append_99) \ $(am__append_101) $(am__append_103) $(am__append_105) \ $(am__append_107) $(am__append_109) $(am__append_111) \ - $(am__append_113) $(am__append_115) $(am__append_117) + $(am__append_113) $(am__append_115) $(am__append_117) \ + $(am__append_119) am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \ bio/bio_writer.c collections/blocking_queue.c \ @@ -306,7 +309,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ crypto/prf_plus.c crypto/signers/signer.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c \ crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \ - crypto/transform.c crypto/iv/iv_gen_rand.c \ + crypto/transform.c crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c \ crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \ crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \ credentials/builder.c credentials/cred_encoding.c \ @@ -338,12 +341,16 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ resolver/rr_set.c selectors/traffic_selector.c \ settings/settings.c settings/settings_types.c \ settings/settings_parser.y settings/settings_lexer.l \ - utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \ - utils/identification.c utils/lexparser.c utils/optionsfrom.c \ - utils/capabilities.c utils/backtrace.c utils/parser_helper.c \ - utils/test.c utils/process.c utils/utils/strerror.c \ - threading/thread.c threading/thread_value.c threading/mutex.c \ - threading/rwlock.c threading/spinlock.c threading/semaphore.c \ + utils/cpu_feature.c utils/utils.c utils/chunk.c utils/debug.c \ + utils/enum.c utils/identification.c utils/lexparser.c \ + utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \ + utils/parser_helper.c utils/test.c utils/process.c \ + utils/utils/strerror.c utils/utils/atomics.c \ + utils/utils/string.c utils/utils/memory.c utils/utils/tty.c \ + utils/utils/path.c utils/utils/status.c utils/utils/time.c \ + utils/utils/align.c threading/thread.c \ + threading/thread_value.c threading/mutex.c threading/rwlock.c \ + threading/spinlock.c threading/semaphore.c \ networking/streams/stream_unix.c \ networking/streams/stream_service_unix.c \ threading/windows/thread.c threading/windows/thread_value.c \ @@ -386,9 +393,9 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ crypto/prf_plus.lo crypto/signers/signer.lo \ crypto/signers/mac_signer.lo crypto/crypto_factory.lo \ crypto/crypto_tester.lo crypto/diffie_hellman.lo \ - crypto/aead.lo crypto/transform.lo crypto/iv/iv_gen_rand.lo \ - crypto/iv/iv_gen_seq.lo crypto/mgf1/mgf1.lo \ - crypto/mgf1/mgf1_bitspender.lo \ + crypto/aead.lo crypto/transform.lo crypto/iv/iv_gen.lo \ + crypto/iv/iv_gen_rand.lo crypto/iv/iv_gen_seq.lo \ + crypto/mgf1/mgf1.lo crypto/mgf1/mgf1_bitspender.lo \ credentials/credential_factory.lo credentials/builder.lo \ credentials/cred_encoding.lo credentials/keys/private_key.lo \ credentials/keys/public_key.lo credentials/keys/shared_key.lo \ @@ -418,13 +425,17 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ resolver/rr_set.lo selectors/traffic_selector.lo \ settings/settings.lo settings/settings_types.lo \ settings/settings_parser.lo settings/settings_lexer.lo \ - utils/utils.lo utils/chunk.lo utils/debug.lo utils/enum.lo \ - utils/identification.lo utils/lexparser.lo \ - utils/optionsfrom.lo utils/capabilities.lo utils/backtrace.lo \ - utils/parser_helper.lo utils/test.lo utils/process.lo \ - utils/utils/strerror.lo $(am__objects_1) $(am__objects_2) \ - $(am__objects_3) $(am__objects_4) $(am__objects_5) \ - $(am__objects_6) $(am__objects_7) + utils/cpu_feature.lo utils/utils.lo utils/chunk.lo \ + utils/debug.lo utils/enum.lo utils/identification.lo \ + utils/lexparser.lo utils/optionsfrom.lo utils/capabilities.lo \ + utils/backtrace.lo utils/parser_helper.lo utils/test.lo \ + utils/process.lo utils/utils/strerror.lo \ + utils/utils/atomics.lo utils/utils/string.lo \ + utils/utils/memory.lo utils/utils/tty.lo utils/utils/path.lo \ + utils/utils/status.lo utils/utils/time.lo utils/utils/align.lo \ + $(am__objects_1) $(am__objects_2) $(am__objects_3) \ + $(am__objects_4) $(am__objects_5) $(am__objects_6) \ + $(am__objects_7) libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -554,13 +565,17 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ threading/rwlock_condvar.h threading/lock_profiler.h \ utils/utils.h utils/chunk.h utils/debug.h utils/enum.h \ utils/identification.h utils/lexparser.h utils/optionsfrom.h \ - utils/capabilities.h utils/backtrace.h utils/leak_detective.h \ - utils/printf_hook/printf_hook.h \ + utils/capabilities.h utils/backtrace.h utils/cpu_feature.h \ + utils/leak_detective.h utils/printf_hook/printf_hook.h \ utils/printf_hook/printf_hook_vstr.h \ utils/printf_hook/printf_hook_builtin.h utils/parser_helper.h \ utils/test.h utils/integrity_checker.h utils/process.h \ utils/utils/strerror.h utils/compat/windows.h \ - utils/compat/apple.h + utils/compat/apple.h utils/utils/atomics.h utils/utils/types.h \ + utils/utils/byteorder.h utils/utils/string.h \ + utils/utils/memory.h utils/utils/tty.h utils/utils/path.h \ + utils/utils/status.h utils/utils/object.h utils/utils/time.h \ + utils/utils/align.h HEADERS = $(nobase_strongswan_include_HEADERS) $(noinst_HEADERS) RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive @@ -592,8 +607,8 @@ CTAGS = ctags DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \ plugins/blowfish plugins/rc2 plugins/md4 plugins/md5 \ plugins/sha1 plugins/sha2 plugins/gmp plugins/rdrand \ - plugins/random plugins/nonce plugins/hmac plugins/cmac \ - plugins/xcbc plugins/x509 plugins/revocation \ + plugins/aesni plugins/random plugins/nonce plugins/hmac \ + plugins/cmac plugins/xcbc plugins/x509 plugins/revocation \ plugins/constraints plugins/acert plugins/pubkey plugins/pkcs1 \ plugins/pkcs7 plugins/pkcs8 plugins/pkcs12 plugins/pgp \ plugins/dnskey plugins/sshkey plugins/pem plugins/curl \ @@ -867,7 +882,7 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ crypto/prf_plus.c crypto/signers/signer.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c \ crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \ - crypto/transform.c crypto/iv/iv_gen_rand.c \ + crypto/transform.c crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c \ crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \ crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \ credentials/builder.c credentials/cred_encoding.c \ @@ -899,13 +914,16 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ resolver/rr_set.c selectors/traffic_selector.c \ settings/settings.c settings/settings_types.c \ settings/settings_parser.y settings/settings_lexer.l \ - utils/utils.c utils/chunk.c utils/debug.c utils/enum.c \ - utils/identification.c utils/lexparser.c utils/optionsfrom.c \ - utils/capabilities.c utils/backtrace.c utils/parser_helper.c \ - utils/test.c utils/process.c utils/utils/strerror.c \ - $(am__append_1) $(am__append_3) $(am__append_8) \ - $(am__append_11) $(am__append_12) $(am__append_14) \ - $(am__append_16) + utils/cpu_feature.c utils/utils.c utils/chunk.c utils/debug.c \ + utils/enum.c utils/identification.c utils/lexparser.c \ + utils/optionsfrom.c utils/capabilities.c utils/backtrace.c \ + utils/parser_helper.c utils/test.c utils/process.c \ + utils/utils/strerror.c utils/utils/atomics.c \ + utils/utils/string.c utils/utils/memory.c utils/utils/tty.c \ + utils/utils/path.c utils/utils/status.c utils/utils/time.c \ + utils/utils/align.c $(am__append_1) $(am__append_3) \ + $(am__append_8) $(am__append_11) $(am__append_12) \ + $(am__append_14) $(am__append_16) # private header files noinst_HEADERS = \ @@ -958,10 +976,13 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@threading/rwlock.h threading/rwlock_condvar.h threading/lock_profiler.h \ @USE_DEV_HEADERS_TRUE@utils/utils.h utils/chunk.h utils/debug.h utils/enum.h utils/identification.h \ @USE_DEV_HEADERS_TRUE@utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \ -@USE_DEV_HEADERS_TRUE@utils/leak_detective.h utils/printf_hook/printf_hook.h \ +@USE_DEV_HEADERS_TRUE@utils/cpu_feature.h utils/leak_detective.h utils/printf_hook/printf_hook.h \ @USE_DEV_HEADERS_TRUE@utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \ @USE_DEV_HEADERS_TRUE@utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \ -@USE_DEV_HEADERS_TRUE@utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h +@USE_DEV_HEADERS_TRUE@utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h \ +@USE_DEV_HEADERS_TRUE@utils/utils/atomics.h utils/utils/types.h utils/utils/byteorder.h \ +@USE_DEV_HEADERS_TRUE@utils/utils/string.h utils/utils/memory.h utils/utils/tty.h utils/utils/path.h \ +@USE_DEV_HEADERS_TRUE@utils/utils/status.h utils/utils/object.h utils/utils/time.h utils/utils/align.h libstrongswan_la_LIBADD = $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) \ $(BFDLIB) $(UNWINDLIB) $(am__append_2) $(am__append_4) \ @@ -982,7 +1003,8 @@ libstrongswan_la_LIBADD = $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) \ $(am__append_95) $(am__append_97) $(am__append_99) \ $(am__append_101) $(am__append_103) $(am__append_105) \ $(am__append_107) $(am__append_109) $(am__append_111) \ - $(am__append_113) $(am__append_115) $(am__append_117) + $(am__append_113) $(am__append_115) $(am__append_117) \ + $(am__append_119) AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \ -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \ -DPLUGINDIR=\"${plugindir}\" \ @@ -1033,8 +1055,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c @MONOLITHIC_FALSE@ $(am__append_102) $(am__append_104) \ @MONOLITHIC_FALSE@ $(am__append_106) $(am__append_108) \ @MONOLITHIC_FALSE@ $(am__append_110) $(am__append_112) \ -@MONOLITHIC_FALSE@ $(am__append_114) $(am__append_116) tests \ -@MONOLITHIC_FALSE@ $(am__append_118) +@MONOLITHIC_FALSE@ $(am__append_114) $(am__append_116) \ +@MONOLITHIC_FALSE@ $(am__append_118) tests $(am__append_120) # build plugins with their own Makefile ####################################### @@ -1062,8 +1084,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c @MONOLITHIC_TRUE@ $(am__append_102) $(am__append_104) \ @MONOLITHIC_TRUE@ $(am__append_106) $(am__append_108) \ @MONOLITHIC_TRUE@ $(am__append_110) $(am__append_112) \ -@MONOLITHIC_TRUE@ $(am__append_114) $(am__append_116) . tests \ -@MONOLITHIC_TRUE@ $(am__append_118) +@MONOLITHIC_TRUE@ $(am__append_114) $(am__append_116) \ +@MONOLITHIC_TRUE@ $(am__append_118) . tests $(am__append_120) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -1251,6 +1273,8 @@ crypto/iv/$(am__dirstamp): crypto/iv/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) crypto/iv/$(DEPDIR) @: > crypto/iv/$(DEPDIR)/$(am__dirstamp) +crypto/iv/iv_gen.lo: crypto/iv/$(am__dirstamp) \ + crypto/iv/$(DEPDIR)/$(am__dirstamp) crypto/iv/iv_gen_rand.lo: crypto/iv/$(am__dirstamp) \ crypto/iv/$(DEPDIR)/$(am__dirstamp) crypto/iv/iv_gen_seq.lo: crypto/iv/$(am__dirstamp) \ @@ -1486,6 +1510,8 @@ utils/$(am__dirstamp): utils/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) utils/$(DEPDIR) @: > utils/$(DEPDIR)/$(am__dirstamp) +utils/cpu_feature.lo: utils/$(am__dirstamp) \ + utils/$(DEPDIR)/$(am__dirstamp) utils/utils.lo: utils/$(am__dirstamp) utils/$(DEPDIR)/$(am__dirstamp) utils/chunk.lo: utils/$(am__dirstamp) utils/$(DEPDIR)/$(am__dirstamp) utils/debug.lo: utils/$(am__dirstamp) utils/$(DEPDIR)/$(am__dirstamp) @@ -1513,6 +1539,22 @@ utils/utils/$(DEPDIR)/$(am__dirstamp): @: > utils/utils/$(DEPDIR)/$(am__dirstamp) utils/utils/strerror.lo: utils/utils/$(am__dirstamp) \ utils/utils/$(DEPDIR)/$(am__dirstamp) +utils/utils/atomics.lo: utils/utils/$(am__dirstamp) \ + utils/utils/$(DEPDIR)/$(am__dirstamp) +utils/utils/string.lo: utils/utils/$(am__dirstamp) \ + utils/utils/$(DEPDIR)/$(am__dirstamp) +utils/utils/memory.lo: utils/utils/$(am__dirstamp) \ + utils/utils/$(DEPDIR)/$(am__dirstamp) +utils/utils/tty.lo: utils/utils/$(am__dirstamp) \ + utils/utils/$(DEPDIR)/$(am__dirstamp) +utils/utils/path.lo: utils/utils/$(am__dirstamp) \ + utils/utils/$(DEPDIR)/$(am__dirstamp) +utils/utils/status.lo: utils/utils/$(am__dirstamp) \ + utils/utils/$(DEPDIR)/$(am__dirstamp) +utils/utils/time.lo: utils/utils/$(am__dirstamp) \ + utils/utils/$(DEPDIR)/$(am__dirstamp) +utils/utils/align.lo: utils/utils/$(am__dirstamp) \ + utils/utils/$(DEPDIR)/$(am__dirstamp) threading/$(am__dirstamp): @$(MKDIR_P) threading @: > threading/$(am__dirstamp) @@ -1702,6 +1744,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@crypto/crypters/$(DEPDIR)/crypter.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/hashers/$(DEPDIR)/hash_algorithm_set.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/hashers/$(DEPDIR)/hasher.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_rand.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_seq.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/mgf1/$(DEPDIR)/mgf1.Plo@am__quote@ @@ -1760,6 +1803,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/backtrace.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/capabilities.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/chunk.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/cpu_feature.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/debug.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/enum.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/identification.Plo@am__quote@ @@ -1775,7 +1819,15 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_builtin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_glibc.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_vstr.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/utils/$(DEPDIR)/align.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/utils/$(DEPDIR)/atomics.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/utils/$(DEPDIR)/memory.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/utils/$(DEPDIR)/path.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/utils/$(DEPDIR)/status.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/utils/$(DEPDIR)/strerror.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/utils/$(DEPDIR)/string.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/utils/$(DEPDIR)/time.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@utils/utils/$(DEPDIR)/tty.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index dca12bd54..37b89c61b 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -913,6 +913,10 @@ static const asn1Object_t timeObjects[] = { { 0, "end opt", ASN1_EOC, ASN1_END }, /* 3 */ { 0, "exit", ASN1_EOC, ASN1_EXIT } }; +#ifdef TIME_UTC +/* used by C11 timespec_get(), */ +# undef TIME_UTC +#endif #define TIME_UTC 0 #define TIME_GENERALIZED 2 diff --git a/src/libstrongswan/crypto/aead.c b/src/libstrongswan/crypto/aead.c index afcc11fbe..d50bd4d22 100644 --- a/src/libstrongswan/crypto/aead.c +++ b/src/libstrongswan/crypto/aead.c @@ -172,7 +172,7 @@ METHOD(aead_t, destroy, void, /** * See header */ -aead_t *aead_create(crypter_t *crypter, signer_t *signer) +aead_t *aead_create(crypter_t *crypter, signer_t *signer, iv_gen_t *iv_gen) { private_aead_t *this; @@ -190,7 +190,7 @@ aead_t *aead_create(crypter_t *crypter, signer_t *signer) }, .crypter = crypter, .signer = signer, - .iv_gen = iv_gen_rand_create(), + .iv_gen = iv_gen, ); return &this->public; diff --git a/src/libstrongswan/crypto/aead.h b/src/libstrongswan/crypto/aead.h index 43f71b65e..9d1b8df55 100644 --- a/src/libstrongswan/crypto/aead.h +++ b/src/libstrongswan/crypto/aead.h @@ -135,8 +135,9 @@ struct aead_t { * * @param crypter encryption transform for this aead * @param signer integrity transform for this aead + * @param iv_gen suitable IV generator for encryption algorithm * @return aead transform */ -aead_t *aead_create(crypter_t *crypter, signer_t *signer); +aead_t *aead_create(crypter_t *crypter, signer_t *signer, iv_gen_t *iv_gen); #endif /** AEAD_H_ @}*/ diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c index 96fbc0d87..b0b86372c 100644 --- a/src/libstrongswan/crypto/crypto_factory.c +++ b/src/libstrongswan/crypto/crypto_factory.c @@ -377,6 +377,12 @@ METHOD(crypto_factory_t, create_dh, diffie_hellman_t*, { if (entry->algo == group) { + if (this->test_on_create && group != MODP_CUSTOM && + !this->tester->test_dh(this->tester, group, + entry->create_dh, NULL, default_plugin_name)) + { + continue; + } diffie_hellman = entry->create_dh(group, g, p); if (diffie_hellman) { @@ -439,14 +445,14 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list, } METHOD(crypto_factory_t, add_crypter, bool, - private_crypto_factory_t *this, encryption_algorithm_t algo, + private_crypto_factory_t *this, encryption_algorithm_t algo, size_t key_size, const char *plugin_name, crypter_constructor_t create) { u_int speed = 0; if (!this->test_on_add || - this->tester->test_crypter(this->tester, algo, 0, create, - this->bench ? &speed : NULL, plugin_name)) + this->tester->test_crypter(this->tester, algo, key_size, create, + this->bench ? &speed : NULL, plugin_name)) { add_entry(this, this->crypters, algo, plugin_name, speed, create); return TRUE; @@ -476,13 +482,13 @@ METHOD(crypto_factory_t, remove_crypter, void, } METHOD(crypto_factory_t, add_aead, bool, - private_crypto_factory_t *this, encryption_algorithm_t algo, + private_crypto_factory_t *this, encryption_algorithm_t algo, size_t key_size, const char *plugin_name, aead_constructor_t create) { u_int speed = 0; if (!this->test_on_add || - this->tester->test_aead(this->tester, algo, 0, 0, create, + this->tester->test_aead(this->tester, algo, key_size, 0, create, this->bench ? &speed : NULL, plugin_name)) { add_entry(this, this->aeads, algo, plugin_name, speed, create); @@ -692,8 +698,17 @@ METHOD(crypto_factory_t, add_dh, bool, private_crypto_factory_t *this, diffie_hellman_group_t group, const char *plugin_name, dh_constructor_t create) { - add_entry(this, this->dhs, group, plugin_name, 0, create); - return TRUE; + u_int speed = 0; + + if (!this->test_on_add || + this->tester->test_dh(this->tester, group, create, + this->bench ? &speed : NULL, plugin_name)) + { + add_entry(this, this->dhs, group, plugin_name, 0, create); + return TRUE; + } + this->test_failures++; + return FALSE; } METHOD(crypto_factory_t, remove_dh, void, @@ -892,16 +907,125 @@ METHOD(crypto_factory_t, add_test_vector, void, return this->tester->add_prf_vector(this->tester, vector); case RANDOM_NUMBER_GENERATOR: return this->tester->add_rng_vector(this->tester, vector); + case DIFFIE_HELLMAN_GROUP: + return this->tester->add_dh_vector(this->tester, vector); default: DBG1(DBG_LIB, "%N test vectors not supported, ignored", transform_type_names, type); } } -METHOD(crypto_factory_t, get_test_vector_failures, u_int, - private_crypto_factory_t *this) +/** + * Private enumerator for create_verify_enumerator() + */ +typedef struct { + enumerator_t public; + enumerator_t *inner; + transform_type_t type; + crypto_tester_t *tester; + rwlock_t *lock; +} verify_enumerator_t; + +METHOD(enumerator_t, verify_enumerate, bool, + verify_enumerator_t *this, u_int *alg, const char **plugin, bool *valid) { - return this->test_failures; + entry_t *entry; + + if (!this->inner->enumerate(this->inner, &entry)) + { + return FALSE; + } + switch (this->type) + { + case ENCRYPTION_ALGORITHM: + *valid = this->tester->test_crypter(this->tester, entry->algo, 0, + entry->create_crypter, NULL, entry->plugin_name); + break; + case AEAD_ALGORITHM: + *valid = this->tester->test_aead(this->tester, entry->algo, 0, 0, + entry->create_aead, NULL, entry->plugin_name); + break; + case INTEGRITY_ALGORITHM: + *valid = this->tester->test_signer(this->tester, entry->algo, + entry->create_signer, NULL, entry->plugin_name); + break; + case HASH_ALGORITHM: + *valid = this->tester->test_hasher(this->tester, entry->algo, + entry->create_hasher, NULL, entry->plugin_name); + break; + case PSEUDO_RANDOM_FUNCTION: + *valid = this->tester->test_prf(this->tester, entry->algo, + entry->create_prf, NULL, entry->plugin_name); + break; + case RANDOM_NUMBER_GENERATOR: + *valid = this->tester->test_rng(this->tester, entry->algo, + entry->create_rng, NULL, entry->plugin_name); + break; + case DIFFIE_HELLMAN_GROUP: + *valid = this->tester->test_dh(this->tester, entry->algo, + entry->create_dh, NULL, entry->plugin_name); + break; + default: + return FALSE; + } + *plugin = entry->plugin_name; + *alg = entry->algo; + return TRUE; +} + +METHOD(enumerator_t, verify_destroy, void, + verify_enumerator_t *this) +{ + this->inner->destroy(this->inner); + this->lock->unlock(this->lock); + free(this); +} + +METHOD(crypto_factory_t, create_verify_enumerator, enumerator_t*, + private_crypto_factory_t *this, transform_type_t type) +{ + verify_enumerator_t *enumerator; + enumerator_t *inner; + + this->lock->read_lock(this->lock); + switch (type) + { + case ENCRYPTION_ALGORITHM: + inner = this->crypters->create_enumerator(this->crypters); + break; + case AEAD_ALGORITHM: + inner = this->aeads->create_enumerator(this->aeads); + break; + case INTEGRITY_ALGORITHM: + inner = this->signers->create_enumerator(this->signers); + break; + case HASH_ALGORITHM: + inner = this->hashers->create_enumerator(this->hashers); + break; + case PSEUDO_RANDOM_FUNCTION: + inner = this->prfs->create_enumerator(this->prfs); + break; + case RANDOM_NUMBER_GENERATOR: + inner = this->rngs->create_enumerator(this->rngs); + break; + case DIFFIE_HELLMAN_GROUP: + inner = this->dhs->create_enumerator(this->dhs); + break; + default: + this->lock->unlock(this->lock); + return enumerator_create_empty(); + } + INIT(enumerator, + .public = { + .enumerate = (void*)_verify_enumerate, + .destroy = _verify_destroy, + }, + .inner = inner, + .type = type, + .tester = this->tester, + .lock = this->lock, + ); + return &enumerator->public; } METHOD(crypto_factory_t, destroy, void, @@ -962,7 +1086,7 @@ crypto_factory_t *crypto_factory_create() .create_rng_enumerator = _create_rng_enumerator, .create_nonce_gen_enumerator = _create_nonce_gen_enumerator, .add_test_vector = _add_test_vector, - .get_test_vector_failures = _get_test_vector_failures, + .create_verify_enumerator = _create_verify_enumerator, .destroy = _destroy, }, .crypters = linked_list_create(), @@ -985,39 +1109,3 @@ crypto_factory_t *crypto_factory_create() return &this->public; } - -/** - * Manually verify all registered algorithms against test vectors - */ -static u_int verify_registered_algorithms(crypto_factory_t *factory) -{ - private_crypto_factory_t *this = (private_crypto_factory_t*)factory; - enumerator_t *enumerator; - entry_t *entry; - u_int failures = 0; - -#define TEST_ALGORITHMS(test, ...) do { \ - enumerator = this->test##s->create_enumerator(this->test##s); \ - while (enumerator->enumerate(enumerator, &entry)) \ - { \ - if (!this->tester->test_##test(this->tester, entry->algo, ##__VA_ARGS__, \ - entry->create_##test, NULL, entry->plugin_name)) \ - { \ - failures++; \ - } \ - } \ - enumerator->destroy(enumerator); \ -} while (0) - - this->lock->read_lock(this->lock); - TEST_ALGORITHMS(crypter, 0); - TEST_ALGORITHMS(aead, 0, 0); - TEST_ALGORITHMS(signer); - TEST_ALGORITHMS(hasher); - TEST_ALGORITHMS(prf); - TEST_ALGORITHMS(rng); - this->lock->unlock(this->lock); - return failures; -} - -EXPORT_FUNCTION_FOR_TESTS(crypto, verify_registered_algorithms); diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h index 7865bcb15..e03915603 100644 --- a/src/libstrongswan/crypto/crypto_factory.h +++ b/src/libstrongswan/crypto/crypto_factory.h @@ -162,12 +162,14 @@ struct crypto_factory_t { * Register a crypter constructor. * * @param algo algorithm to constructor + * @param key size key size to peform benchmarking for * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return TRUE if registered, FALSE if test vector failed */ bool (*add_crypter)(crypto_factory_t *this, encryption_algorithm_t algo, - const char *plugin_name, crypter_constructor_t create); + size_t key_size, const char *plugin_name, + crypter_constructor_t create); /** * Unregister a crypter constructor. @@ -187,12 +189,14 @@ struct crypto_factory_t { * Register a aead constructor. * * @param algo algorithm to constructor + * @param key size key size to peform benchmarking for * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return TRUE if registered, FALSE if test vector failed */ bool (*add_aead)(crypto_factory_t *this, encryption_algorithm_t algo, - const char *plugin_name, aead_constructor_t create); + size_t key_size, const char *plugin_name, + aead_constructor_t create); /** * Register a signer constructor. @@ -368,14 +372,17 @@ struct crypto_factory_t { void *vector); /** - * Get the number of test vector failures encountered during add. + * Create an enumerator verifying transforms using known test vectors. * - * This counter gets incremented only if transforms get tested during - * registration. + * The resulting enumerator enumerates over an u_int with the type + * specific transform identifier, the plugin name providing the transform, + * and a boolean value indicating success/failure for the given transform. * - * @return number of failed test vectors + * @param type transform type to test + * @return enumerator over (u_int, char*, bool) */ - u_int (*get_test_vector_failures)(crypto_factory_t *this); + enumerator_t* (*create_verify_enumerator)(crypto_factory_t *this, + transform_type_t type); /** * Destroy a crypto_factory instance. diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index 15ed17381..5607d35b9 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c @@ -67,6 +67,11 @@ struct private_crypto_tester_t { */ linked_list_t *rng; + /** + * List of Diffie-Hellman test vectors + */ + linked_list_t *dh; + /** * Is a test vector required to pass a test? */ @@ -138,11 +143,11 @@ static u_int end_timing(struct timespec *start) * Benchmark a crypter */ static u_int bench_crypter(private_crypto_tester_t *this, - encryption_algorithm_t alg, crypter_constructor_t create) + encryption_algorithm_t alg, crypter_constructor_t create, size_t key_size) { crypter_t *crypter; - crypter = create(alg, 0); + crypter = create(alg, key_size); if (crypter) { char iv[crypter->get_iv_size(crypter)]; @@ -280,8 +285,8 @@ failure: { if (failed) { - DBG1(DBG_LIB,"disable %N[%s]: no key size supported", - encryption_algorithm_names, alg, plugin_name); + DBG1(DBG_LIB,"disable %N[%s]: %zd byte key size not supported", + encryption_algorithm_names, alg, plugin_name, key_size); return FALSE; } else @@ -296,9 +301,10 @@ failure: { if (speed) { - *speed = bench_crypter(this, alg, create); - DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", - encryption_algorithm_names, alg, plugin_name, tested, *speed); + *speed = bench_crypter(this, alg, create, key_size); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points " + "(%zd bit key)", encryption_algorithm_names, alg, + plugin_name, tested, *speed, key_size * 8); } else { @@ -313,11 +319,11 @@ failure: * Benchmark an aead transform */ static u_int bench_aead(private_crypto_tester_t *this, - encryption_algorithm_t alg, aead_constructor_t create) + encryption_algorithm_t alg, aead_constructor_t create, size_t key_size) { aead_t *aead; - aead = create(alg, 0, 0); + aead = create(alg, key_size, 0); if (aead) { char iv[aead->get_iv_size(aead)]; @@ -474,8 +480,8 @@ failure: { if (failed) { - DBG1(DBG_LIB,"disable %N[%s]: no key size supported", - encryption_algorithm_names, alg, plugin_name); + DBG1(DBG_LIB,"disable %N[%s]: %zd byte key size not supported", + encryption_algorithm_names, alg, plugin_name, key_size); return FALSE; } else @@ -490,9 +496,10 @@ failure: { if (speed) { - *speed = bench_aead(this, alg, create); - DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", - encryption_algorithm_names, alg, plugin_name, tested, *speed); + *speed = bench_aead(this, alg, create, key_size); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points " + "(%zd bit key)", encryption_algorithm_names, alg, + plugin_name, tested, *speed, key_size * 8); } else { @@ -1153,6 +1160,154 @@ failure: return !failed; } +/** + * Benchmark a DH backend + */ +static u_int bench_dh(private_crypto_tester_t *this, + diffie_hellman_group_t group, dh_constructor_t create) +{ + chunk_t pub = chunk_empty, shared = chunk_empty; + diffie_hellman_t *dh; + struct timespec start; + u_int runs; + + runs = 0; + start_timing(&start); + while (end_timing(&start) < this->bench_time) + { + dh = create(group); + if (!dh) + { + return 0; + } + if (dh->get_my_public_value(dh, &pub) && + dh->set_other_public_value(dh, pub) && + dh->get_shared_secret(dh, &shared)) + { + runs++; + } + chunk_free(&pub); + chunk_free(&shared); + dh->destroy(dh); + } + return runs; +} + +METHOD(crypto_tester_t, test_dh, bool, + private_crypto_tester_t *this, diffie_hellman_group_t group, + dh_constructor_t create, u_int *speed, const char *plugin_name) +{ + enumerator_t *enumerator; + dh_test_vector_t *v; + bool failed = FALSE; + u_int tested = 0; + + enumerator = this->dh->create_enumerator(this->dh); + while (enumerator->enumerate(enumerator, &v)) + { + diffie_hellman_t *a, *b; + chunk_t apub, bpub, asec, bsec; + + if (v->group != group) + { + continue; + } + + a = create(group); + b = create(group); + if (!a || !b) + { + DESTROY_IF(a); + DESTROY_IF(b); + failed = TRUE; + tested++; + DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed", + diffie_hellman_group_names, group, plugin_name); + break; + } + + if (!a->set_private_value || !b->set_private_value) + { /* does not support testing */ + a->destroy(a); + b->destroy(b); + continue; + } + failed = TRUE; + tested++; + + apub = bpub = asec = bsec = chunk_empty; + + if (!a->set_private_value(a, chunk_create(v->priv_a, v->priv_len)) || + !b->set_private_value(b, chunk_create(v->priv_b, v->priv_len))) + { + goto failure; + } + if (!a->get_my_public_value(a, &apub) || + !chunk_equals(apub, chunk_create(v->pub_a, v->pub_len))) + { + goto failure; + } + if (!b->get_my_public_value(b, &bpub) || + !chunk_equals(bpub, chunk_create(v->pub_b, v->pub_len))) + { + goto failure; + } + if (!a->set_other_public_value(a, bpub) || + !b->set_other_public_value(b, apub)) + { + goto failure; + } + if (!a->get_shared_secret(a, &asec) || + !chunk_equals(asec, chunk_create(v->shared, v->shared_len))) + { + goto failure; + } + if (!b->get_shared_secret(b, &bsec) || + !chunk_equals(bsec, chunk_create(v->shared, v->shared_len))) + { + goto failure; + } + + failed = FALSE; +failure: + a->destroy(a); + b->destroy(b); + chunk_free(&apub); + chunk_free(&bpub); + chunk_free(&asec); + chunk_free(&bsec); + if (failed) + { + DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", + diffie_hellman_group_names, group, plugin_name, get_name(v)); + break; + } + } + enumerator->destroy(enumerator); + if (!tested) + { + DBG1(DBG_LIB, "%s %N[%s]: no test vectors found / untestable", + this->required ? "disabled" : "enabled ", + diffie_hellman_group_names, group, plugin_name); + return !this->required; + } + if (!failed) + { + if (speed) + { + *speed = bench_dh(this, group, create); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", + diffie_hellman_group_names, group, plugin_name, tested, *speed); + } + else + { + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", + diffie_hellman_group_names, group, plugin_name, tested); + } + } + return !failed; +} + METHOD(crypto_tester_t, add_crypter_vector, void, private_crypto_tester_t *this, crypter_test_vector_t *vector) { @@ -1189,6 +1344,12 @@ METHOD(crypto_tester_t, add_rng_vector, void, this->rng->insert_last(this->rng, vector); } +METHOD(crypto_tester_t, add_dh_vector, void, + private_crypto_tester_t *this, dh_test_vector_t *vector) +{ + this->dh->insert_last(this->dh, vector); +} + METHOD(crypto_tester_t, destroy, void, private_crypto_tester_t *this) { @@ -1198,6 +1359,7 @@ METHOD(crypto_tester_t, destroy, void, this->hasher->destroy(this->hasher); this->prf->destroy(this->prf); this->rng->destroy(this->rng); + this->dh->destroy(this->dh); free(this); } @@ -1216,12 +1378,14 @@ crypto_tester_t *crypto_tester_create() .test_hasher = _test_hasher, .test_prf = _test_prf, .test_rng = _test_rng, + .test_dh = _test_dh, .add_crypter_vector = _add_crypter_vector, .add_aead_vector = _add_aead_vector, .add_signer_vector = _add_signer_vector, .add_hasher_vector = _add_hasher_vector, .add_prf_vector = _add_prf_vector, .add_rng_vector = _add_rng_vector, + .add_dh_vector = _add_dh_vector, .destroy = _destroy, }, .crypter = linked_list_create(), @@ -1230,6 +1394,7 @@ crypto_tester_t *crypto_tester_create() .hasher = linked_list_create(), .prf = linked_list_create(), .rng = linked_list_create(), + .dh = linked_list_create(), .required = lib->settings->get_bool(lib->settings, "%s.crypto_test.required", FALSE, lib->ns), diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h index add3b1cdf..6cc9b0d57 100644 --- a/src/libstrongswan/crypto/crypto_tester.h +++ b/src/libstrongswan/crypto/crypto_tester.h @@ -31,6 +31,7 @@ typedef struct signer_test_vector_t signer_test_vector_t; typedef struct hasher_test_vector_t hasher_test_vector_t; typedef struct prf_test_vector_t prf_test_vector_t; typedef struct rng_test_vector_t rng_test_vector_t; +typedef struct dh_test_vector_t dh_test_vector_t; struct crypter_test_vector_t { /** encryption algorithm this vector tests */ @@ -129,6 +130,27 @@ struct rng_test_vector_t { void *user; }; +struct dh_test_vector_t { + /** diffie hellman group to test */ + diffie_hellman_group_t group; + /** private value of alice */ + u_char *priv_a; + /** private value of bob */ + u_char *priv_b; + /** length of private values */ + size_t priv_len; + /** expected public value of alice */ + u_char *pub_a; + /** expected public value of bob */ + u_char *pub_b; + /** size of public values */ + size_t pub_len; + /** expected shared secret */ + u_char *shared; + /** size of shared secret */ + size_t shared_len; +}; + /** * Cryptographic primitive testing framework. */ @@ -205,6 +227,18 @@ struct crypto_tester_t { bool (*test_rng)(crypto_tester_t *this, rng_quality_t quality, rng_constructor_t create, u_int *speed, const char *plugin_name); + /** + * Test a Diffie-Hellman implementation. + * + * @param group group to test + * @param create constructor function for the DH backend + * @param speed speeed test result, NULL to omit + * @return TRUE if test passed + */ + bool (*test_dh)(crypto_tester_t *this, diffie_hellman_group_t group, + dh_constructor_t create, + u_int *speed, const char *plugin_name); + /** * Add a test vector to test a crypter. * @@ -247,6 +281,13 @@ struct crypto_tester_t { */ void (*add_rng_vector)(crypto_tester_t *this, rng_test_vector_t *vector); + /** + * Add a test vector to test a Diffie-Hellman backend. + * + * @param vector pointer to test vector + */ + void (*add_dh_vector)(crypto_tester_t *this, dh_test_vector_t *vector); + /** * Destroy a crypto_tester_t. */ diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h index 4704cd0da..abebd66ad 100644 --- a/src/libstrongswan/crypto/diffie_hellman.h +++ b/src/libstrongswan/crypto/diffie_hellman.h @@ -116,6 +116,18 @@ struct diffie_hellman_t { bool (*get_my_public_value) (diffie_hellman_t *this, chunk_t *value) __attribute__((warn_unused_result)); + /** + * Set an explicit own private value to use. + * + * Calling this method is usually not required, as the DH backend generates + * an appropriate private value itself. It is optional to implement, and + * used mostly for testing purposes. + * + * @param value private value to set + */ + bool (*set_private_value)(diffie_hellman_t *this, chunk_t value) + __attribute__((warn_unused_result)); + /** * Get the DH group used. * diff --git a/src/libstrongswan/crypto/iv/iv_gen.c b/src/libstrongswan/crypto/iv/iv_gen.c new file mode 100644 index 000000000..e18843210 --- /dev/null +++ b/src/libstrongswan/crypto/iv/iv_gen.c @@ -0,0 +1,61 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "iv_gen.h" +#include "iv_gen_rand.h" +#include "iv_gen_seq.h" + +/** + * See header. + */ +iv_gen_t* iv_gen_create_for_alg(encryption_algorithm_t alg) +{ + switch (alg) + { + case ENCR_DES: + case ENCR_3DES: + case ENCR_RC5: + case ENCR_IDEA: + case ENCR_CAST: + case ENCR_BLOWFISH: + case ENCR_3IDEA: + case ENCR_AES_CBC: + case ENCR_CAMELLIA_CBC: + case ENCR_SERPENT_CBC: + case ENCR_TWOFISH_CBC: + case ENCR_RC2_CBC: + return iv_gen_rand_create(); + case ENCR_AES_CTR: + case ENCR_AES_CCM_ICV8: + case ENCR_AES_CCM_ICV12: + case ENCR_AES_CCM_ICV16: + case ENCR_AES_GCM_ICV8: + case ENCR_AES_GCM_ICV12: + case ENCR_AES_GCM_ICV16: + case ENCR_CAMELLIA_CTR: + case ENCR_CAMELLIA_CCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV16: + case ENCR_NULL_AUTH_AES_GMAC: + return iv_gen_seq_create(); + case ENCR_NULL: + case ENCR_UNDEFINED: + case ENCR_DES_ECB: + case ENCR_DES_IV32: + case ENCR_DES_IV64: + break; + } + return NULL; +} diff --git a/src/libstrongswan/crypto/iv/iv_gen.h b/src/libstrongswan/crypto/iv/iv_gen.h index f6bc6471f..81b0701ce 100644 --- a/src/libstrongswan/crypto/iv/iv_gen.h +++ b/src/libstrongswan/crypto/iv/iv_gen.h @@ -58,4 +58,12 @@ struct iv_gen_t { void (*destroy)(iv_gen_t *this); }; +/** + * Select an IV generator for a given encryption algorithm. + * + * @param alg encryption algorithm + * @return IV generator + */ +iv_gen_t* iv_gen_create_for_alg(encryption_algorithm_t alg); + #endif /** IV_GEN_H_ @}*/ diff --git a/src/libstrongswan/crypto/iv/iv_gen_seq.c b/src/libstrongswan/crypto/iv/iv_gen_seq.c index 98d0c15a6..4de13744d 100644 --- a/src/libstrongswan/crypto/iv/iv_gen_seq.c +++ b/src/libstrongswan/crypto/iv/iv_gen_seq.c @@ -15,6 +15,11 @@ #include "iv_gen_seq.h" +/** + * Magic value for the initial IV state + */ +#define SEQ_IV_INIT_STATE (~(u_int64_t)0) + typedef struct private_iv_gen_t private_iv_gen_t; /** @@ -27,6 +32,11 @@ struct private_iv_gen_t { */ iv_gen_t public; + /** + * Previously passed sequence number to enforce uniqueness + */ + u_int64_t prev; + /** * Salt to mask counter */ @@ -43,6 +53,19 @@ METHOD(iv_gen_t, get_iv, bool, { return FALSE; } + if (size < sizeof(u_int64_t)) + { + return FALSE; + } + if (this->prev != SEQ_IV_INIT_STATE && seq <= this->prev) + { + return FALSE; + } + if (seq == SEQ_IV_INIT_STATE) + { + return FALSE; + } + this->prev = seq; if (len > sizeof(u_int64_t)) { len = sizeof(u_int64_t); @@ -84,6 +107,7 @@ iv_gen_t *iv_gen_seq_create() .allocate_iv = _allocate_iv, .destroy = _destroy, }, + .prev = SEQ_IV_INIT_STATE, ); rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); diff --git a/src/libstrongswan/crypto/iv/iv_gen_seq.h b/src/libstrongswan/crypto/iv/iv_gen_seq.h index 329dcca05..43ff4f65e 100644 --- a/src/libstrongswan/crypto/iv/iv_gen_seq.h +++ b/src/libstrongswan/crypto/iv/iv_gen_seq.h @@ -25,6 +25,9 @@ /** * Create an IV generator that generates sequential IVs (counter). * + * The passed external IV must be larger than the one passed to any previous + * call. + * * @return IV generator */ iv_gen_t *iv_gen_seq_create(); diff --git a/src/libstrongswan/crypto/signers/mac_signer.c b/src/libstrongswan/crypto/signers/mac_signer.c index 7c52aa305..1094c4473 100644 --- a/src/libstrongswan/crypto/signers/mac_signer.c +++ b/src/libstrongswan/crypto/signers/mac_signer.c @@ -85,7 +85,7 @@ METHOD(signer_t, verify_signature, bool, return FALSE; } return this->mac->get_mac(this->mac, data, mac) && - memeq(signature.ptr, mac, this->truncation); + memeq_const(signature.ptr, mac, this->truncation); } METHOD(signer_t, get_key_size, size_t, @@ -136,4 +136,3 @@ signer_t *mac_signer_create(mac_t *mac, size_t len) return &this->public; } - diff --git a/src/libstrongswan/crypto/transform.c b/src/libstrongswan/crypto/transform.c index 56252971a..7c6678b61 100644 --- a/src/libstrongswan/crypto/transform.c +++ b/src/libstrongswan/crypto/transform.c @@ -14,6 +14,8 @@ */ #include +#include +#include ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, COMPRESSION_ALGORITHM, "UNDEFINED_TRANSFORM_TYPE", @@ -34,3 +36,33 @@ ENUM(extended_sequence_numbers_names, NO_EXT_SEQ_NUMBERS, EXT_SEQ_NUMBERS, "NO_EXT_SEQ", "EXT_SEQ", ); + + +/** + * See header + */ +enum_name_t* transform_get_enum_names(transform_type_t type) +{ + switch (type) + { + case HASH_ALGORITHM: + return hash_algorithm_names; + case RANDOM_NUMBER_GENERATOR: + return rng_quality_names; + case AEAD_ALGORITHM: + case ENCRYPTION_ALGORITHM: + return encryption_algorithm_names; + case PSEUDO_RANDOM_FUNCTION: + return pseudo_random_function_names; + case INTEGRITY_ALGORITHM: + return integrity_algorithm_names; + case DIFFIE_HELLMAN_GROUP: + return diffie_hellman_group_names; + case EXTENDED_SEQUENCE_NUMBERS: + return extended_sequence_numbers_names; + case UNDEFINED_TRANSFORM_TYPE: + case COMPRESSION_ALGORITHM: + break; + } + return NULL; +} diff --git a/src/libstrongswan/crypto/transform.h b/src/libstrongswan/crypto/transform.h index a585e9784..0cb84f0f5 100644 --- a/src/libstrongswan/crypto/transform.h +++ b/src/libstrongswan/crypto/transform.h @@ -46,6 +46,14 @@ enum transform_type_t { */ extern enum_name_t *transform_type_names; +/** + * Get the enum names for a specific transform type. + * + * @param type type of transform to get enum names for + * @return enum names + */ +enum_name_t *transform_get_enum_names(transform_type_t type); + /** * Extended sequence numbers, as in IKEv2 RFC 3.3.2. */ diff --git a/src/libstrongswan/plugins/aesni/Makefile.am b/src/libstrongswan/plugins/aesni/Makefile.am new file mode 100644 index 000000000..2fe85c66c --- /dev/null +++ b/src/libstrongswan/plugins/aesni/Makefile.am @@ -0,0 +1,26 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + -maes \ + -mpclmul \ + -mssse3 \ + $(PLUGIN_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-aesni.la +else +plugin_LTLIBRARIES = libstrongswan-aesni.la +endif + +libstrongswan_aesni_la_SOURCES = \ + aesni_key.h aesni_key.c \ + aesni_cbc.h aesni_cbc.c \ + aesni_ctr.h aesni_ctr.c \ + aesni_ccm.h aesni_ccm.c \ + aesni_gcm.h aesni_gcm.c \ + aesni_xcbc.h aesni_xcbc.c \ + aesni_cmac.h aesni_cmac.c \ + aesni_plugin.h aesni_plugin.c + +libstrongswan_aesni_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/aesni/Makefile.in b/src/libstrongswan/plugins/aesni/Makefile.in new file mode 100644 index 000000000..34adaa390 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/Makefile.in @@ -0,0 +1,793 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/aesni +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_aesni_la_LIBADD = +am_libstrongswan_aesni_la_OBJECTS = aesni_key.lo aesni_cbc.lo \ + aesni_ctr.lo aesni_ccm.lo aesni_gcm.lo aesni_xcbc.lo \ + aesni_cmac.lo aesni_plugin.lo +libstrongswan_aesni_la_OBJECTS = $(am_libstrongswan_aesni_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libstrongswan_aesni_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_aesni_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_aesni_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_aesni_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libstrongswan_aesni_la_SOURCES) +DIST_SOURCES = $(libstrongswan_aesni_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + -maes \ + -mpclmul \ + -mssse3 \ + $(PLUGIN_CFLAGS) + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-aesni.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-aesni.la +libstrongswan_aesni_la_SOURCES = \ + aesni_key.h aesni_key.c \ + aesni_cbc.h aesni_cbc.c \ + aesni_ctr.h aesni_ctr.c \ + aesni_ccm.h aesni_ccm.c \ + aesni_gcm.h aesni_gcm.c \ + aesni_xcbc.h aesni_xcbc.c \ + aesni_cmac.h aesni_cmac.c \ + aesni_plugin.h aesni_plugin.c + +libstrongswan_aesni_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/aesni/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/aesni/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-aesni.la: $(libstrongswan_aesni_la_OBJECTS) $(libstrongswan_aesni_la_DEPENDENCIES) $(EXTRA_libstrongswan_aesni_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_aesni_la_LINK) $(am_libstrongswan_aesni_la_rpath) $(libstrongswan_aesni_la_OBJECTS) $(libstrongswan_aesni_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aesni_cbc.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aesni_ccm.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aesni_cmac.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aesni_ctr.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aesni_gcm.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aesni_key.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aesni_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aesni_xcbc.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/aesni/aesni_cbc.c b/src/libstrongswan/plugins/aesni/aesni_cbc.c new file mode 100644 index 000000000..78ada7663 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_cbc.c @@ -0,0 +1,671 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "aesni_cbc.h" +#include "aesni_key.h" + +/** + * Pipeline parallelism we use for CBC decryption + */ +#define CBC_DECRYPT_PARALLELISM 4 + +typedef struct private_aesni_cbc_t private_aesni_cbc_t; + +/** + * CBC en/decryption method type + */ +typedef void (*aesni_cbc_fn_t)(aesni_key_t*, u_int, u_char*, u_char*, u_char*); + +/** + * Private data of an aesni_cbc_t object. + */ +struct private_aesni_cbc_t { + + /** + * Public aesni_cbc_t interface. + */ + aesni_cbc_t public; + + /** + * Key size + */ + u_int key_size; + + /** + * Encryption key schedule + */ + aesni_key_t *ekey; + + /** + * Decryption key schedule + */ + aesni_key_t *dkey; + + /** + * Encryption method + */ + aesni_cbc_fn_t encrypt; + + /** + * Decryption method + */ + aesni_cbc_fn_t decrypt; +}; + +/** + * AES-128 CBC encryption + */ +static void encrypt_cbc128(aesni_key_t *key, u_int blocks, u_char *in, + u_char *iv, u_char *out) +{ + __m128i *ks, t, fb, *bi, *bo; + int i; + + ks = key->schedule; + bi = (__m128i*)in; + bo = (__m128i*)out; + + fb = _mm_loadu_si128((__m128i*)iv); + for (i = 0; i < blocks; i++) + { + t = _mm_loadu_si128(bi + i); + fb = _mm_xor_si128(t, fb); + fb = _mm_xor_si128(fb, ks[0]); + + fb = _mm_aesenc_si128(fb, ks[1]); + fb = _mm_aesenc_si128(fb, ks[2]); + fb = _mm_aesenc_si128(fb, ks[3]); + fb = _mm_aesenc_si128(fb, ks[4]); + fb = _mm_aesenc_si128(fb, ks[5]); + fb = _mm_aesenc_si128(fb, ks[6]); + fb = _mm_aesenc_si128(fb, ks[7]); + fb = _mm_aesenc_si128(fb, ks[8]); + fb = _mm_aesenc_si128(fb, ks[9]); + + fb = _mm_aesenclast_si128(fb, ks[10]); + _mm_storeu_si128(bo + i, fb); + } +} + +/** + * AES-128 CBC decryption + */ +static void decrypt_cbc128(aesni_key_t *key, u_int blocks, u_char *in, + u_char *iv, u_char *out) +{ + __m128i *ks, last, *bi, *bo; + __m128i t1, t2, t3, t4; + __m128i f1, f2, f3, f4; + u_int i, pblocks; + + ks = key->schedule; + bi = (__m128i*)in; + bo = (__m128i*)out; + pblocks = blocks - (blocks % CBC_DECRYPT_PARALLELISM); + + f1 = _mm_loadu_si128((__m128i*)iv); + + for (i = 0; i < pblocks; i += CBC_DECRYPT_PARALLELISM) + { + t1 = _mm_loadu_si128(bi + i + 0); + t2 = _mm_loadu_si128(bi + i + 1); + t3 = _mm_loadu_si128(bi + i + 2); + t4 = _mm_loadu_si128(bi + i + 3); + + f2 = t1; + f3 = t2; + f4 = t3; + last = t4; + + t1 = _mm_xor_si128(t1, ks[0]); + t2 = _mm_xor_si128(t2, ks[0]); + t3 = _mm_xor_si128(t3, ks[0]); + t4 = _mm_xor_si128(t4, ks[0]); + + t1 = _mm_aesdec_si128(t1, ks[1]); + t2 = _mm_aesdec_si128(t2, ks[1]); + t3 = _mm_aesdec_si128(t3, ks[1]); + t4 = _mm_aesdec_si128(t4, ks[1]); + t1 = _mm_aesdec_si128(t1, ks[2]); + t2 = _mm_aesdec_si128(t2, ks[2]); + t3 = _mm_aesdec_si128(t3, ks[2]); + t4 = _mm_aesdec_si128(t4, ks[2]); + t1 = _mm_aesdec_si128(t1, ks[3]); + t2 = _mm_aesdec_si128(t2, ks[3]); + t3 = _mm_aesdec_si128(t3, ks[3]); + t4 = _mm_aesdec_si128(t4, ks[3]); + t1 = _mm_aesdec_si128(t1, ks[4]); + t2 = _mm_aesdec_si128(t2, ks[4]); + t3 = _mm_aesdec_si128(t3, ks[4]); + t4 = _mm_aesdec_si128(t4, ks[4]); + t1 = _mm_aesdec_si128(t1, ks[5]); + t2 = _mm_aesdec_si128(t2, ks[5]); + t3 = _mm_aesdec_si128(t3, ks[5]); + t4 = _mm_aesdec_si128(t4, ks[5]); + t1 = _mm_aesdec_si128(t1, ks[6]); + t2 = _mm_aesdec_si128(t2, ks[6]); + t3 = _mm_aesdec_si128(t3, ks[6]); + t4 = _mm_aesdec_si128(t4, ks[6]); + t1 = _mm_aesdec_si128(t1, ks[7]); + t2 = _mm_aesdec_si128(t2, ks[7]); + t3 = _mm_aesdec_si128(t3, ks[7]); + t4 = _mm_aesdec_si128(t4, ks[7]); + t1 = _mm_aesdec_si128(t1, ks[8]); + t2 = _mm_aesdec_si128(t2, ks[8]); + t3 = _mm_aesdec_si128(t3, ks[8]); + t4 = _mm_aesdec_si128(t4, ks[8]); + t1 = _mm_aesdec_si128(t1, ks[9]); + t2 = _mm_aesdec_si128(t2, ks[9]); + t3 = _mm_aesdec_si128(t3, ks[9]); + t4 = _mm_aesdec_si128(t4, ks[9]); + + t1 = _mm_aesdeclast_si128(t1, ks[10]); + t2 = _mm_aesdeclast_si128(t2, ks[10]); + t3 = _mm_aesdeclast_si128(t3, ks[10]); + t4 = _mm_aesdeclast_si128(t4, ks[10]); + t1 = _mm_xor_si128(t1, f1); + t2 = _mm_xor_si128(t2, f2); + t3 = _mm_xor_si128(t3, f3); + t4 = _mm_xor_si128(t4, f4); + _mm_storeu_si128(bo + i + 0, t1); + _mm_storeu_si128(bo + i + 1, t2); + _mm_storeu_si128(bo + i + 2, t3); + _mm_storeu_si128(bo + i + 3, t4); + f1 = last; + } + + for (i = pblocks; i < blocks; i++) + { + last = _mm_loadu_si128(bi + i); + t1 = _mm_xor_si128(last, ks[0]); + + t1 = _mm_aesdec_si128(t1, ks[1]); + t1 = _mm_aesdec_si128(t1, ks[2]); + t1 = _mm_aesdec_si128(t1, ks[3]); + t1 = _mm_aesdec_si128(t1, ks[4]); + t1 = _mm_aesdec_si128(t1, ks[5]); + t1 = _mm_aesdec_si128(t1, ks[6]); + t1 = _mm_aesdec_si128(t1, ks[7]); + t1 = _mm_aesdec_si128(t1, ks[8]); + t1 = _mm_aesdec_si128(t1, ks[9]); + + t1 = _mm_aesdeclast_si128(t1, ks[10]); + t1 = _mm_xor_si128(t1, f1); + _mm_storeu_si128(bo + i, t1); + f1 = last; + } +} + +/** + * AES-192 CBC encryption + */ +static void encrypt_cbc192(aesni_key_t *key, u_int blocks, u_char *in, + u_char *iv, u_char *out) +{ + __m128i *ks, t, fb, *bi, *bo; + int i; + + ks = key->schedule; + bi = (__m128i*)in; + bo = (__m128i*)out; + + fb = _mm_loadu_si128((__m128i*)iv); + for (i = 0; i < blocks; i++) + { + t = _mm_loadu_si128(bi + i); + fb = _mm_xor_si128(t, fb); + fb = _mm_xor_si128(fb, ks[0]); + + fb = _mm_aesenc_si128(fb, ks[1]); + fb = _mm_aesenc_si128(fb, ks[2]); + fb = _mm_aesenc_si128(fb, ks[3]); + fb = _mm_aesenc_si128(fb, ks[4]); + fb = _mm_aesenc_si128(fb, ks[5]); + fb = _mm_aesenc_si128(fb, ks[6]); + fb = _mm_aesenc_si128(fb, ks[7]); + fb = _mm_aesenc_si128(fb, ks[8]); + fb = _mm_aesenc_si128(fb, ks[9]); + fb = _mm_aesenc_si128(fb, ks[10]); + fb = _mm_aesenc_si128(fb, ks[11]); + + fb = _mm_aesenclast_si128(fb, ks[12]); + _mm_storeu_si128(bo + i, fb); + } +} + +/** + * AES-192 CBC decryption + */ +static void decrypt_cbc192(aesni_key_t *key, u_int blocks, u_char *in, + u_char *iv, u_char *out) +{ + __m128i *ks, last, *bi, *bo; + __m128i t1, t2, t3, t4; + __m128i f1, f2, f3, f4; + u_int i, pblocks; + + ks = key->schedule; + bi = (__m128i*)in; + bo = (__m128i*)out; + pblocks = blocks - (blocks % CBC_DECRYPT_PARALLELISM); + + f1 = _mm_loadu_si128((__m128i*)iv); + + for (i = 0; i < pblocks; i += CBC_DECRYPT_PARALLELISM) + { + t1 = _mm_loadu_si128(bi + i + 0); + t2 = _mm_loadu_si128(bi + i + 1); + t3 = _mm_loadu_si128(bi + i + 2); + t4 = _mm_loadu_si128(bi + i + 3); + + f2 = t1; + f3 = t2; + f4 = t3; + last = t4; + + t1 = _mm_xor_si128(t1, ks[0]); + t2 = _mm_xor_si128(t2, ks[0]); + t3 = _mm_xor_si128(t3, ks[0]); + t4 = _mm_xor_si128(t4, ks[0]); + + t1 = _mm_aesdec_si128(t1, ks[1]); + t2 = _mm_aesdec_si128(t2, ks[1]); + t3 = _mm_aesdec_si128(t3, ks[1]); + t4 = _mm_aesdec_si128(t4, ks[1]); + t1 = _mm_aesdec_si128(t1, ks[2]); + t2 = _mm_aesdec_si128(t2, ks[2]); + t3 = _mm_aesdec_si128(t3, ks[2]); + t4 = _mm_aesdec_si128(t4, ks[2]); + t1 = _mm_aesdec_si128(t1, ks[3]); + t2 = _mm_aesdec_si128(t2, ks[3]); + t3 = _mm_aesdec_si128(t3, ks[3]); + t4 = _mm_aesdec_si128(t4, ks[3]); + t1 = _mm_aesdec_si128(t1, ks[4]); + t2 = _mm_aesdec_si128(t2, ks[4]); + t3 = _mm_aesdec_si128(t3, ks[4]); + t4 = _mm_aesdec_si128(t4, ks[4]); + t1 = _mm_aesdec_si128(t1, ks[5]); + t2 = _mm_aesdec_si128(t2, ks[5]); + t3 = _mm_aesdec_si128(t3, ks[5]); + t4 = _mm_aesdec_si128(t4, ks[5]); + t1 = _mm_aesdec_si128(t1, ks[6]); + t2 = _mm_aesdec_si128(t2, ks[6]); + t3 = _mm_aesdec_si128(t3, ks[6]); + t4 = _mm_aesdec_si128(t4, ks[6]); + t1 = _mm_aesdec_si128(t1, ks[7]); + t2 = _mm_aesdec_si128(t2, ks[7]); + t3 = _mm_aesdec_si128(t3, ks[7]); + t4 = _mm_aesdec_si128(t4, ks[7]); + t1 = _mm_aesdec_si128(t1, ks[8]); + t2 = _mm_aesdec_si128(t2, ks[8]); + t3 = _mm_aesdec_si128(t3, ks[8]); + t4 = _mm_aesdec_si128(t4, ks[8]); + t1 = _mm_aesdec_si128(t1, ks[9]); + t2 = _mm_aesdec_si128(t2, ks[9]); + t3 = _mm_aesdec_si128(t3, ks[9]); + t4 = _mm_aesdec_si128(t4, ks[9]); + t1 = _mm_aesdec_si128(t1, ks[10]); + t2 = _mm_aesdec_si128(t2, ks[10]); + t3 = _mm_aesdec_si128(t3, ks[10]); + t4 = _mm_aesdec_si128(t4, ks[10]); + t1 = _mm_aesdec_si128(t1, ks[11]); + t2 = _mm_aesdec_si128(t2, ks[11]); + t3 = _mm_aesdec_si128(t3, ks[11]); + t4 = _mm_aesdec_si128(t4, ks[11]); + + t1 = _mm_aesdeclast_si128(t1, ks[12]); + t2 = _mm_aesdeclast_si128(t2, ks[12]); + t3 = _mm_aesdeclast_si128(t3, ks[12]); + t4 = _mm_aesdeclast_si128(t4, ks[12]); + t1 = _mm_xor_si128(t1, f1); + t2 = _mm_xor_si128(t2, f2); + t3 = _mm_xor_si128(t3, f3); + t4 = _mm_xor_si128(t4, f4); + _mm_storeu_si128(bo + i + 0, t1); + _mm_storeu_si128(bo + i + 1, t2); + _mm_storeu_si128(bo + i + 2, t3); + _mm_storeu_si128(bo + i + 3, t4); + f1 = last; + } + + for (i = pblocks; i < blocks; i++) + { + last = _mm_loadu_si128(bi + i); + t1 = _mm_xor_si128(last, ks[0]); + + t1 = _mm_aesdec_si128(t1, ks[1]); + t1 = _mm_aesdec_si128(t1, ks[2]); + t1 = _mm_aesdec_si128(t1, ks[3]); + t1 = _mm_aesdec_si128(t1, ks[4]); + t1 = _mm_aesdec_si128(t1, ks[5]); + t1 = _mm_aesdec_si128(t1, ks[6]); + t1 = _mm_aesdec_si128(t1, ks[7]); + t1 = _mm_aesdec_si128(t1, ks[8]); + t1 = _mm_aesdec_si128(t1, ks[9]); + t1 = _mm_aesdec_si128(t1, ks[10]); + t1 = _mm_aesdec_si128(t1, ks[11]); + + t1 = _mm_aesdeclast_si128(t1, ks[12]); + t1 = _mm_xor_si128(t1, f1); + _mm_storeu_si128(bo + i, t1); + f1 = last; + } +} + +/** + * AES-256 CBC encryption + */ +static void encrypt_cbc256(aesni_key_t *key, u_int blocks, u_char *in, + u_char *iv, u_char *out) +{ + __m128i *ks, t, fb, *bi, *bo; + int i; + + ks = key->schedule; + bi = (__m128i*)in; + bo = (__m128i*)out; + + fb = _mm_loadu_si128((__m128i*)iv); + for (i = 0; i < blocks; i++) + { + t = _mm_loadu_si128(bi + i); + fb = _mm_xor_si128(t, fb); + fb = _mm_xor_si128(fb, ks[0]); + + fb = _mm_aesenc_si128(fb, ks[1]); + fb = _mm_aesenc_si128(fb, ks[2]); + fb = _mm_aesenc_si128(fb, ks[3]); + fb = _mm_aesenc_si128(fb, ks[4]); + fb = _mm_aesenc_si128(fb, ks[5]); + fb = _mm_aesenc_si128(fb, ks[6]); + fb = _mm_aesenc_si128(fb, ks[7]); + fb = _mm_aesenc_si128(fb, ks[8]); + fb = _mm_aesenc_si128(fb, ks[9]); + fb = _mm_aesenc_si128(fb, ks[10]); + fb = _mm_aesenc_si128(fb, ks[11]); + fb = _mm_aesenc_si128(fb, ks[12]); + fb = _mm_aesenc_si128(fb, ks[13]); + + fb = _mm_aesenclast_si128(fb, ks[14]); + _mm_storeu_si128(bo + i, fb); + } +} + +/** + * AES-256 CBC decryption + */ +static void decrypt_cbc256(aesni_key_t *key, u_int blocks, u_char *in, + u_char *iv, u_char *out) +{ + __m128i *ks, last, *bi, *bo; + __m128i t1, t2, t3, t4; + __m128i f1, f2, f3, f4; + u_int i, pblocks; + + ks = key->schedule; + bi = (__m128i*)in; + bo = (__m128i*)out; + pblocks = blocks - (blocks % CBC_DECRYPT_PARALLELISM); + + f1 = _mm_loadu_si128((__m128i*)iv); + + for (i = 0; i < pblocks; i += CBC_DECRYPT_PARALLELISM) + { + t1 = _mm_loadu_si128(bi + i + 0); + t2 = _mm_loadu_si128(bi + i + 1); + t3 = _mm_loadu_si128(bi + i + 2); + t4 = _mm_loadu_si128(bi + i + 3); + + f2 = t1; + f3 = t2; + f4 = t3; + last = t4; + + t1 = _mm_xor_si128(t1, ks[0]); + t2 = _mm_xor_si128(t2, ks[0]); + t3 = _mm_xor_si128(t3, ks[0]); + t4 = _mm_xor_si128(t4, ks[0]); + + t1 = _mm_aesdec_si128(t1, ks[1]); + t2 = _mm_aesdec_si128(t2, ks[1]); + t3 = _mm_aesdec_si128(t3, ks[1]); + t4 = _mm_aesdec_si128(t4, ks[1]); + t1 = _mm_aesdec_si128(t1, ks[2]); + t2 = _mm_aesdec_si128(t2, ks[2]); + t3 = _mm_aesdec_si128(t3, ks[2]); + t4 = _mm_aesdec_si128(t4, ks[2]); + t1 = _mm_aesdec_si128(t1, ks[3]); + t2 = _mm_aesdec_si128(t2, ks[3]); + t3 = _mm_aesdec_si128(t3, ks[3]); + t4 = _mm_aesdec_si128(t4, ks[3]); + t1 = _mm_aesdec_si128(t1, ks[4]); + t2 = _mm_aesdec_si128(t2, ks[4]); + t3 = _mm_aesdec_si128(t3, ks[4]); + t4 = _mm_aesdec_si128(t4, ks[4]); + t1 = _mm_aesdec_si128(t1, ks[5]); + t2 = _mm_aesdec_si128(t2, ks[5]); + t3 = _mm_aesdec_si128(t3, ks[5]); + t4 = _mm_aesdec_si128(t4, ks[5]); + t1 = _mm_aesdec_si128(t1, ks[6]); + t2 = _mm_aesdec_si128(t2, ks[6]); + t3 = _mm_aesdec_si128(t3, ks[6]); + t4 = _mm_aesdec_si128(t4, ks[6]); + t1 = _mm_aesdec_si128(t1, ks[7]); + t2 = _mm_aesdec_si128(t2, ks[7]); + t3 = _mm_aesdec_si128(t3, ks[7]); + t4 = _mm_aesdec_si128(t4, ks[7]); + t1 = _mm_aesdec_si128(t1, ks[8]); + t2 = _mm_aesdec_si128(t2, ks[8]); + t3 = _mm_aesdec_si128(t3, ks[8]); + t4 = _mm_aesdec_si128(t4, ks[8]); + t1 = _mm_aesdec_si128(t1, ks[9]); + t2 = _mm_aesdec_si128(t2, ks[9]); + t3 = _mm_aesdec_si128(t3, ks[9]); + t4 = _mm_aesdec_si128(t4, ks[9]); + t1 = _mm_aesdec_si128(t1, ks[10]); + t2 = _mm_aesdec_si128(t2, ks[10]); + t3 = _mm_aesdec_si128(t3, ks[10]); + t4 = _mm_aesdec_si128(t4, ks[10]); + t1 = _mm_aesdec_si128(t1, ks[11]); + t2 = _mm_aesdec_si128(t2, ks[11]); + t3 = _mm_aesdec_si128(t3, ks[11]); + t4 = _mm_aesdec_si128(t4, ks[11]); + t1 = _mm_aesdec_si128(t1, ks[12]); + t2 = _mm_aesdec_si128(t2, ks[12]); + t3 = _mm_aesdec_si128(t3, ks[12]); + t4 = _mm_aesdec_si128(t4, ks[12]); + t1 = _mm_aesdec_si128(t1, ks[13]); + t2 = _mm_aesdec_si128(t2, ks[13]); + t3 = _mm_aesdec_si128(t3, ks[13]); + t4 = _mm_aesdec_si128(t4, ks[13]); + + t1 = _mm_aesdeclast_si128(t1, ks[14]); + t2 = _mm_aesdeclast_si128(t2, ks[14]); + t3 = _mm_aesdeclast_si128(t3, ks[14]); + t4 = _mm_aesdeclast_si128(t4, ks[14]); + t1 = _mm_xor_si128(t1, f1); + t2 = _mm_xor_si128(t2, f2); + t3 = _mm_xor_si128(t3, f3); + t4 = _mm_xor_si128(t4, f4); + _mm_storeu_si128(bo + i + 0, t1); + _mm_storeu_si128(bo + i + 1, t2); + _mm_storeu_si128(bo + i + 2, t3); + _mm_storeu_si128(bo + i + 3, t4); + f1 = last; + } + + for (i = pblocks; i < blocks; i++) + { + last = _mm_loadu_si128(bi + i); + t1 = _mm_xor_si128(last, ks[0]); + + t1 = _mm_aesdec_si128(t1, ks[1]); + t1 = _mm_aesdec_si128(t1, ks[2]); + t1 = _mm_aesdec_si128(t1, ks[3]); + t1 = _mm_aesdec_si128(t1, ks[4]); + t1 = _mm_aesdec_si128(t1, ks[5]); + t1 = _mm_aesdec_si128(t1, ks[6]); + t1 = _mm_aesdec_si128(t1, ks[7]); + t1 = _mm_aesdec_si128(t1, ks[8]); + t1 = _mm_aesdec_si128(t1, ks[9]); + t1 = _mm_aesdec_si128(t1, ks[10]); + t1 = _mm_aesdec_si128(t1, ks[11]); + t1 = _mm_aesdec_si128(t1, ks[12]); + t1 = _mm_aesdec_si128(t1, ks[13]); + + t1 = _mm_aesdeclast_si128(t1, ks[14]); + t1 = _mm_xor_si128(t1, f1); + _mm_storeu_si128(bo + i, t1); + f1 = last; + } +} + +/** + * Do inline or allocated de/encryption using key schedule + */ +static bool crypt(aesni_cbc_fn_t fn, aesni_key_t *key, + chunk_t data, chunk_t iv, chunk_t *out) +{ + u_char *buf; + + if (!key || iv.len != AES_BLOCK_SIZE || data.len % AES_BLOCK_SIZE) + { + return FALSE; + } + if (out) + { + *out = chunk_alloc(data.len); + buf = out->ptr; + } + else + { + buf = data.ptr; + } + fn(key, data.len / AES_BLOCK_SIZE, data.ptr, iv.ptr, buf); + return TRUE; +} + +METHOD(crypter_t, encrypt, bool, + private_aesni_cbc_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted) +{ + return crypt(this->encrypt, this->ekey, data, iv, encrypted); +} + +METHOD(crypter_t, decrypt, bool, + private_aesni_cbc_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted) +{ + return crypt(this->decrypt, this->dkey, data, iv, decrypted); +} + +METHOD(crypter_t, get_block_size, size_t, + private_aesni_cbc_t *this) +{ + return AES_BLOCK_SIZE; +} + +METHOD(crypter_t, get_iv_size, size_t, + private_aesni_cbc_t *this) +{ + return AES_BLOCK_SIZE; +} + +METHOD(crypter_t, get_key_size, size_t, + private_aesni_cbc_t *this) +{ + return this->key_size; +} + +METHOD(crypter_t, set_key, bool, + private_aesni_cbc_t *this, chunk_t key) +{ + if (key.len != this->key_size) + { + return FALSE; + } + + DESTROY_IF(this->ekey); + DESTROY_IF(this->dkey); + + this->ekey = aesni_key_create(TRUE, key); + this->dkey = aesni_key_create(FALSE, key); + + return this->ekey && this->dkey; +} + +METHOD(crypter_t, destroy, void, + private_aesni_cbc_t *this) +{ + DESTROY_IF(this->ekey); + DESTROY_IF(this->dkey); + free_align(this); +} + +/** + * See header + */ +aesni_cbc_t *aesni_cbc_create(encryption_algorithm_t algo, size_t key_size) +{ + private_aesni_cbc_t *this; + + if (algo != ENCR_AES_CBC) + { + return NULL; + } + switch (key_size) + { + case 0: + key_size = 16; + break; + case 16: + case 24: + case 32: + break; + default: + return NULL; + } + + INIT_ALIGN(this, sizeof(__m128i), + .public = { + .crypter = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .key_size = key_size, + ); + + switch (key_size) + { + case 16: + this->encrypt = encrypt_cbc128; + this->decrypt = decrypt_cbc128; + break; + case 24: + this->encrypt = encrypt_cbc192; + this->decrypt = decrypt_cbc192; + break; + case 32: + this->encrypt = encrypt_cbc256; + this->decrypt = decrypt_cbc256; + break; + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/aesni/aesni_cbc.h b/src/libstrongswan/plugins/aesni/aesni_cbc.h new file mode 100644 index 000000000..c004ec611 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_cbc.h @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup aesni_cbc aesni_cbc + * @{ @ingroup aesni + */ + +#ifndef AESNI_CBC_H_ +#define AESNI_CBC_H_ + +#include + +typedef struct aesni_cbc_t aesni_cbc_t; + +/** + * CBC mode crypter using AES-NI + */ +struct aesni_cbc_t { + + /** + * Implements crypter interface + */ + crypter_t crypter; +}; + +/** + * Create a aesni_cbc instance. + * + * @param algo encryption algorithm, AES_ENCR_CBC + * @param key_size AES key size, in bytes + * @return AES-CBC crypter, NULL if not supported + */ +aesni_cbc_t *aesni_cbc_create(encryption_algorithm_t algo, size_t key_size); + +#endif /** AESNI_CBC_H_ @}*/ diff --git a/src/libstrongswan/plugins/aesni/aesni_ccm.c b/src/libstrongswan/plugins/aesni/aesni_ccm.c new file mode 100644 index 000000000..d523bc17a --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_ccm.c @@ -0,0 +1,914 @@ +/* + * Copyright (C) 2010-2015 Martin Willi + * Copyright (C) 2010-2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "aesni_ccm.h" +#include "aesni_key.h" + +#include + +#include + +#define SALT_SIZE 3 +#define IV_SIZE 8 +#define NONCE_SIZE (SALT_SIZE + IV_SIZE) /* 11 */ +#define Q_SIZE (AES_BLOCK_SIZE - NONCE_SIZE - 1) /* 4 */ + +typedef struct private_aesni_ccm_t private_aesni_ccm_t; + +/** + * CCM en/decryption method type + */ +typedef void (*aesni_ccm_fn_t)(private_aesni_ccm_t*, size_t, u_char*, u_char*, + u_char*, size_t, u_char*, u_char*); + +/** + * Private data of an aesni_ccm_t object. + */ +struct private_aesni_ccm_t { + + /** + * Public aesni_ccm_t interface. + */ + aesni_ccm_t public; + + /** + * Encryption key schedule + */ + aesni_key_t *key; + + /** + * IV generator. + */ + iv_gen_t *iv_gen; + + /** + * Length of the integrity check value + */ + size_t icv_size; + + /** + * Length of the key in bytes + */ + size_t key_size; + + /** + * CCM encryption function + */ + aesni_ccm_fn_t encrypt; + + /** + * CCM decryption function + */ + aesni_ccm_fn_t decrypt; + + /** + * salt to add to nonce + */ + u_char salt[SALT_SIZE]; +}; + +/** + * First block with control information + */ +typedef struct __attribute__((packed)) { + BITFIELD4(u_int8_t, + /* size of p length field q, as q-1 */ + q_len: 3, + /* size of our ICV t, as (t-2)/2 */ + t_len: 3, + /* do we have associated data */ + assoc: 1, + reserved: 1, + ) flags; + /* nonce value */ + struct __attribute__((packed)) { + u_char salt[SALT_SIZE]; + u_char iv[IV_SIZE]; + } nonce; + /* length of plain text, q */ + u_char q[Q_SIZE]; +} b0_t; + +/** + * Counter block + */ +typedef struct __attribute__((packed)) { + BITFIELD3(u_int8_t, + /* size of p length field q, as q-1 */ + q_len: 3, + zero: 3, + reserved: 2, + ) flags; + /* nonce value */ + struct __attribute__((packed)) { + u_char salt[SALT_SIZE]; + u_char iv[IV_SIZE]; + } nonce; + /* counter value */ + u_char i[Q_SIZE]; +} ctr_t; + +/** + * Build the first block B0 + */ +static void build_b0(private_aesni_ccm_t *this, size_t len, size_t alen, + u_char *iv, void *out) +{ + b0_t *block = out; + + block->flags.reserved = 0; + block->flags.assoc = alen ? 1 : 0; + block->flags.t_len = (this->icv_size - 2) / 2; + block->flags.q_len = Q_SIZE - 1; + memcpy(block->nonce.salt, this->salt, SALT_SIZE); + memcpy(block->nonce.iv, iv, IV_SIZE); + htoun32(block->q, len); +} + +/** + * Build a counter block for counter i + */ +static void build_ctr(private_aesni_ccm_t *this, u_int32_t i, u_char *iv, + void *out) +{ + ctr_t *ctr = out; + + ctr->flags.reserved = 0; + ctr->flags.zero = 0; + ctr->flags.q_len = Q_SIZE - 1; + memcpy(ctr->nonce.salt, this->salt, SALT_SIZE); + memcpy(ctr->nonce.iv, iv, IV_SIZE); + htoun32(ctr->i, i); +} + +/** + * Calculate the ICV for the b0 and associated data + */ +static __m128i icv_header(private_aesni_ccm_t *this, size_t len, u_char *iv, + u_int16_t alen, u_char *assoc) +{ + __m128i *ks, b, t, c; + u_int i, round, blocks, rem; + + ks = this->key->schedule; + build_b0(this, len, alen, iv, &b); + c = _mm_loadu_si128(&b); + c = _mm_xor_si128(c, ks[0]); + for (round = 1; round < this->key->rounds; round++) + { + c = _mm_aesenc_si128(c, ks[round]); + } + c = _mm_aesenclast_si128(c, ks[this->key->rounds]); + + if (alen) + { + blocks = (alen + sizeof(alen)) / AES_BLOCK_SIZE; + rem = (alen + sizeof(alen)) % AES_BLOCK_SIZE; + if (rem) + { + blocks++; + } + for (i = 0; i < blocks; i++) + { + if (i == 0) + { /* first block */ + memset(&b, 0, sizeof(b)); + htoun16(&b, alen); + memcpy(((u_char*)&b) + sizeof(alen), assoc, + min(alen, sizeof(b) - sizeof(alen))); + t = _mm_loadu_si128(&b); + } + else if (i == blocks - 1 && rem) + { /* last block with padding */ + memset(&b, 0, sizeof(b)); + memcpy(&b, ((__m128i*)(assoc - sizeof(alen))) + i, rem); + t = _mm_loadu_si128(&b); + } + else + { /* full block */ + t = _mm_loadu_si128(((__m128i*)(assoc - sizeof(alen))) + i); + } + c = _mm_xor_si128(t, c); + c = _mm_xor_si128(c, ks[0]); + for (round = 1; round < this->key->rounds; round++) + { + c = _mm_aesenc_si128(c, ks[round]); + } + c = _mm_aesenclast_si128(c, ks[this->key->rounds]); + } + } + return c; +} + +/** + * En-/Decrypt the ICV, trim and store it + */ +static void crypt_icv(private_aesni_ccm_t *this, u_char *iv, + __m128i c, u_char *icv) +{ + __m128i *ks, b, t; + u_int round; + + ks = this->key->schedule; + build_ctr(this, 0, iv, &b); + + t = _mm_loadu_si128(&b); + t = _mm_xor_si128(t, ks[0]); + for (round = 1; round < this->key->rounds; round++) + { + t = _mm_aesenc_si128(t, ks[round]); + } + t = _mm_aesenclast_si128(t, ks[this->key->rounds]); + + t = _mm_xor_si128(t, c); + + _mm_storeu_si128(&b, t); + memcpy(icv, &b, this->icv_size); +} + +/** + * Do big-endian increment on x + */ +static inline __m128i increment_be(__m128i x) +{ + __m128i swap; + + swap = _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15); + + x = _mm_shuffle_epi8(x, swap); + x = _mm_add_epi64(x, _mm_set_epi32(0, 0, 0, 1)); + x = _mm_shuffle_epi8(x, swap); + + return x; +} + +/** + * Encrypt a remaining incomplete block + */ +static __m128i encrypt_ccm_rem(aesni_key_t *key, u_int rem, __m128i state, + void *in, void *out, __m128i c) +{ + __m128i *ks, t, b, d; + u_int round; + + ks = key->schedule; + memset(&b, 0, sizeof(b)); + memcpy(&b, in, rem); + d = _mm_loadu_si128(&b); + + c = _mm_xor_si128(d, c); + c = _mm_xor_si128(c, ks[0]); + t = _mm_xor_si128(state, ks[0]); + for (round = 1; round < key->rounds; round++) + { + c = _mm_aesenc_si128(c, ks[round]); + t = _mm_aesenc_si128(t, ks[round]); + } + c = _mm_aesenclast_si128(c, ks[key->rounds]); + t = _mm_aesenclast_si128(t, ks[key->rounds]); + + t = _mm_xor_si128(t, d); + _mm_storeu_si128(&b, t); + + memcpy(out, &b, rem); + + return c; +} + +/** + * Decrypt a remaining incomplete block + */ +static __m128i decrypt_ccm_rem(aesni_key_t *key, u_int rem, __m128i state, + void *in, void *out, __m128i c) +{ + __m128i *ks, t, b, d; + u_int round; + + ks = key->schedule; + memset(&b, 0, sizeof(b)); + memcpy(&b, in, rem); + d = _mm_loadu_si128(&b); + + t = _mm_xor_si128(state, ks[0]); + for (round = 1; round < key->rounds; round++) + { + t = _mm_aesenc_si128(t, ks[round]); + } + t = _mm_aesenclast_si128(t, ks[key->rounds]); + t = _mm_xor_si128(t, d); + _mm_storeu_si128(&b, t); + + memset((u_char*)&b + rem, 0, sizeof(b) - rem); + t = _mm_loadu_si128(&b); + c = _mm_xor_si128(t, c); + c = _mm_xor_si128(c, ks[0]); + for (round = 1; round < key->rounds; round++) + { + c = _mm_aesenc_si128(c, ks[round]); + } + c = _mm_aesenclast_si128(c, ks[key->rounds]); + + memcpy(out, &b, rem); + + return c; +} + +/** + * AES-128 CCM encryption/ICV generation + */ +static void encrypt_ccm128(private_aesni_ccm_t *this, + size_t len, u_char *in, u_char *out, u_char *iv, + size_t alen, u_char *assoc, u_char *icv) +{ + __m128i *ks, d, t, c, b, state, *bi, *bo; + u_int blocks, rem, i; + + c = icv_header(this, len, iv, alen, assoc); + build_ctr(this, 1, iv, &b); + state = _mm_load_si128(&b); + blocks = len / AES_BLOCK_SIZE; + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < blocks; i++) + { + d = _mm_loadu_si128(bi + i); + + c = _mm_xor_si128(d, c); + c = _mm_xor_si128(c, ks[0]); + t = _mm_xor_si128(state, ks[0]); + + c = _mm_aesenc_si128(c, ks[1]); + t = _mm_aesenc_si128(t, ks[1]); + c = _mm_aesenc_si128(c, ks[2]); + t = _mm_aesenc_si128(t, ks[2]); + c = _mm_aesenc_si128(c, ks[3]); + t = _mm_aesenc_si128(t, ks[3]); + c = _mm_aesenc_si128(c, ks[4]); + t = _mm_aesenc_si128(t, ks[4]); + c = _mm_aesenc_si128(c, ks[5]); + t = _mm_aesenc_si128(t, ks[5]); + c = _mm_aesenc_si128(c, ks[6]); + t = _mm_aesenc_si128(t, ks[6]); + c = _mm_aesenc_si128(c, ks[7]); + t = _mm_aesenc_si128(t, ks[7]); + c = _mm_aesenc_si128(c, ks[8]); + t = _mm_aesenc_si128(t, ks[8]); + c = _mm_aesenc_si128(c, ks[9]); + t = _mm_aesenc_si128(t, ks[9]); + + c = _mm_aesenclast_si128(c, ks[10]); + t = _mm_aesenclast_si128(t, ks[10]); + + t = _mm_xor_si128(t, d); + _mm_storeu_si128(bo + i, t); + + state = increment_be(state); + } + + if (rem) + { + c = encrypt_ccm_rem(this->key, rem, state, bi + blocks, bo + blocks, c); + } + crypt_icv(this, iv, c, icv); +} + +/** + * AES-128 CCM decryption/ICV generation + */ +static void decrypt_ccm128(private_aesni_ccm_t *this, + size_t len, u_char *in, u_char *out, u_char *iv, + size_t alen, u_char *assoc, u_char *icv) +{ + __m128i *ks, d, t, c, b, state, *bi, *bo; + u_int blocks, rem, i; + + c = icv_header(this, len, iv, alen, assoc); + build_ctr(this, 1, iv, &b); + state = _mm_load_si128(&b); + blocks = len / AES_BLOCK_SIZE; + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < blocks; i++) + { + d = _mm_loadu_si128(bi + i); + + t = _mm_xor_si128(state, ks[0]); + + t = _mm_aesenc_si128(t, ks[1]); + t = _mm_aesenc_si128(t, ks[2]); + t = _mm_aesenc_si128(t, ks[3]); + t = _mm_aesenc_si128(t, ks[4]); + t = _mm_aesenc_si128(t, ks[5]); + t = _mm_aesenc_si128(t, ks[6]); + t = _mm_aesenc_si128(t, ks[7]); + t = _mm_aesenc_si128(t, ks[8]); + t = _mm_aesenc_si128(t, ks[9]); + + t = _mm_aesenclast_si128(t, ks[10]); + t = _mm_xor_si128(t, d); + _mm_storeu_si128(bo + i, t); + + c = _mm_xor_si128(t, c); + c = _mm_xor_si128(c, ks[0]); + + c = _mm_aesenc_si128(c, ks[1]); + c = _mm_aesenc_si128(c, ks[2]); + c = _mm_aesenc_si128(c, ks[3]); + c = _mm_aesenc_si128(c, ks[4]); + c = _mm_aesenc_si128(c, ks[5]); + c = _mm_aesenc_si128(c, ks[6]); + c = _mm_aesenc_si128(c, ks[7]); + c = _mm_aesenc_si128(c, ks[8]); + c = _mm_aesenc_si128(c, ks[9]); + + c = _mm_aesenclast_si128(c, ks[10]); + + state = increment_be(state); + } + + if (rem) + { + c = decrypt_ccm_rem(this->key, rem, state, bi + blocks, bo + blocks, c); + } + crypt_icv(this, iv, c, icv); +} + +/** + * AES-192 CCM encryption/ICV generation + */ +static void encrypt_ccm192(private_aesni_ccm_t *this, + size_t len, u_char *in, u_char *out, u_char *iv, + size_t alen, u_char *assoc, u_char *icv) +{ + __m128i *ks, d, t, c, b, state, *bi, *bo; + u_int blocks, rem, i; + + c = icv_header(this, len, iv, alen, assoc); + build_ctr(this, 1, iv, &b); + state = _mm_load_si128(&b); + blocks = len / AES_BLOCK_SIZE; + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < blocks; i++) + { + d = _mm_loadu_si128(bi + i); + + c = _mm_xor_si128(d, c); + c = _mm_xor_si128(c, ks[0]); + t = _mm_xor_si128(state, ks[0]); + + c = _mm_aesenc_si128(c, ks[1]); + t = _mm_aesenc_si128(t, ks[1]); + c = _mm_aesenc_si128(c, ks[2]); + t = _mm_aesenc_si128(t, ks[2]); + c = _mm_aesenc_si128(c, ks[3]); + t = _mm_aesenc_si128(t, ks[3]); + c = _mm_aesenc_si128(c, ks[4]); + t = _mm_aesenc_si128(t, ks[4]); + c = _mm_aesenc_si128(c, ks[5]); + t = _mm_aesenc_si128(t, ks[5]); + c = _mm_aesenc_si128(c, ks[6]); + t = _mm_aesenc_si128(t, ks[6]); + c = _mm_aesenc_si128(c, ks[7]); + t = _mm_aesenc_si128(t, ks[7]); + c = _mm_aesenc_si128(c, ks[8]); + t = _mm_aesenc_si128(t, ks[8]); + c = _mm_aesenc_si128(c, ks[9]); + t = _mm_aesenc_si128(t, ks[9]); + c = _mm_aesenc_si128(c, ks[10]); + t = _mm_aesenc_si128(t, ks[10]); + c = _mm_aesenc_si128(c, ks[11]); + t = _mm_aesenc_si128(t, ks[11]); + + c = _mm_aesenclast_si128(c, ks[12]); + t = _mm_aesenclast_si128(t, ks[12]); + + t = _mm_xor_si128(t, d); + _mm_storeu_si128(bo + i, t); + + state = increment_be(state); + } + + if (rem) + { + c = encrypt_ccm_rem(this->key, rem, state, bi + blocks, bo + blocks, c); + } + crypt_icv(this, iv, c, icv); +} + +/** + * AES-192 CCM decryption/ICV generation + */ +static void decrypt_ccm192(private_aesni_ccm_t *this, + size_t len, u_char *in, u_char *out, u_char *iv, + size_t alen, u_char *assoc, u_char *icv) +{ + __m128i *ks, d, t, c, b, state, *bi, *bo; + u_int blocks, rem, i; + + c = icv_header(this, len, iv, alen, assoc); + build_ctr(this, 1, iv, &b); + state = _mm_load_si128(&b); + blocks = len / AES_BLOCK_SIZE; + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < blocks; i++) + { + d = _mm_loadu_si128(bi + i); + + t = _mm_xor_si128(state, ks[0]); + + t = _mm_aesenc_si128(t, ks[1]); + t = _mm_aesenc_si128(t, ks[2]); + t = _mm_aesenc_si128(t, ks[3]); + t = _mm_aesenc_si128(t, ks[4]); + t = _mm_aesenc_si128(t, ks[5]); + t = _mm_aesenc_si128(t, ks[6]); + t = _mm_aesenc_si128(t, ks[7]); + t = _mm_aesenc_si128(t, ks[8]); + t = _mm_aesenc_si128(t, ks[9]); + t = _mm_aesenc_si128(t, ks[10]); + t = _mm_aesenc_si128(t, ks[11]); + + t = _mm_aesenclast_si128(t, ks[12]); + t = _mm_xor_si128(t, d); + _mm_storeu_si128(bo + i, t); + + c = _mm_xor_si128(t, c); + c = _mm_xor_si128(c, ks[0]); + + c = _mm_aesenc_si128(c, ks[1]); + c = _mm_aesenc_si128(c, ks[2]); + c = _mm_aesenc_si128(c, ks[3]); + c = _mm_aesenc_si128(c, ks[4]); + c = _mm_aesenc_si128(c, ks[5]); + c = _mm_aesenc_si128(c, ks[6]); + c = _mm_aesenc_si128(c, ks[7]); + c = _mm_aesenc_si128(c, ks[8]); + c = _mm_aesenc_si128(c, ks[9]); + c = _mm_aesenc_si128(c, ks[10]); + c = _mm_aesenc_si128(c, ks[11]); + + c = _mm_aesenclast_si128(c, ks[12]); + + state = increment_be(state); + } + + if (rem) + { + c = decrypt_ccm_rem(this->key, rem, state, bi + blocks, bo + blocks, c); + } + crypt_icv(this, iv, c, icv); +} + +/** + * AES-256 CCM encryption/ICV generation + */ +static void encrypt_ccm256(private_aesni_ccm_t *this, + size_t len, u_char *in, u_char *out, u_char *iv, + size_t alen, u_char *assoc, u_char *icv) +{ + __m128i *ks, d, t, c, b, state, *bi, *bo; + u_int blocks, rem, i; + + c = icv_header(this, len, iv, alen, assoc); + build_ctr(this, 1, iv, &b); + state = _mm_load_si128(&b); + blocks = len / AES_BLOCK_SIZE; + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < blocks; i++) + { + d = _mm_loadu_si128(bi + i); + + c = _mm_xor_si128(d, c); + c = _mm_xor_si128(c, ks[0]); + t = _mm_xor_si128(state, ks[0]); + + c = _mm_aesenc_si128(c, ks[1]); + t = _mm_aesenc_si128(t, ks[1]); + c = _mm_aesenc_si128(c, ks[2]); + t = _mm_aesenc_si128(t, ks[2]); + c = _mm_aesenc_si128(c, ks[3]); + t = _mm_aesenc_si128(t, ks[3]); + c = _mm_aesenc_si128(c, ks[4]); + t = _mm_aesenc_si128(t, ks[4]); + c = _mm_aesenc_si128(c, ks[5]); + t = _mm_aesenc_si128(t, ks[5]); + c = _mm_aesenc_si128(c, ks[6]); + t = _mm_aesenc_si128(t, ks[6]); + c = _mm_aesenc_si128(c, ks[7]); + t = _mm_aesenc_si128(t, ks[7]); + c = _mm_aesenc_si128(c, ks[8]); + t = _mm_aesenc_si128(t, ks[8]); + c = _mm_aesenc_si128(c, ks[9]); + t = _mm_aesenc_si128(t, ks[9]); + c = _mm_aesenc_si128(c, ks[10]); + t = _mm_aesenc_si128(t, ks[10]); + c = _mm_aesenc_si128(c, ks[11]); + t = _mm_aesenc_si128(t, ks[11]); + c = _mm_aesenc_si128(c, ks[12]); + t = _mm_aesenc_si128(t, ks[12]); + c = _mm_aesenc_si128(c, ks[13]); + t = _mm_aesenc_si128(t, ks[13]); + + c = _mm_aesenclast_si128(c, ks[14]); + t = _mm_aesenclast_si128(t, ks[14]); + + t = _mm_xor_si128(t, d); + _mm_storeu_si128(bo + i, t); + + state = increment_be(state); + } + + if (rem) + { + c = encrypt_ccm_rem(this->key, rem, state, bi + blocks, bo + blocks, c); + } + crypt_icv(this, iv, c, icv); +} + +/** + * AES-256 CCM decryption/ICV generation + */ +static void decrypt_ccm256(private_aesni_ccm_t *this, + size_t len, u_char *in, u_char *out, u_char *iv, + size_t alen, u_char *assoc, u_char *icv) +{ + __m128i *ks, d, t, c, b, state, *bi, *bo; + u_int blocks, rem, i; + + c = icv_header(this, len, iv, alen, assoc); + build_ctr(this, 1, iv, &b); + state = _mm_load_si128(&b); + blocks = len / AES_BLOCK_SIZE; + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < blocks; i++) + { + d = _mm_loadu_si128(bi + i); + + t = _mm_xor_si128(state, ks[0]); + + t = _mm_aesenc_si128(t, ks[1]); + t = _mm_aesenc_si128(t, ks[2]); + t = _mm_aesenc_si128(t, ks[3]); + t = _mm_aesenc_si128(t, ks[4]); + t = _mm_aesenc_si128(t, ks[5]); + t = _mm_aesenc_si128(t, ks[6]); + t = _mm_aesenc_si128(t, ks[7]); + t = _mm_aesenc_si128(t, ks[8]); + t = _mm_aesenc_si128(t, ks[9]); + t = _mm_aesenc_si128(t, ks[10]); + t = _mm_aesenc_si128(t, ks[11]); + t = _mm_aesenc_si128(t, ks[12]); + t = _mm_aesenc_si128(t, ks[13]); + + t = _mm_aesenclast_si128(t, ks[14]); + t = _mm_xor_si128(t, d); + _mm_storeu_si128(bo + i, t); + + c = _mm_xor_si128(t, c); + c = _mm_xor_si128(c, ks[0]); + + c = _mm_aesenc_si128(c, ks[1]); + c = _mm_aesenc_si128(c, ks[2]); + c = _mm_aesenc_si128(c, ks[3]); + c = _mm_aesenc_si128(c, ks[4]); + c = _mm_aesenc_si128(c, ks[5]); + c = _mm_aesenc_si128(c, ks[6]); + c = _mm_aesenc_si128(c, ks[7]); + c = _mm_aesenc_si128(c, ks[8]); + c = _mm_aesenc_si128(c, ks[9]); + c = _mm_aesenc_si128(c, ks[10]); + c = _mm_aesenc_si128(c, ks[11]); + c = _mm_aesenc_si128(c, ks[12]); + c = _mm_aesenc_si128(c, ks[13]); + + c = _mm_aesenclast_si128(c, ks[14]); + + state = increment_be(state); + } + + if (rem) + { + c = decrypt_ccm_rem(this->key, rem, state, bi + blocks, bo + blocks, c); + } + crypt_icv(this, iv, c, icv); +} + +METHOD(aead_t, encrypt, bool, + private_aesni_ccm_t *this, chunk_t plain, chunk_t assoc, chunk_t iv, + chunk_t *encr) +{ + u_char *out; + + if (!this->key || iv.len != IV_SIZE) + { + return FALSE; + } + out = plain.ptr; + if (encr) + { + *encr = chunk_alloc(plain.len + this->icv_size); + out = encr->ptr; + } + this->encrypt(this, plain.len, plain.ptr, out, iv.ptr, + assoc.len, assoc.ptr, out + plain.len); + return TRUE; +} + +METHOD(aead_t, decrypt, bool, + private_aesni_ccm_t *this, chunk_t encr, chunk_t assoc, chunk_t iv, + chunk_t *plain) +{ + u_char *out, icv[this->icv_size]; + + if (!this->key || iv.len != IV_SIZE || encr.len < this->icv_size) + { + return FALSE; + } + encr.len -= this->icv_size; + out = encr.ptr; + if (plain) + { + *plain = chunk_alloc(encr.len); + out = plain->ptr; + } + + this->decrypt(this, encr.len, encr.ptr, out, iv.ptr, + assoc.len, assoc.ptr, icv); + return memeq_const(icv, encr.ptr + encr.len, this->icv_size); +} + +METHOD(aead_t, get_block_size, size_t, + private_aesni_ccm_t *this) +{ + return 1; +} + +METHOD(aead_t, get_icv_size, size_t, + private_aesni_ccm_t *this) +{ + return this->icv_size; +} + +METHOD(aead_t, get_iv_size, size_t, + private_aesni_ccm_t *this) +{ + return IV_SIZE; +} + +METHOD(aead_t, get_iv_gen, iv_gen_t*, + private_aesni_ccm_t *this) +{ + return this->iv_gen; +} + +METHOD(aead_t, get_key_size, size_t, + private_aesni_ccm_t *this) +{ + return this->key_size + SALT_SIZE; +} + +METHOD(aead_t, set_key, bool, + private_aesni_ccm_t *this, chunk_t key) +{ + if (key.len != this->key_size + SALT_SIZE) + { + return FALSE; + } + + memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE); + key.len -= SALT_SIZE; + + DESTROY_IF(this->key); + this->key = aesni_key_create(TRUE, key); + return TRUE; +} + +METHOD(aead_t, destroy, void, + private_aesni_ccm_t *this) +{ + DESTROY_IF(this->key); + this->iv_gen->destroy(this->iv_gen); + free_align(this); +} + +/** + * See header + */ +aesni_ccm_t *aesni_ccm_create(encryption_algorithm_t algo, + size_t key_size, size_t salt_size) +{ + private_aesni_ccm_t *this; + size_t icv_size; + + switch (key_size) + { + case 0: + key_size = 16; + break; + case 16: + case 24: + case 32: + break; + default: + return NULL; + } + if (salt_size && salt_size != SALT_SIZE) + { + /* currently not supported */ + return NULL; + } + switch (algo) + { + case ENCR_AES_CCM_ICV8: + algo = ENCR_AES_CBC; + icv_size = 8; + break; + case ENCR_AES_CCM_ICV12: + algo = ENCR_AES_CBC; + icv_size = 12; + break; + case ENCR_AES_CCM_ICV16: + algo = ENCR_AES_CBC; + icv_size = 16; + break; + default: + return NULL; + } + + INIT_ALIGN(this, sizeof(__m128i), + .public = { + .aead = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_icv_size = _get_icv_size, + .get_iv_size = _get_iv_size, + .get_iv_gen = _get_iv_gen, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .key_size = key_size, + .iv_gen = iv_gen_seq_create(), + .icv_size = icv_size, + ); + + switch (key_size) + { + case 16: + this->encrypt = encrypt_ccm128; + this->decrypt = decrypt_ccm128; + break; + case 24: + this->encrypt = encrypt_ccm192; + this->decrypt = decrypt_ccm192; + break; + case 32: + this->encrypt = encrypt_ccm256; + this->decrypt = decrypt_ccm256; + break; + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/aesni/aesni_ccm.h b/src/libstrongswan/plugins/aesni/aesni_ccm.h new file mode 100644 index 000000000..69612b515 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_ccm.h @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup aesni_ccm aesni_ccm + * @{ @ingroup aesni + */ + +#ifndef AESNI_CCM_H_ +#define AESNI_CCM_H_ + +#include + +typedef struct aesni_ccm_t aesni_ccm_t; + +/** + * CCM mode AEAD using AES-NI + */ +struct aesni_ccm_t { + + /** + * Implements aead_t interface + */ + aead_t aead; +}; + +/** + * Create a aesni_ccm instance. + * + * @param algo encryption algorithm, ENCR_AES_CCM* + * @param key_size AES key size, in bytes + * @param salt_size size of salt value + * @return AES-CCM AEAD, NULL if not supported + */ +aesni_ccm_t *aesni_ccm_create(encryption_algorithm_t algo, + size_t key_size, size_t salt_size); + +#endif /** AESNI_CCM_H_ @}*/ diff --git a/src/libstrongswan/plugins/aesni/aesni_cmac.c b/src/libstrongswan/plugins/aesni/aesni_cmac.c new file mode 100644 index 000000000..d6a87e6d7 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_cmac.c @@ -0,0 +1,371 @@ +/* + * Copyright (C) 2012 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "aesni_cmac.h" +#include "aesni_key.h" + +#include +#include + +typedef struct private_mac_t private_mac_t; + +/** + * Private data of a mac_t object. + */ +struct private_mac_t { + + /** + * Public interface. + */ + mac_t public; + + /** + * Key schedule for key K + */ + aesni_key_t *k; + + /** + * K1 + */ + __m128i k1; + + /** + * K2 + */ + __m128i k2; + + /** + * T + */ + __m128i t; + + /** + * remaining, unprocessed bytes in append mode + */ + u_char rem[AES_BLOCK_SIZE]; + + /** + * number of bytes in remaining + */ + int rem_size; +}; + +METHOD(mac_t, get_mac, bool, + private_mac_t *this, chunk_t data, u_int8_t *out) +{ + __m128i *ks, t, l, *bi; + u_int blocks, rem, i; + + if (!this->k) + { + return FALSE; + } + + ks = this->k->schedule; + t = this->t; + + if (this->rem_size + data.len > AES_BLOCK_SIZE) + { + /* T := 0x00000000000000000000000000000000 (initially) + * for each block M_i (except the last) + * X := T XOR M_i; + * T := AES-128(K, X); + */ + + /* append data to remaining bytes, process block M_1 */ + memcpy(this->rem + this->rem_size, data.ptr, + AES_BLOCK_SIZE - this->rem_size); + data = chunk_skip(data, AES_BLOCK_SIZE - this->rem_size); + + t = _mm_xor_si128(t, _mm_loadu_si128((__m128i*)this->rem)); + + t = _mm_xor_si128(t, ks[0]); + t = _mm_aesenc_si128(t, ks[1]); + t = _mm_aesenc_si128(t, ks[2]); + t = _mm_aesenc_si128(t, ks[3]); + t = _mm_aesenc_si128(t, ks[4]); + t = _mm_aesenc_si128(t, ks[5]); + t = _mm_aesenc_si128(t, ks[6]); + t = _mm_aesenc_si128(t, ks[7]); + t = _mm_aesenc_si128(t, ks[8]); + t = _mm_aesenc_si128(t, ks[9]); + t = _mm_aesenclast_si128(t, ks[10]); + + /* process blocks M_2 ... M_n-1 */ + bi = (__m128i*)data.ptr; + rem = data.len % AES_BLOCK_SIZE; + blocks = data.len / AES_BLOCK_SIZE; + if (!rem && blocks) + { /* don't do last block */ + rem = AES_BLOCK_SIZE; + blocks--; + } + + /* process blocks M[2] ... M[n-1] */ + for (i = 0; i < blocks; i++) + { + t = _mm_xor_si128(t, _mm_loadu_si128(bi + i)); + + t = _mm_xor_si128(t, ks[0]); + t = _mm_aesenc_si128(t, ks[1]); + t = _mm_aesenc_si128(t, ks[2]); + t = _mm_aesenc_si128(t, ks[3]); + t = _mm_aesenc_si128(t, ks[4]); + t = _mm_aesenc_si128(t, ks[5]); + t = _mm_aesenc_si128(t, ks[6]); + t = _mm_aesenc_si128(t, ks[7]); + t = _mm_aesenc_si128(t, ks[8]); + t = _mm_aesenc_si128(t, ks[9]); + t = _mm_aesenclast_si128(t, ks[10]); + } + + /* store remaining bytes of block M_n */ + memcpy(this->rem, data.ptr + data.len - rem, rem); + this->rem_size = rem; + } + else + { + /* no complete block (or last block), just copy into remaining */ + memcpy(this->rem + this->rem_size, data.ptr, data.len); + this->rem_size += data.len; + } + if (out) + { + /* if last block is complete + * M_last := M_n XOR K1; + * else + * M_last := padding(M_n) XOR K2; + */ + if (this->rem_size == AES_BLOCK_SIZE) + { + l = _mm_loadu_si128((__m128i*)this->rem); + l = _mm_xor_si128(l, this->k1); + } + else + { + /* padding(x) = x || 10^i where i is 128-8*r-1 + * That is, padding(x) is the concatenation of x and a single '1', + * followed by the minimum number of '0's, so that the total length is + * equal to 128 bits. + */ + if (this->rem_size < AES_BLOCK_SIZE) + { + memset(this->rem + this->rem_size, 0, + AES_BLOCK_SIZE - this->rem_size); + this->rem[this->rem_size] = 0x80; + } + l = _mm_loadu_si128((__m128i*)this->rem); + l = _mm_xor_si128(l, this->k2); + } + /* T := M_last XOR T; + * T := AES-128(K,T); + */ + t = _mm_xor_si128(l, t); + + t = _mm_xor_si128(t, ks[0]); + t = _mm_aesenc_si128(t, ks[1]); + t = _mm_aesenc_si128(t, ks[2]); + t = _mm_aesenc_si128(t, ks[3]); + t = _mm_aesenc_si128(t, ks[4]); + t = _mm_aesenc_si128(t, ks[5]); + t = _mm_aesenc_si128(t, ks[6]); + t = _mm_aesenc_si128(t, ks[7]); + t = _mm_aesenc_si128(t, ks[8]); + t = _mm_aesenc_si128(t, ks[9]); + t = _mm_aesenclast_si128(t, ks[10]); + + _mm_storeu_si128((__m128i*)out, t); + + /* reset state */ + t = _mm_setzero_si128(); + this->rem_size = 0; + } + this->t = t; + return TRUE; +} + +METHOD(mac_t, get_mac_size, size_t, + private_mac_t *this) +{ + return AES_BLOCK_SIZE; +} + +/** + * Left-shift the given chunk by one bit. + */ +static void bit_shift(chunk_t chunk) +{ + size_t i; + + for (i = 0; i < chunk.len; i++) + { + chunk.ptr[i] <<= 1; + if (i < chunk.len - 1 && chunk.ptr[i + 1] & 0x80) + { + chunk.ptr[i] |= 0x01; + } + } +} + +METHOD(mac_t, set_key, bool, + private_mac_t *this, chunk_t key) +{ + __m128i rb, msb, l, a; + u_int round; + chunk_t k; + + this->t = _mm_setzero_si128(); + this->rem_size = 0; + + /* we support variable keys as defined in RFC 4615 */ + if (key.len == AES_BLOCK_SIZE) + { + k = key; + } + else + { /* use cmac recursively to resize longer or shorter keys */ + k = chunk_alloca(AES_BLOCK_SIZE); + memset(k.ptr, 0, k.len); + if (!set_key(this, k) || !get_mac(this, key, k.ptr)) + { + return FALSE; + } + } + + DESTROY_IF(this->k); + this->k = aesni_key_create(TRUE, k); + if (!this->k) + { + return FALSE; + } + + /* + * Rb = 0x00000000000000000000000000000087 + * L = 0x00000000000000000000000000000000 encrypted with K + * if MSB(L) == 0 + * K1 = L << 1 + * else + * K1 = (L << 1) XOR Rb + * if MSB(K1) == 0 + * K2 = K1 << 1 + * else + * K2 = (K1 << 1) XOR Rb + */ + + rb = _mm_set_epi32(0x87000000, 0, 0, 0); + msb = _mm_set_epi32(0, 0, 0, 0x80); + + l = _mm_setzero_si128(); + + l = _mm_xor_si128(l, this->k->schedule[0]); + for (round = 1; round < this->k->rounds; round++) + { + l = _mm_aesenc_si128(l, this->k->schedule[round]); + } + l = _mm_aesenclast_si128(l, this->k->schedule[this->k->rounds]); + + this->k1 = l; + bit_shift(chunk_from_thing(this->k1)); + a = _mm_and_si128(l, msb); + if (memchr(&a, 0x80, 1)) + { + this->k1 = _mm_xor_si128(this->k1, rb); + } + this->k2 = this->k1; + bit_shift(chunk_from_thing(this->k2)); + a = _mm_and_si128(this->k1, msb); + if (memchr(&a, 0x80, 1)) + { + this->k2 = _mm_xor_si128(this->k2, rb); + } + + return TRUE; +} + +METHOD(mac_t, destroy, void, + private_mac_t *this) +{ + DESTROY_IF(this->k); + memwipe(&this->k1, sizeof(this->k1)); + memwipe(&this->k2, sizeof(this->k2)); + free_align(this); +} + +/* + * Described in header + */ +mac_t *aesni_cmac_create(encryption_algorithm_t algo, size_t key_size) +{ + private_mac_t *this; + + INIT_ALIGN(this, sizeof(__m128i), + .public = { + .get_mac = _get_mac, + .get_mac_size = _get_mac_size, + .set_key = _set_key, + .destroy = _destroy, + }, + ); + + return &this->public; +} + +/* + * Described in header. + */ +prf_t *aesni_cmac_prf_create(pseudo_random_function_t algo) +{ + mac_t *cmac; + + switch (algo) + { + case PRF_AES128_CMAC: + cmac = aesni_cmac_create(ENCR_AES_CBC, 16); + break; + default: + return NULL; + } + if (cmac) + { + return mac_prf_create(cmac); + } + return NULL; +} + +/* + * Described in header + */ +signer_t *aesni_cmac_signer_create(integrity_algorithm_t algo) +{ + size_t truncation; + mac_t *cmac; + + switch (algo) + { + case AUTH_AES_CMAC_96: + cmac = aesni_cmac_create(ENCR_AES_CBC, 16); + truncation = 12; + break; + default: + return NULL; + } + if (cmac) + { + return mac_signer_create(cmac, truncation); + } + return NULL; +} diff --git a/src/libstrongswan/plugins/aesni/aesni_cmac.h b/src/libstrongswan/plugins/aesni/aesni_cmac.h new file mode 100644 index 000000000..5f0af7393 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_cmac.h @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup aesni_xcbc aesni_xcbc + * @{ @ingroup aesni + */ + +#ifndef CMAC_H_ +#define CMAC_H_ + +#include +#include +#include + +/** + * Create a generic mac_t object using AESNI CMAC. + * + * @param algo underlying encryption algorithm + * @param key_size size of encryption key, in bytes + */ +mac_t *aesni_cmac_create(encryption_algorithm_t algo, size_t key_size); + +/** + * Creates a new prf_t object based AESNI CMAC. + * + * @param algo algorithm to implement + * @return prf_t object, NULL if not supported + */ +prf_t *aesni_cmac_prf_create(pseudo_random_function_t algo); + +/** + * Creates a new signer_t object based on AESNI CMAC. + * + * @param algo algorithm to implement + * @return signer_t, NULL if not supported + */ +signer_t *aesni_cmac_signer_create(integrity_algorithm_t algo); + +#endif /** CMAC_H_ @}*/ diff --git a/src/libstrongswan/plugins/aesni/aesni_ctr.c b/src/libstrongswan/plugins/aesni/aesni_ctr.c new file mode 100644 index 000000000..989813814 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_ctr.c @@ -0,0 +1,643 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "aesni_ctr.h" +#include "aesni_key.h" + +#include + +/** + * Pipeline parallelism we use for CTR en/decryption + */ +#define CTR_CRYPT_PARALLELISM 4 + +typedef struct private_aesni_ctr_t private_aesni_ctr_t; + +/** + * CTR en/decryption method type + */ +typedef void (*aesni_ctr_fn_t)(private_aesni_ctr_t*, size_t, u_char*, u_char*); + +/** + * Private data of an aesni_ctr_t object. + */ +struct private_aesni_ctr_t { + + /** + * Public aesni_ctr_t interface. + */ + aesni_ctr_t public; + + /** + * Key size + */ + u_int key_size; + + /** + * Key schedule + */ + aesni_key_t *key; + + /** + * Encryption method + */ + aesni_ctr_fn_t crypt; + + /** + * Counter state + */ + struct { + char nonce[4]; + char iv[8]; + u_int32_t counter; + } __attribute__((packed, aligned(sizeof(__m128i)))) state; +}; + +/** + * Do big-endian increment on x + */ +static inline __m128i increment_be(__m128i x) +{ + __m128i swap; + + swap = _mm_setr_epi8(15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0); + + x = _mm_shuffle_epi8(x, swap); + x = _mm_add_epi64(x, _mm_set_epi32(0, 0, 0, 1)); + x = _mm_shuffle_epi8(x, swap); + + return x; +} + +/** + * AES-128 CTR encryption + */ +static void encrypt_ctr128(private_aesni_ctr_t *this, + size_t len, u_char *in, u_char *out) +{ + __m128i t1, t2, t3, t4; + __m128i d1, d2, d3, d4; + __m128i *ks, state, b, *bi, *bo; + u_int i, blocks, pblocks, rem; + + state = _mm_load_si128((__m128i*)&this->state); + blocks = len / AES_BLOCK_SIZE; + pblocks = blocks - (blocks % CTR_CRYPT_PARALLELISM); + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < pblocks; i += CTR_CRYPT_PARALLELISM) + { + d1 = _mm_loadu_si128(bi + i + 0); + d2 = _mm_loadu_si128(bi + i + 1); + d3 = _mm_loadu_si128(bi + i + 2); + d4 = _mm_loadu_si128(bi + i + 3); + + t1 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + t2 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + t3 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + t4 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t2 = _mm_aesenc_si128(t2, ks[1]); + t3 = _mm_aesenc_si128(t3, ks[1]); + t4 = _mm_aesenc_si128(t4, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t2 = _mm_aesenc_si128(t2, ks[2]); + t3 = _mm_aesenc_si128(t3, ks[2]); + t4 = _mm_aesenc_si128(t4, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t2 = _mm_aesenc_si128(t2, ks[3]); + t3 = _mm_aesenc_si128(t3, ks[3]); + t4 = _mm_aesenc_si128(t4, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t2 = _mm_aesenc_si128(t2, ks[4]); + t3 = _mm_aesenc_si128(t3, ks[4]); + t4 = _mm_aesenc_si128(t4, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t2 = _mm_aesenc_si128(t2, ks[5]); + t3 = _mm_aesenc_si128(t3, ks[5]); + t4 = _mm_aesenc_si128(t4, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t2 = _mm_aesenc_si128(t2, ks[6]); + t3 = _mm_aesenc_si128(t3, ks[6]); + t4 = _mm_aesenc_si128(t4, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t2 = _mm_aesenc_si128(t2, ks[7]); + t3 = _mm_aesenc_si128(t3, ks[7]); + t4 = _mm_aesenc_si128(t4, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t2 = _mm_aesenc_si128(t2, ks[8]); + t3 = _mm_aesenc_si128(t3, ks[8]); + t4 = _mm_aesenc_si128(t4, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t2 = _mm_aesenc_si128(t2, ks[9]); + t3 = _mm_aesenc_si128(t3, ks[9]); + t4 = _mm_aesenc_si128(t4, ks[9]); + + t1 = _mm_aesenclast_si128(t1, ks[10]); + t2 = _mm_aesenclast_si128(t2, ks[10]); + t3 = _mm_aesenclast_si128(t3, ks[10]); + t4 = _mm_aesenclast_si128(t4, ks[10]); + t1 = _mm_xor_si128(t1, d1); + t2 = _mm_xor_si128(t2, d2); + t3 = _mm_xor_si128(t3, d3); + t4 = _mm_xor_si128(t4, d4); + _mm_storeu_si128(bo + i + 0, t1); + _mm_storeu_si128(bo + i + 1, t2); + _mm_storeu_si128(bo + i + 2, t3); + _mm_storeu_si128(bo + i + 3, t4); + } + + for (i = pblocks; i < blocks; i++) + { + d1 = _mm_loadu_si128(bi + i); + + t1 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + + t1 = _mm_aesenclast_si128(t1, ks[10]); + t1 = _mm_xor_si128(t1, d1); + _mm_storeu_si128(bo + i, t1); + } + + if (rem) + { + memset(&b, 0, sizeof(b)); + memcpy(&b, bi + blocks, rem); + + d1 = _mm_loadu_si128(&b); + t1 = _mm_xor_si128(state, ks[0]); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + + t1 = _mm_aesenclast_si128(t1, ks[10]); + t1 = _mm_xor_si128(t1, d1); + _mm_storeu_si128(&b, t1); + + memcpy(bo + blocks, &b, rem); + } +} + +/** + * AES-192 CTR encryption + */ +static void encrypt_ctr192(private_aesni_ctr_t *this, + size_t len, u_char *in, u_char *out) +{ + __m128i t1, t2, t3, t4; + __m128i d1, d2, d3, d4; + __m128i *ks, state, b, *bi, *bo; + u_int i, blocks, pblocks, rem; + + state = _mm_load_si128((__m128i*)&this->state); + blocks = len / AES_BLOCK_SIZE; + pblocks = blocks - (blocks % CTR_CRYPT_PARALLELISM); + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < pblocks; i += CTR_CRYPT_PARALLELISM) + { + d1 = _mm_loadu_si128(bi + i + 0); + d2 = _mm_loadu_si128(bi + i + 1); + d3 = _mm_loadu_si128(bi + i + 2); + d4 = _mm_loadu_si128(bi + i + 3); + + t1 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + t2 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + t3 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + t4 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t2 = _mm_aesenc_si128(t2, ks[1]); + t3 = _mm_aesenc_si128(t3, ks[1]); + t4 = _mm_aesenc_si128(t4, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t2 = _mm_aesenc_si128(t2, ks[2]); + t3 = _mm_aesenc_si128(t3, ks[2]); + t4 = _mm_aesenc_si128(t4, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t2 = _mm_aesenc_si128(t2, ks[3]); + t3 = _mm_aesenc_si128(t3, ks[3]); + t4 = _mm_aesenc_si128(t4, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t2 = _mm_aesenc_si128(t2, ks[4]); + t3 = _mm_aesenc_si128(t3, ks[4]); + t4 = _mm_aesenc_si128(t4, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t2 = _mm_aesenc_si128(t2, ks[5]); + t3 = _mm_aesenc_si128(t3, ks[5]); + t4 = _mm_aesenc_si128(t4, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t2 = _mm_aesenc_si128(t2, ks[6]); + t3 = _mm_aesenc_si128(t3, ks[6]); + t4 = _mm_aesenc_si128(t4, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t2 = _mm_aesenc_si128(t2, ks[7]); + t3 = _mm_aesenc_si128(t3, ks[7]); + t4 = _mm_aesenc_si128(t4, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t2 = _mm_aesenc_si128(t2, ks[8]); + t3 = _mm_aesenc_si128(t3, ks[8]); + t4 = _mm_aesenc_si128(t4, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t2 = _mm_aesenc_si128(t2, ks[9]); + t3 = _mm_aesenc_si128(t3, ks[9]); + t4 = _mm_aesenc_si128(t4, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t2 = _mm_aesenc_si128(t2, ks[10]); + t3 = _mm_aesenc_si128(t3, ks[10]); + t4 = _mm_aesenc_si128(t4, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + t2 = _mm_aesenc_si128(t2, ks[11]); + t3 = _mm_aesenc_si128(t3, ks[11]); + t4 = _mm_aesenc_si128(t4, ks[11]); + + t1 = _mm_aesenclast_si128(t1, ks[12]); + t2 = _mm_aesenclast_si128(t2, ks[12]); + t3 = _mm_aesenclast_si128(t3, ks[12]); + t4 = _mm_aesenclast_si128(t4, ks[12]); + t1 = _mm_xor_si128(t1, d1); + t2 = _mm_xor_si128(t2, d2); + t3 = _mm_xor_si128(t3, d3); + t4 = _mm_xor_si128(t4, d4); + _mm_storeu_si128(bo + i + 0, t1); + _mm_storeu_si128(bo + i + 1, t2); + _mm_storeu_si128(bo + i + 2, t3); + _mm_storeu_si128(bo + i + 3, t4); + } + + for (i = pblocks; i < blocks; i++) + { + d1 = _mm_loadu_si128(bi + i); + + t1 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + + t1 = _mm_aesenclast_si128(t1, ks[12]); + t1 = _mm_xor_si128(t1, d1); + _mm_storeu_si128(bo + i, t1); + } + + if (rem) + { + memset(&b, 0, sizeof(b)); + memcpy(&b, bi + blocks, rem); + + d1 = _mm_loadu_si128(&b); + t1 = _mm_xor_si128(state, ks[0]); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + + t1 = _mm_aesenclast_si128(t1, ks[12]); + t1 = _mm_xor_si128(t1, d1); + _mm_storeu_si128(&b, t1); + + memcpy(bo + blocks, &b, rem); + } +} + +/** + * AES-256 CTR encryption + */ +static void encrypt_ctr256(private_aesni_ctr_t *this, + size_t len, u_char *in, u_char *out) +{ + __m128i t1, t2, t3, t4; + __m128i d1, d2, d3, d4; + __m128i *ks, state, b, *bi, *bo; + u_int i, blocks, pblocks, rem; + + state = _mm_load_si128((__m128i*)&this->state); + blocks = len / AES_BLOCK_SIZE; + pblocks = blocks - (blocks % CTR_CRYPT_PARALLELISM); + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < pblocks; i += CTR_CRYPT_PARALLELISM) + { + d1 = _mm_loadu_si128(bi + i + 0); + d2 = _mm_loadu_si128(bi + i + 1); + d3 = _mm_loadu_si128(bi + i + 2); + d4 = _mm_loadu_si128(bi + i + 3); + + t1 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + t2 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + t3 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + t4 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t2 = _mm_aesenc_si128(t2, ks[1]); + t3 = _mm_aesenc_si128(t3, ks[1]); + t4 = _mm_aesenc_si128(t4, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t2 = _mm_aesenc_si128(t2, ks[2]); + t3 = _mm_aesenc_si128(t3, ks[2]); + t4 = _mm_aesenc_si128(t4, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t2 = _mm_aesenc_si128(t2, ks[3]); + t3 = _mm_aesenc_si128(t3, ks[3]); + t4 = _mm_aesenc_si128(t4, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t2 = _mm_aesenc_si128(t2, ks[4]); + t3 = _mm_aesenc_si128(t3, ks[4]); + t4 = _mm_aesenc_si128(t4, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t2 = _mm_aesenc_si128(t2, ks[5]); + t3 = _mm_aesenc_si128(t3, ks[5]); + t4 = _mm_aesenc_si128(t4, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t2 = _mm_aesenc_si128(t2, ks[6]); + t3 = _mm_aesenc_si128(t3, ks[6]); + t4 = _mm_aesenc_si128(t4, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t2 = _mm_aesenc_si128(t2, ks[7]); + t3 = _mm_aesenc_si128(t3, ks[7]); + t4 = _mm_aesenc_si128(t4, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t2 = _mm_aesenc_si128(t2, ks[8]); + t3 = _mm_aesenc_si128(t3, ks[8]); + t4 = _mm_aesenc_si128(t4, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t2 = _mm_aesenc_si128(t2, ks[9]); + t3 = _mm_aesenc_si128(t3, ks[9]); + t4 = _mm_aesenc_si128(t4, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t2 = _mm_aesenc_si128(t2, ks[10]); + t3 = _mm_aesenc_si128(t3, ks[10]); + t4 = _mm_aesenc_si128(t4, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + t2 = _mm_aesenc_si128(t2, ks[11]); + t3 = _mm_aesenc_si128(t3, ks[11]); + t4 = _mm_aesenc_si128(t4, ks[11]); + t1 = _mm_aesenc_si128(t1, ks[12]); + t2 = _mm_aesenc_si128(t2, ks[12]); + t3 = _mm_aesenc_si128(t3, ks[12]); + t4 = _mm_aesenc_si128(t4, ks[12]); + t1 = _mm_aesenc_si128(t1, ks[13]); + t2 = _mm_aesenc_si128(t2, ks[13]); + t3 = _mm_aesenc_si128(t3, ks[13]); + t4 = _mm_aesenc_si128(t4, ks[13]); + + t1 = _mm_aesenclast_si128(t1, ks[14]); + t2 = _mm_aesenclast_si128(t2, ks[14]); + t3 = _mm_aesenclast_si128(t3, ks[14]); + t4 = _mm_aesenclast_si128(t4, ks[14]); + t1 = _mm_xor_si128(t1, d1); + t2 = _mm_xor_si128(t2, d2); + t3 = _mm_xor_si128(t3, d3); + t4 = _mm_xor_si128(t4, d4); + _mm_storeu_si128(bo + i + 0, t1); + _mm_storeu_si128(bo + i + 1, t2); + _mm_storeu_si128(bo + i + 2, t3); + _mm_storeu_si128(bo + i + 3, t4); + } + + for (i = pblocks; i < blocks; i++) + { + d1 = _mm_loadu_si128(bi + i); + + t1 = _mm_xor_si128(state, ks[0]); + state = increment_be(state); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + t1 = _mm_aesenc_si128(t1, ks[12]); + t1 = _mm_aesenc_si128(t1, ks[13]); + + t1 = _mm_aesenclast_si128(t1, ks[14]); + t1 = _mm_xor_si128(t1, d1); + _mm_storeu_si128(bo + i, t1); + } + + if (rem) + { + memset(&b, 0, sizeof(b)); + memcpy(&b, bi + blocks, rem); + + d1 = _mm_loadu_si128(&b); + t1 = _mm_xor_si128(state, ks[0]); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + t1 = _mm_aesenc_si128(t1, ks[12]); + t1 = _mm_aesenc_si128(t1, ks[13]); + + t1 = _mm_aesenclast_si128(t1, ks[14]); + t1 = _mm_xor_si128(t1, d1); + _mm_storeu_si128(&b, t1); + + memcpy(bo + blocks, &b, rem); + } +} + +METHOD(crypter_t, crypt, bool, + private_aesni_ctr_t *this, chunk_t in, chunk_t iv, chunk_t *out) +{ + u_char *buf; + + if (!this->key || iv.len != sizeof(this->state.iv)) + { + return FALSE; + } + memcpy(this->state.iv, iv.ptr, sizeof(this->state.iv)); + this->state.counter = htonl(1); + + buf = in.ptr; + if (out) + { + *out = chunk_alloc(in.len); + buf = out->ptr; + } + this->crypt(this, in.len, in.ptr, buf); + return TRUE; +} + +METHOD(crypter_t, get_block_size, size_t, + private_aesni_ctr_t *this) +{ + return 1; +} + +METHOD(crypter_t, get_iv_size, size_t, + private_aesni_ctr_t *this) +{ + return sizeof(this->state.iv); +} + +METHOD(crypter_t, get_key_size, size_t, + private_aesni_ctr_t *this) +{ + return this->key_size + sizeof(this->state.nonce); +} + +METHOD(crypter_t, set_key, bool, + private_aesni_ctr_t *this, chunk_t key) +{ + if (key.len != get_key_size(this)) + { + return FALSE; + } + + memcpy(this->state.nonce, key.ptr + key.len - sizeof(this->state.nonce), + sizeof(this->state.nonce)); + key.len -= sizeof(this->state.nonce); + + DESTROY_IF(this->key); + this->key = aesni_key_create(TRUE, key); + + return this->key; +} + +METHOD(crypter_t, destroy, void, + private_aesni_ctr_t *this) +{ + DESTROY_IF(this->key); + free_align(this); +} + +/** + * See header + */ +aesni_ctr_t *aesni_ctr_create(encryption_algorithm_t algo, size_t key_size) +{ + private_aesni_ctr_t *this; + + if (algo != ENCR_AES_CTR) + { + return NULL; + } + switch (key_size) + { + case 0: + key_size = 16; + break; + case 16: + case 24: + case 32: + break; + default: + return NULL; + } + + INIT_ALIGN(this, sizeof(__m128i), + .public = { + .crypter = { + .encrypt = _crypt, + .decrypt = _crypt, + .get_block_size = _get_block_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .key_size = key_size, + ); + + switch (key_size) + { + case 16: + this->crypt = encrypt_ctr128; + break; + case 24: + this->crypt = encrypt_ctr192; + break; + case 32: + this->crypt = encrypt_ctr256; + break; + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/aesni/aesni_ctr.h b/src/libstrongswan/plugins/aesni/aesni_ctr.h new file mode 100644 index 000000000..6126a2c75 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_ctr.h @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup aesni_ctr aesni_ctr + * @{ @ingroup aesni + */ + +#ifndef AESNI_CTR_H_ +#define AESNI_CTR_H_ + +#include + +typedef struct aesni_ctr_t aesni_ctr_t; + +/** + * CTR mode crypter using AES-NI + */ +struct aesni_ctr_t { + + /** + * Implements crypter interface + */ + crypter_t crypter; +}; + +/** + * Create a aesni_ctr instance. + * + * @param algo encryption algorithm, AES_ENCR_CTR + * @param key_size AES key size, in bytes + * @return AES-CTR crypter, NULL if not supported + */ +aesni_ctr_t *aesni_ctr_create(encryption_algorithm_t algo, size_t key_size); + +#endif /** AESNI_CTR_H_ @}*/ diff --git a/src/libstrongswan/plugins/aesni/aesni_gcm.c b/src/libstrongswan/plugins/aesni/aesni_gcm.c new file mode 100644 index 000000000..53c0b144e --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_gcm.c @@ -0,0 +1,1447 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "aesni_gcm.h" +#include "aesni_key.h" + +#include + +#include + +#define NONCE_SIZE 12 +#define IV_SIZE 8 +#define SALT_SIZE (NONCE_SIZE - IV_SIZE) + +/** + * Parallel pipelining + */ +#define GCM_CRYPT_PARALLELISM 4 + +typedef struct private_aesni_gcm_t private_aesni_gcm_t; + +/** + * GCM en/decryption method type + */ +typedef void (*aesni_gcm_fn_t)(private_aesni_gcm_t*, size_t, u_char*, u_char*, + u_char*, size_t, u_char*, u_char*); + +/** + * Private data of an aesni_gcm_t object. + */ +struct private_aesni_gcm_t { + + /** + * Public aesni_gcm_t interface. + */ + aesni_gcm_t public; + + /** + * Encryption key schedule + */ + aesni_key_t *key; + + /** + * IV generator. + */ + iv_gen_t *iv_gen; + + /** + * Length of the integrity check value + */ + size_t icv_size; + + /** + * Length of the key in bytes + */ + size_t key_size; + + /** + * GCM encryption function + */ + aesni_gcm_fn_t encrypt; + + /** + * GCM decryption function + */ + aesni_gcm_fn_t decrypt; + + /** + * salt to add to nonce + */ + u_char salt[SALT_SIZE]; + + /** + * GHASH subkey H, big-endian + */ + __m128i h; + + /** + * GHASH key H^2, big-endian + */ + __m128i hh; + + /** + * GHASH key H^3, big-endian + */ + __m128i hhh; + + /** + * GHASH key H^4, big-endian + */ + __m128i hhhh; +}; + +/** + * Byte-swap a 128-bit integer + */ +static inline __m128i swap128(__m128i x) +{ + return _mm_shuffle_epi8(x, + _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)); +} + +/** + * Multiply two blocks in GF128 + */ +static __m128i mult_block(__m128i h, __m128i y) +{ + __m128i t1, t2, t3, t4, t5, t6; + + y = swap128(y); + + t1 = _mm_clmulepi64_si128(h, y, 0x00); + t2 = _mm_clmulepi64_si128(h, y, 0x01); + t3 = _mm_clmulepi64_si128(h, y, 0x10); + t4 = _mm_clmulepi64_si128(h, y, 0x11); + + t2 = _mm_xor_si128(t2, t3); + t3 = _mm_slli_si128(t2, 8); + t2 = _mm_srli_si128(t2, 8); + t1 = _mm_xor_si128(t1, t3); + t4 = _mm_xor_si128(t4, t2); + + t5 = _mm_srli_epi32(t1, 31); + t1 = _mm_slli_epi32(t1, 1); + t6 = _mm_srli_epi32(t4, 31); + t4 = _mm_slli_epi32(t4, 1); + + t3 = _mm_srli_si128(t5, 12); + t6 = _mm_slli_si128(t6, 4); + t5 = _mm_slli_si128(t5, 4); + t1 = _mm_or_si128(t1, t5); + t4 = _mm_or_si128(t4, t6); + t4 = _mm_or_si128(t4, t3); + + t5 = _mm_slli_epi32(t1, 31); + t6 = _mm_slli_epi32(t1, 30); + t3 = _mm_slli_epi32(t1, 25); + + t5 = _mm_xor_si128(t5, t6); + t5 = _mm_xor_si128(t5, t3); + t6 = _mm_srli_si128(t5, 4); + t4 = _mm_xor_si128(t4, t6); + t5 = _mm_slli_si128(t5, 12); + t1 = _mm_xor_si128(t1, t5); + t4 = _mm_xor_si128(t4, t1); + + t5 = _mm_srli_epi32(t1, 1); + t2 = _mm_srli_epi32(t1, 2); + t3 = _mm_srli_epi32(t1, 7); + t4 = _mm_xor_si128(t4, t2); + t4 = _mm_xor_si128(t4, t3); + t4 = _mm_xor_si128(t4, t5); + + return swap128(t4); +} + +/** + * Multiply four consecutive blocks by their respective GHASH key, XOR + */ +static inline __m128i mult4xor(__m128i h1, __m128i h2, __m128i h3, __m128i h4, + __m128i d1, __m128i d2, __m128i d3, __m128i d4) +{ + __m128i t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; + + d1 = swap128(d1); + d2 = swap128(d2); + d3 = swap128(d3); + d4 = swap128(d4); + + t0 = _mm_clmulepi64_si128(h1, d1, 0x00); + t1 = _mm_clmulepi64_si128(h2, d2, 0x00); + t2 = _mm_clmulepi64_si128(h3, d3, 0x00); + t3 = _mm_clmulepi64_si128(h4, d4, 0x00); + t8 = _mm_xor_si128(t0, t1); + t8 = _mm_xor_si128(t8, t2); + t8 = _mm_xor_si128(t8, t3); + + t4 = _mm_clmulepi64_si128(h1, d1, 0x11); + t5 = _mm_clmulepi64_si128(h2, d2, 0x11); + t6 = _mm_clmulepi64_si128(h3, d3, 0x11); + t7 = _mm_clmulepi64_si128(h4, d4, 0x11); + t9 = _mm_xor_si128(t4, t5); + t9 = _mm_xor_si128(t9, t6); + t9 = _mm_xor_si128(t9, t7); + + t0 = _mm_shuffle_epi32(h1, 78); + t4 = _mm_shuffle_epi32(d1, 78); + t0 = _mm_xor_si128(t0, h1); + t4 = _mm_xor_si128(t4, d1); + t1 = _mm_shuffle_epi32(h2, 78); + t5 = _mm_shuffle_epi32(d2, 78); + t1 = _mm_xor_si128(t1, h2); + t5 = _mm_xor_si128(t5, d2); + t2 = _mm_shuffle_epi32(h3, 78); + t6 = _mm_shuffle_epi32(d3, 78); + t2 = _mm_xor_si128(t2, h3); + t6 = _mm_xor_si128(t6, d3); + t3 = _mm_shuffle_epi32(h4, 78); + t7 = _mm_shuffle_epi32(d4, 78); + t3 = _mm_xor_si128(t3, h4); + t7 = _mm_xor_si128(t7, d4); + + t0 = _mm_clmulepi64_si128(t0, t4, 0x00); + t1 = _mm_clmulepi64_si128(t1, t5, 0x00); + t2 = _mm_clmulepi64_si128(t2, t6, 0x00); + t3 = _mm_clmulepi64_si128(t3, t7, 0x00); + t0 = _mm_xor_si128(t0, t8); + t0 = _mm_xor_si128(t0, t9); + t0 = _mm_xor_si128(t1, t0); + t0 = _mm_xor_si128(t2, t0); + + t0 = _mm_xor_si128(t3, t0); + t4 = _mm_slli_si128(t0, 8); + t0 = _mm_srli_si128(t0, 8); + t3 = _mm_xor_si128(t4, t8); + t6 = _mm_xor_si128(t0, t9); + t7 = _mm_srli_epi32(t3, 31); + t8 = _mm_srli_epi32(t6, 31); + t3 = _mm_slli_epi32(t3, 1); + t6 = _mm_slli_epi32(t6, 1); + t9 = _mm_srli_si128(t7, 12); + t8 = _mm_slli_si128(t8, 4); + t7 = _mm_slli_si128(t7, 4); + t3 = _mm_or_si128(t3, t7); + t6 = _mm_or_si128(t6, t8); + t6 = _mm_or_si128(t6, t9); + t7 = _mm_slli_epi32(t3, 31); + t8 = _mm_slli_epi32(t3, 30); + t9 = _mm_slli_epi32(t3, 25); + t7 = _mm_xor_si128(t7, t8); + t7 = _mm_xor_si128(t7, t9); + t8 = _mm_srli_si128(t7, 4); + t7 = _mm_slli_si128(t7, 12); + t3 = _mm_xor_si128(t3, t7); + t2 = _mm_srli_epi32(t3, 1); + t4 = _mm_srli_epi32(t3, 2); + t5 = _mm_srli_epi32(t3, 7); + t2 = _mm_xor_si128(t2, t4); + t2 = _mm_xor_si128(t2, t5); + t2 = _mm_xor_si128(t2, t8); + t3 = _mm_xor_si128(t3, t2); + t6 = _mm_xor_si128(t6, t3); + + return swap128(t6); +} + +/** + * GHASH on a single block + */ +static __m128i ghash(__m128i h, __m128i y, __m128i x) +{ + return mult_block(h, _mm_xor_si128(y, x)); +} + +/** + * Start constructing the ICV for the associated data + */ +static __m128i icv_header(private_aesni_gcm_t *this, void *assoc, size_t alen) +{ + u_int blocks, pblocks, rem, i; + __m128i h1, h2, h3, h4, d1, d2, d3, d4; + __m128i y, last, *ab; + + h1 = this->hhhh; + h2 = this->hhh; + h3 = this->hh; + h4 = this->h; + + y = _mm_setzero_si128(); + ab = assoc; + blocks = alen / AES_BLOCK_SIZE; + pblocks = blocks - (blocks % GCM_CRYPT_PARALLELISM); + rem = alen % AES_BLOCK_SIZE; + for (i = 0; i < pblocks; i += GCM_CRYPT_PARALLELISM) + { + d1 = _mm_loadu_si128(ab + i + 0); + d2 = _mm_loadu_si128(ab + i + 1); + d3 = _mm_loadu_si128(ab + i + 2); + d4 = _mm_loadu_si128(ab + i + 3); + y = _mm_xor_si128(y, d1); + y = mult4xor(h1, h2, h3, h4, y, d2, d3, d4); + } + for (i = pblocks; i < blocks; i++) + { + y = ghash(this->h, y, _mm_loadu_si128(ab + i)); + } + if (rem) + { + last = _mm_setzero_si128(); + memcpy(&last, ab + blocks, rem); + + y = ghash(this->h, y, last); + } + + return y; +} + +/** + * Complete the ICV by hashing a assoc/data length block + */ +static __m128i icv_tailer(private_aesni_gcm_t *this, __m128i y, + size_t alen, size_t dlen) +{ + __m128i b; + + htoun64(&b, alen * 8); + htoun64((u_char*)&b + sizeof(u_int64_t), dlen * 8); + + return ghash(this->h, y, b); +} + +/** + * En-/Decrypt the ICV, trim and store it + */ +static void icv_crypt(private_aesni_gcm_t *this, __m128i y, __m128i j, + u_char *icv) +{ + __m128i *ks, t, b; + u_int round; + + ks = this->key->schedule; + t = _mm_xor_si128(j, ks[0]); + for (round = 1; round < this->key->rounds; round++) + { + t = _mm_aesenc_si128(t, ks[round]); + } + t = _mm_aesenclast_si128(t, ks[this->key->rounds]); + + t = _mm_xor_si128(y, t); + + _mm_storeu_si128(&b, t); + memcpy(icv, &b, this->icv_size); +} + +/** + * Do big-endian increment on x + */ +static inline __m128i increment_be(__m128i x) +{ + x = swap128(x); + x = _mm_add_epi64(x, _mm_set_epi32(0, 0, 0, 1)); + x = swap128(x); + + return x; +} + +/** + * Generate the block J0 + */ +static inline __m128i create_j(private_aesni_gcm_t *this, u_char *iv) +{ + u_char j[AES_BLOCK_SIZE]; + + memcpy(j, this->salt, SALT_SIZE); + memcpy(j + SALT_SIZE, iv, IV_SIZE); + htoun32(j + SALT_SIZE + IV_SIZE, 1); + + return _mm_loadu_si128((__m128i*)j); +} + +/** + * Encrypt a remaining incomplete block, return updated Y + */ +static __m128i encrypt_gcm_rem(private_aesni_gcm_t *this, u_int rem, + void *in, void *out, __m128i cb, __m128i y) +{ + __m128i *ks, t, b; + u_int round; + + memset(&b, 0, sizeof(b)); + memcpy(&b, in, rem); + + ks = this->key->schedule; + t = _mm_xor_si128(cb, ks[0]); + for (round = 1; round < this->key->rounds; round++) + { + t = _mm_aesenc_si128(t, ks[round]); + } + t = _mm_aesenclast_si128(t, ks[this->key->rounds]); + b = _mm_xor_si128(t, b); + + memcpy(out, &b, rem); + + memset((u_char*)&b + rem, 0, AES_BLOCK_SIZE - rem); + return ghash(this->h, y, b); +} + +/** + * Decrypt a remaining incomplete block, return updated Y + */ +static __m128i decrypt_gcm_rem(private_aesni_gcm_t *this, u_int rem, + void *in, void *out, __m128i cb, __m128i y) +{ + __m128i *ks, t, b; + u_int round; + + memset(&b, 0, sizeof(b)); + memcpy(&b, in, rem); + + y = ghash(this->h, y, b); + + ks = this->key->schedule; + t = _mm_xor_si128(cb, ks[0]); + for (round = 1; round < this->key->rounds; round++) + { + t = _mm_aesenc_si128(t, ks[round]); + } + t = _mm_aesenclast_si128(t, ks[this->key->rounds]); + b = _mm_xor_si128(t, b); + + memcpy(out, &b, rem); + + return y; +} + +/** + * AES-128 GCM encryption/ICV generation + */ +static void encrypt_gcm128(private_aesni_gcm_t *this, + size_t len, u_char *in, u_char *out, u_char *iv, + size_t alen, u_char *assoc, u_char *icv) +{ + __m128i d1, d2, d3, d4, t1, t2, t3, t4; + __m128i *ks, y, j, cb, *bi, *bo; + u_int blocks, pblocks, rem, i; + + j = create_j(this, iv); + cb = increment_be(j); + y = icv_header(this, assoc, alen); + blocks = len / AES_BLOCK_SIZE; + pblocks = blocks - (blocks % GCM_CRYPT_PARALLELISM); + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < pblocks; i += GCM_CRYPT_PARALLELISM) + { + d1 = _mm_loadu_si128(bi + i + 0); + d2 = _mm_loadu_si128(bi + i + 1); + d3 = _mm_loadu_si128(bi + i + 2); + d4 = _mm_loadu_si128(bi + i + 3); + + t1 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t2 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t3 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t4 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t2 = _mm_aesenc_si128(t2, ks[1]); + t3 = _mm_aesenc_si128(t3, ks[1]); + t4 = _mm_aesenc_si128(t4, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t2 = _mm_aesenc_si128(t2, ks[2]); + t3 = _mm_aesenc_si128(t3, ks[2]); + t4 = _mm_aesenc_si128(t4, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t2 = _mm_aesenc_si128(t2, ks[3]); + t3 = _mm_aesenc_si128(t3, ks[3]); + t4 = _mm_aesenc_si128(t4, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t2 = _mm_aesenc_si128(t2, ks[4]); + t3 = _mm_aesenc_si128(t3, ks[4]); + t4 = _mm_aesenc_si128(t4, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t2 = _mm_aesenc_si128(t2, ks[5]); + t3 = _mm_aesenc_si128(t3, ks[5]); + t4 = _mm_aesenc_si128(t4, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t2 = _mm_aesenc_si128(t2, ks[6]); + t3 = _mm_aesenc_si128(t3, ks[6]); + t4 = _mm_aesenc_si128(t4, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t2 = _mm_aesenc_si128(t2, ks[7]); + t3 = _mm_aesenc_si128(t3, ks[7]); + t4 = _mm_aesenc_si128(t4, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t2 = _mm_aesenc_si128(t2, ks[8]); + t3 = _mm_aesenc_si128(t3, ks[8]); + t4 = _mm_aesenc_si128(t4, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t2 = _mm_aesenc_si128(t2, ks[9]); + t3 = _mm_aesenc_si128(t3, ks[9]); + t4 = _mm_aesenc_si128(t4, ks[9]); + + t1 = _mm_aesenclast_si128(t1, ks[10]); + t2 = _mm_aesenclast_si128(t2, ks[10]); + t3 = _mm_aesenclast_si128(t3, ks[10]); + t4 = _mm_aesenclast_si128(t4, ks[10]); + + t1 = _mm_xor_si128(t1, d1); + t2 = _mm_xor_si128(t2, d2); + t3 = _mm_xor_si128(t3, d3); + t4 = _mm_xor_si128(t4, d4); + + y = _mm_xor_si128(y, t1); + y = mult4xor(this->hhhh, this->hhh, this->hh, this->h, y, t2, t3, t4); + + _mm_storeu_si128(bo + i + 0, t1); + _mm_storeu_si128(bo + i + 1, t2); + _mm_storeu_si128(bo + i + 2, t3); + _mm_storeu_si128(bo + i + 3, t4); + } + + for (i = pblocks; i < blocks; i++) + { + d1 = _mm_loadu_si128(bi + i); + + t1 = _mm_xor_si128(cb, ks[0]); + t1 = _mm_aesenc_si128(t1, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t1 = _mm_aesenclast_si128(t1, ks[10]); + + t1 = _mm_xor_si128(t1, d1); + _mm_storeu_si128(bo + i, t1); + + y = ghash(this->h, y, t1); + + cb = increment_be(cb); + } + + if (rem) + { + y = encrypt_gcm_rem(this, rem, bi + blocks, bo + blocks, cb, y); + } + y = icv_tailer(this, y, alen, len); + icv_crypt(this, y, j, icv); +} + +/** + * AES-128 GCM decryption/ICV generation + */ +static void decrypt_gcm128(private_aesni_gcm_t *this, + size_t len, u_char *in, u_char *out, u_char *iv, + size_t alen, u_char *assoc, u_char *icv) +{ + __m128i d1, d2, d3, d4, t1, t2, t3, t4; + __m128i *ks, y, j, cb, *bi, *bo; + u_int blocks, pblocks, rem, i; + + j = create_j(this, iv); + cb = increment_be(j); + y = icv_header(this, assoc, alen); + blocks = len / AES_BLOCK_SIZE; + pblocks = blocks - (blocks % GCM_CRYPT_PARALLELISM); + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < pblocks; i += GCM_CRYPT_PARALLELISM) + { + d1 = _mm_loadu_si128(bi + i + 0); + d2 = _mm_loadu_si128(bi + i + 1); + d3 = _mm_loadu_si128(bi + i + 2); + d4 = _mm_loadu_si128(bi + i + 3); + + y = _mm_xor_si128(y, d1); + y = mult4xor(this->hhhh, this->hhh, this->hh, this->h, y, d2, d3, d4); + + t1 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t2 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t3 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t4 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t2 = _mm_aesenc_si128(t2, ks[1]); + t3 = _mm_aesenc_si128(t3, ks[1]); + t4 = _mm_aesenc_si128(t4, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t2 = _mm_aesenc_si128(t2, ks[2]); + t3 = _mm_aesenc_si128(t3, ks[2]); + t4 = _mm_aesenc_si128(t4, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t2 = _mm_aesenc_si128(t2, ks[3]); + t3 = _mm_aesenc_si128(t3, ks[3]); + t4 = _mm_aesenc_si128(t4, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t2 = _mm_aesenc_si128(t2, ks[4]); + t3 = _mm_aesenc_si128(t3, ks[4]); + t4 = _mm_aesenc_si128(t4, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t2 = _mm_aesenc_si128(t2, ks[5]); + t3 = _mm_aesenc_si128(t3, ks[5]); + t4 = _mm_aesenc_si128(t4, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t2 = _mm_aesenc_si128(t2, ks[6]); + t3 = _mm_aesenc_si128(t3, ks[6]); + t4 = _mm_aesenc_si128(t4, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t2 = _mm_aesenc_si128(t2, ks[7]); + t3 = _mm_aesenc_si128(t3, ks[7]); + t4 = _mm_aesenc_si128(t4, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t2 = _mm_aesenc_si128(t2, ks[8]); + t3 = _mm_aesenc_si128(t3, ks[8]); + t4 = _mm_aesenc_si128(t4, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t2 = _mm_aesenc_si128(t2, ks[9]); + t3 = _mm_aesenc_si128(t3, ks[9]); + t4 = _mm_aesenc_si128(t4, ks[9]); + + t1 = _mm_aesenclast_si128(t1, ks[10]); + t2 = _mm_aesenclast_si128(t2, ks[10]); + t3 = _mm_aesenclast_si128(t3, ks[10]); + t4 = _mm_aesenclast_si128(t4, ks[10]); + + t1 = _mm_xor_si128(t1, d1); + t2 = _mm_xor_si128(t2, d2); + t3 = _mm_xor_si128(t3, d3); + t4 = _mm_xor_si128(t4, d4); + + _mm_storeu_si128(bo + i + 0, t1); + _mm_storeu_si128(bo + i + 1, t2); + _mm_storeu_si128(bo + i + 2, t3); + _mm_storeu_si128(bo + i + 3, t4); + } + + for (i = pblocks; i < blocks; i++) + { + d1 = _mm_loadu_si128(bi + i); + + y = ghash(this->h, y, d1); + + t1 = _mm_xor_si128(cb, ks[0]); + t1 = _mm_aesenc_si128(t1, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t1 = _mm_aesenclast_si128(t1, ks[10]); + + t1 = _mm_xor_si128(t1, d1); + _mm_storeu_si128(bo + i, t1); + + cb = increment_be(cb); + } + + if (rem) + { + y = decrypt_gcm_rem(this, rem, bi + blocks, bo + blocks, cb, y); + } + y = icv_tailer(this, y, alen, len); + icv_crypt(this, y, j, icv); +} + +/** + * AES-192 GCM encryption/ICV generation + */ +static void encrypt_gcm192(private_aesni_gcm_t *this, + size_t len, u_char *in, u_char *out, u_char *iv, + size_t alen, u_char *assoc, u_char *icv) +{ + __m128i d1, d2, d3, d4, t1, t2, t3, t4; + __m128i *ks, y, j, cb, *bi, *bo; + u_int blocks, pblocks, rem, i; + + j = create_j(this, iv); + cb = increment_be(j); + y = icv_header(this, assoc, alen); + blocks = len / AES_BLOCK_SIZE; + pblocks = blocks - (blocks % GCM_CRYPT_PARALLELISM); + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < pblocks; i += GCM_CRYPT_PARALLELISM) + { + d1 = _mm_loadu_si128(bi + i + 0); + d2 = _mm_loadu_si128(bi + i + 1); + d3 = _mm_loadu_si128(bi + i + 2); + d4 = _mm_loadu_si128(bi + i + 3); + + t1 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t2 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t3 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t4 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t2 = _mm_aesenc_si128(t2, ks[1]); + t3 = _mm_aesenc_si128(t3, ks[1]); + t4 = _mm_aesenc_si128(t4, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t2 = _mm_aesenc_si128(t2, ks[2]); + t3 = _mm_aesenc_si128(t3, ks[2]); + t4 = _mm_aesenc_si128(t4, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t2 = _mm_aesenc_si128(t2, ks[3]); + t3 = _mm_aesenc_si128(t3, ks[3]); + t4 = _mm_aesenc_si128(t4, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t2 = _mm_aesenc_si128(t2, ks[4]); + t3 = _mm_aesenc_si128(t3, ks[4]); + t4 = _mm_aesenc_si128(t4, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t2 = _mm_aesenc_si128(t2, ks[5]); + t3 = _mm_aesenc_si128(t3, ks[5]); + t4 = _mm_aesenc_si128(t4, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t2 = _mm_aesenc_si128(t2, ks[6]); + t3 = _mm_aesenc_si128(t3, ks[6]); + t4 = _mm_aesenc_si128(t4, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t2 = _mm_aesenc_si128(t2, ks[7]); + t3 = _mm_aesenc_si128(t3, ks[7]); + t4 = _mm_aesenc_si128(t4, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t2 = _mm_aesenc_si128(t2, ks[8]); + t3 = _mm_aesenc_si128(t3, ks[8]); + t4 = _mm_aesenc_si128(t4, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t2 = _mm_aesenc_si128(t2, ks[9]); + t3 = _mm_aesenc_si128(t3, ks[9]); + t4 = _mm_aesenc_si128(t4, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t2 = _mm_aesenc_si128(t2, ks[10]); + t3 = _mm_aesenc_si128(t3, ks[10]); + t4 = _mm_aesenc_si128(t4, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + t2 = _mm_aesenc_si128(t2, ks[11]); + t3 = _mm_aesenc_si128(t3, ks[11]); + t4 = _mm_aesenc_si128(t4, ks[11]); + + t1 = _mm_aesenclast_si128(t1, ks[12]); + t2 = _mm_aesenclast_si128(t2, ks[12]); + t3 = _mm_aesenclast_si128(t3, ks[12]); + t4 = _mm_aesenclast_si128(t4, ks[12]); + + t1 = _mm_xor_si128(t1, d1); + t2 = _mm_xor_si128(t2, d2); + t3 = _mm_xor_si128(t3, d3); + t4 = _mm_xor_si128(t4, d4); + + y = _mm_xor_si128(y, t1); + y = mult4xor(this->hhhh, this->hhh, this->hh, this->h, y, t2, t3, t4); + + _mm_storeu_si128(bo + i + 0, t1); + _mm_storeu_si128(bo + i + 1, t2); + _mm_storeu_si128(bo + i + 2, t3); + _mm_storeu_si128(bo + i + 3, t4); + } + + for (i = pblocks; i < blocks; i++) + { + d1 = _mm_loadu_si128(bi + i); + + t1 = _mm_xor_si128(cb, ks[0]); + t1 = _mm_aesenc_si128(t1, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + t1 = _mm_aesenclast_si128(t1, ks[12]); + + t1 = _mm_xor_si128(t1, d1); + _mm_storeu_si128(bo + i, t1); + + y = ghash(this->h, y, t1); + + cb = increment_be(cb); + } + + if (rem) + { + y = encrypt_gcm_rem(this, rem, bi + blocks, bo + blocks, cb, y); + } + y = icv_tailer(this, y, alen, len); + icv_crypt(this, y, j, icv); +} + +/** + * AES-192 GCM decryption/ICV generation + */ +static void decrypt_gcm192(private_aesni_gcm_t *this, + size_t len, u_char *in, u_char *out, u_char *iv, + size_t alen, u_char *assoc, u_char *icv) +{ + __m128i d1, d2, d3, d4, t1, t2, t3, t4; + __m128i *ks, y, j, cb, *bi, *bo; + u_int blocks, pblocks, rem, i; + + j = create_j(this, iv); + cb = increment_be(j); + y = icv_header(this, assoc, alen); + blocks = len / AES_BLOCK_SIZE; + pblocks = blocks - (blocks % GCM_CRYPT_PARALLELISM); + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < pblocks; i += GCM_CRYPT_PARALLELISM) + { + d1 = _mm_loadu_si128(bi + i + 0); + d2 = _mm_loadu_si128(bi + i + 1); + d3 = _mm_loadu_si128(bi + i + 2); + d4 = _mm_loadu_si128(bi + i + 3); + + y = _mm_xor_si128(y, d1); + y = mult4xor(this->hhhh, this->hhh, this->hh, this->h, y, d2, d3, d4); + + t1 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t2 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t3 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t4 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t2 = _mm_aesenc_si128(t2, ks[1]); + t3 = _mm_aesenc_si128(t3, ks[1]); + t4 = _mm_aesenc_si128(t4, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t2 = _mm_aesenc_si128(t2, ks[2]); + t3 = _mm_aesenc_si128(t3, ks[2]); + t4 = _mm_aesenc_si128(t4, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t2 = _mm_aesenc_si128(t2, ks[3]); + t3 = _mm_aesenc_si128(t3, ks[3]); + t4 = _mm_aesenc_si128(t4, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t2 = _mm_aesenc_si128(t2, ks[4]); + t3 = _mm_aesenc_si128(t3, ks[4]); + t4 = _mm_aesenc_si128(t4, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t2 = _mm_aesenc_si128(t2, ks[5]); + t3 = _mm_aesenc_si128(t3, ks[5]); + t4 = _mm_aesenc_si128(t4, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t2 = _mm_aesenc_si128(t2, ks[6]); + t3 = _mm_aesenc_si128(t3, ks[6]); + t4 = _mm_aesenc_si128(t4, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t2 = _mm_aesenc_si128(t2, ks[7]); + t3 = _mm_aesenc_si128(t3, ks[7]); + t4 = _mm_aesenc_si128(t4, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t2 = _mm_aesenc_si128(t2, ks[8]); + t3 = _mm_aesenc_si128(t3, ks[8]); + t4 = _mm_aesenc_si128(t4, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t2 = _mm_aesenc_si128(t2, ks[9]); + t3 = _mm_aesenc_si128(t3, ks[9]); + t4 = _mm_aesenc_si128(t4, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t2 = _mm_aesenc_si128(t2, ks[10]); + t3 = _mm_aesenc_si128(t3, ks[10]); + t4 = _mm_aesenc_si128(t4, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + t2 = _mm_aesenc_si128(t2, ks[11]); + t3 = _mm_aesenc_si128(t3, ks[11]); + t4 = _mm_aesenc_si128(t4, ks[11]); + + t1 = _mm_aesenclast_si128(t1, ks[12]); + t2 = _mm_aesenclast_si128(t2, ks[12]); + t3 = _mm_aesenclast_si128(t3, ks[12]); + t4 = _mm_aesenclast_si128(t4, ks[12]); + + t1 = _mm_xor_si128(t1, d1); + t2 = _mm_xor_si128(t2, d2); + t3 = _mm_xor_si128(t3, d3); + t4 = _mm_xor_si128(t4, d4); + + _mm_storeu_si128(bo + i + 0, t1); + _mm_storeu_si128(bo + i + 1, t2); + _mm_storeu_si128(bo + i + 2, t3); + _mm_storeu_si128(bo + i + 3, t4); + } + + for (i = pblocks; i < blocks; i++) + { + d1 = _mm_loadu_si128(bi + i); + + y = ghash(this->h, y, d1); + + t1 = _mm_xor_si128(cb, ks[0]); + t1 = _mm_aesenc_si128(t1, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + t1 = _mm_aesenclast_si128(t1, ks[12]); + + t1 = _mm_xor_si128(t1, d1); + _mm_storeu_si128(bo + i, t1); + + cb = increment_be(cb); + } + + if (rem) + { + y = decrypt_gcm_rem(this, rem, bi + blocks, bo + blocks, cb, y); + } + y = icv_tailer(this, y, alen, len); + icv_crypt(this, y, j, icv); +} + +/** + * AES-256 GCM encryption/ICV generation + */ +static void encrypt_gcm256(private_aesni_gcm_t *this, + size_t len, u_char *in, u_char *out, u_char *iv, + size_t alen, u_char *assoc, u_char *icv) +{ + __m128i d1, d2, d3, d4, t1, t2, t3, t4; + __m128i *ks, y, j, cb, *bi, *bo; + u_int blocks, pblocks, rem, i; + + j = create_j(this, iv); + cb = increment_be(j); + y = icv_header(this, assoc, alen); + blocks = len / AES_BLOCK_SIZE; + pblocks = blocks - (blocks % GCM_CRYPT_PARALLELISM); + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < pblocks; i += GCM_CRYPT_PARALLELISM) + { + d1 = _mm_loadu_si128(bi + i + 0); + d2 = _mm_loadu_si128(bi + i + 1); + d3 = _mm_loadu_si128(bi + i + 2); + d4 = _mm_loadu_si128(bi + i + 3); + + t1 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t2 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t3 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t4 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t2 = _mm_aesenc_si128(t2, ks[1]); + t3 = _mm_aesenc_si128(t3, ks[1]); + t4 = _mm_aesenc_si128(t4, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t2 = _mm_aesenc_si128(t2, ks[2]); + t3 = _mm_aesenc_si128(t3, ks[2]); + t4 = _mm_aesenc_si128(t4, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t2 = _mm_aesenc_si128(t2, ks[3]); + t3 = _mm_aesenc_si128(t3, ks[3]); + t4 = _mm_aesenc_si128(t4, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t2 = _mm_aesenc_si128(t2, ks[4]); + t3 = _mm_aesenc_si128(t3, ks[4]); + t4 = _mm_aesenc_si128(t4, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t2 = _mm_aesenc_si128(t2, ks[5]); + t3 = _mm_aesenc_si128(t3, ks[5]); + t4 = _mm_aesenc_si128(t4, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t2 = _mm_aesenc_si128(t2, ks[6]); + t3 = _mm_aesenc_si128(t3, ks[6]); + t4 = _mm_aesenc_si128(t4, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t2 = _mm_aesenc_si128(t2, ks[7]); + t3 = _mm_aesenc_si128(t3, ks[7]); + t4 = _mm_aesenc_si128(t4, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t2 = _mm_aesenc_si128(t2, ks[8]); + t3 = _mm_aesenc_si128(t3, ks[8]); + t4 = _mm_aesenc_si128(t4, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t2 = _mm_aesenc_si128(t2, ks[9]); + t3 = _mm_aesenc_si128(t3, ks[9]); + t4 = _mm_aesenc_si128(t4, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t2 = _mm_aesenc_si128(t2, ks[10]); + t3 = _mm_aesenc_si128(t3, ks[10]); + t4 = _mm_aesenc_si128(t4, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + t2 = _mm_aesenc_si128(t2, ks[11]); + t3 = _mm_aesenc_si128(t3, ks[11]); + t4 = _mm_aesenc_si128(t4, ks[11]); + t1 = _mm_aesenc_si128(t1, ks[12]); + t2 = _mm_aesenc_si128(t2, ks[12]); + t3 = _mm_aesenc_si128(t3, ks[12]); + t4 = _mm_aesenc_si128(t4, ks[12]); + t1 = _mm_aesenc_si128(t1, ks[13]); + t2 = _mm_aesenc_si128(t2, ks[13]); + t3 = _mm_aesenc_si128(t3, ks[13]); + t4 = _mm_aesenc_si128(t4, ks[13]); + + t1 = _mm_aesenclast_si128(t1, ks[14]); + t2 = _mm_aesenclast_si128(t2, ks[14]); + t3 = _mm_aesenclast_si128(t3, ks[14]); + t4 = _mm_aesenclast_si128(t4, ks[14]); + + t1 = _mm_xor_si128(t1, d1); + t2 = _mm_xor_si128(t2, d2); + t3 = _mm_xor_si128(t3, d3); + t4 = _mm_xor_si128(t4, d4); + + y = _mm_xor_si128(y, t1); + y = mult4xor(this->hhhh, this->hhh, this->hh, this->h, y, t2, t3, t4); + + _mm_storeu_si128(bo + i + 0, t1); + _mm_storeu_si128(bo + i + 1, t2); + _mm_storeu_si128(bo + i + 2, t3); + _mm_storeu_si128(bo + i + 3, t4); + } + + for (i = pblocks; i < blocks; i++) + { + d1 = _mm_loadu_si128(bi + i); + + t1 = _mm_xor_si128(cb, ks[0]); + t1 = _mm_aesenc_si128(t1, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + t1 = _mm_aesenc_si128(t1, ks[12]); + t1 = _mm_aesenc_si128(t1, ks[13]); + t1 = _mm_aesenclast_si128(t1, ks[14]); + + t1 = _mm_xor_si128(t1, d1); + _mm_storeu_si128(bo + i, t1); + + y = ghash(this->h, y, t1); + + cb = increment_be(cb); + } + + if (rem) + { + y = encrypt_gcm_rem(this, rem, bi + blocks, bo + blocks, cb, y); + } + y = icv_tailer(this, y, alen, len); + icv_crypt(this, y, j, icv); +} + +/** + * AES-256 GCM decryption/ICV generation + */ +static void decrypt_gcm256(private_aesni_gcm_t *this, + size_t len, u_char *in, u_char *out, u_char *iv, + size_t alen, u_char *assoc, u_char *icv) +{ + __m128i d1, d2, d3, d4, t1, t2, t3, t4; + __m128i *ks, y, j, cb, *bi, *bo; + u_int blocks, pblocks, rem, i; + + j = create_j(this, iv); + cb = increment_be(j); + y = icv_header(this, assoc, alen); + blocks = len / AES_BLOCK_SIZE; + pblocks = blocks - (blocks % GCM_CRYPT_PARALLELISM); + rem = len % AES_BLOCK_SIZE; + bi = (__m128i*)in; + bo = (__m128i*)out; + + ks = this->key->schedule; + + for (i = 0; i < pblocks; i += GCM_CRYPT_PARALLELISM) + { + d1 = _mm_loadu_si128(bi + i + 0); + d2 = _mm_loadu_si128(bi + i + 1); + d3 = _mm_loadu_si128(bi + i + 2); + d4 = _mm_loadu_si128(bi + i + 3); + + y = _mm_xor_si128(y, d1); + y = mult4xor(this->hhhh, this->hhh, this->hh, this->h, y, d2, d3, d4); + + t1 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t2 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t3 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + t4 = _mm_xor_si128(cb, ks[0]); + cb = increment_be(cb); + + t1 = _mm_aesenc_si128(t1, ks[1]); + t2 = _mm_aesenc_si128(t2, ks[1]); + t3 = _mm_aesenc_si128(t3, ks[1]); + t4 = _mm_aesenc_si128(t4, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t2 = _mm_aesenc_si128(t2, ks[2]); + t3 = _mm_aesenc_si128(t3, ks[2]); + t4 = _mm_aesenc_si128(t4, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t2 = _mm_aesenc_si128(t2, ks[3]); + t3 = _mm_aesenc_si128(t3, ks[3]); + t4 = _mm_aesenc_si128(t4, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t2 = _mm_aesenc_si128(t2, ks[4]); + t3 = _mm_aesenc_si128(t3, ks[4]); + t4 = _mm_aesenc_si128(t4, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t2 = _mm_aesenc_si128(t2, ks[5]); + t3 = _mm_aesenc_si128(t3, ks[5]); + t4 = _mm_aesenc_si128(t4, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t2 = _mm_aesenc_si128(t2, ks[6]); + t3 = _mm_aesenc_si128(t3, ks[6]); + t4 = _mm_aesenc_si128(t4, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t2 = _mm_aesenc_si128(t2, ks[7]); + t3 = _mm_aesenc_si128(t3, ks[7]); + t4 = _mm_aesenc_si128(t4, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t2 = _mm_aesenc_si128(t2, ks[8]); + t3 = _mm_aesenc_si128(t3, ks[8]); + t4 = _mm_aesenc_si128(t4, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t2 = _mm_aesenc_si128(t2, ks[9]); + t3 = _mm_aesenc_si128(t3, ks[9]); + t4 = _mm_aesenc_si128(t4, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t2 = _mm_aesenc_si128(t2, ks[10]); + t3 = _mm_aesenc_si128(t3, ks[10]); + t4 = _mm_aesenc_si128(t4, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + t2 = _mm_aesenc_si128(t2, ks[11]); + t3 = _mm_aesenc_si128(t3, ks[11]); + t4 = _mm_aesenc_si128(t4, ks[11]); + t1 = _mm_aesenc_si128(t1, ks[12]); + t2 = _mm_aesenc_si128(t2, ks[12]); + t3 = _mm_aesenc_si128(t3, ks[12]); + t4 = _mm_aesenc_si128(t4, ks[12]); + t1 = _mm_aesenc_si128(t1, ks[13]); + t2 = _mm_aesenc_si128(t2, ks[13]); + t3 = _mm_aesenc_si128(t3, ks[13]); + t4 = _mm_aesenc_si128(t4, ks[13]); + + t1 = _mm_aesenclast_si128(t1, ks[14]); + t2 = _mm_aesenclast_si128(t2, ks[14]); + t3 = _mm_aesenclast_si128(t3, ks[14]); + t4 = _mm_aesenclast_si128(t4, ks[14]); + + t1 = _mm_xor_si128(t1, d1); + t2 = _mm_xor_si128(t2, d2); + t3 = _mm_xor_si128(t3, d3); + t4 = _mm_xor_si128(t4, d4); + + _mm_storeu_si128(bo + i + 0, t1); + _mm_storeu_si128(bo + i + 1, t2); + _mm_storeu_si128(bo + i + 2, t3); + _mm_storeu_si128(bo + i + 3, t4); + } + + for (i = pblocks; i < blocks; i++) + { + d1 = _mm_loadu_si128(bi + i); + + y = ghash(this->h, y, d1); + + t1 = _mm_xor_si128(cb, ks[0]); + t1 = _mm_aesenc_si128(t1, ks[1]); + t1 = _mm_aesenc_si128(t1, ks[2]); + t1 = _mm_aesenc_si128(t1, ks[3]); + t1 = _mm_aesenc_si128(t1, ks[4]); + t1 = _mm_aesenc_si128(t1, ks[5]); + t1 = _mm_aesenc_si128(t1, ks[6]); + t1 = _mm_aesenc_si128(t1, ks[7]); + t1 = _mm_aesenc_si128(t1, ks[8]); + t1 = _mm_aesenc_si128(t1, ks[9]); + t1 = _mm_aesenc_si128(t1, ks[10]); + t1 = _mm_aesenc_si128(t1, ks[11]); + t1 = _mm_aesenc_si128(t1, ks[12]); + t1 = _mm_aesenc_si128(t1, ks[13]); + t1 = _mm_aesenclast_si128(t1, ks[14]); + + t1 = _mm_xor_si128(t1, d1); + _mm_storeu_si128(bo + i, t1); + + cb = increment_be(cb); + } + + if (rem) + { + y = decrypt_gcm_rem(this, rem, bi + blocks, bo + blocks, cb, y); + } + y = icv_tailer(this, y, alen, len); + icv_crypt(this, y, j, icv); +} + +METHOD(aead_t, encrypt, bool, + private_aesni_gcm_t *this, chunk_t plain, chunk_t assoc, chunk_t iv, + chunk_t *encr) +{ + u_char *out; + + if (!this->key || iv.len != IV_SIZE) + { + return FALSE; + } + out = plain.ptr; + if (encr) + { + *encr = chunk_alloc(plain.len + this->icv_size); + out = encr->ptr; + } + this->encrypt(this, plain.len, plain.ptr, out, iv.ptr, + assoc.len, assoc.ptr, out + plain.len); + return TRUE; +} + +METHOD(aead_t, decrypt, bool, + private_aesni_gcm_t *this, chunk_t encr, chunk_t assoc, chunk_t iv, + chunk_t *plain) +{ + u_char *out, icv[this->icv_size]; + + if (!this->key || iv.len != IV_SIZE || encr.len < this->icv_size) + { + return FALSE; + } + encr.len -= this->icv_size; + out = encr.ptr; + if (plain) + { + *plain = chunk_alloc(encr.len); + out = plain->ptr; + } + this->decrypt(this, encr.len, encr.ptr, out, iv.ptr, + assoc.len, assoc.ptr, icv); + return memeq_const(icv, encr.ptr + encr.len, this->icv_size); +} + +METHOD(aead_t, get_block_size, size_t, + private_aesni_gcm_t *this) +{ + return 1; +} + +METHOD(aead_t, get_icv_size, size_t, + private_aesni_gcm_t *this) +{ + return this->icv_size; +} + +METHOD(aead_t, get_iv_size, size_t, + private_aesni_gcm_t *this) +{ + return IV_SIZE; +} + +METHOD(aead_t, get_iv_gen, iv_gen_t*, + private_aesni_gcm_t *this) +{ + return this->iv_gen; +} + +METHOD(aead_t, get_key_size, size_t, + private_aesni_gcm_t *this) +{ + return this->key_size + SALT_SIZE; +} + +METHOD(aead_t, set_key, bool, + private_aesni_gcm_t *this, chunk_t key) +{ + u_int round; + __m128i *ks, h; + + if (key.len != this->key_size + SALT_SIZE) + { + return FALSE; + } + + memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE); + key.len -= SALT_SIZE; + + DESTROY_IF(this->key); + this->key = aesni_key_create(TRUE, key); + + ks = this->key->schedule; + h = _mm_xor_si128(_mm_setzero_si128(), ks[0]); + for (round = 1; round < this->key->rounds; round++) + { + h = _mm_aesenc_si128(h, ks[round]); + } + h = _mm_aesenclast_si128(h, ks[this->key->rounds]); + + this->h = h; + h = swap128(h); + this->hh = mult_block(h, this->h); + this->hhh = mult_block(h, this->hh); + this->hhhh = mult_block(h, this->hhh); + this->h = swap128(this->h); + this->hh = swap128(this->hh); + this->hhh = swap128(this->hhh); + this->hhhh = swap128(this->hhhh); + + return TRUE; +} + +METHOD(aead_t, destroy, void, + private_aesni_gcm_t *this) +{ + DESTROY_IF(this->key); + memwipe(&this->h, sizeof(this->h)); + memwipe(&this->hh, sizeof(this->hh)); + memwipe(&this->hhh, sizeof(this->hhh)); + memwipe(&this->hhhh, sizeof(this->hhhh)); + this->iv_gen->destroy(this->iv_gen); + free_align(this); +} + +/** + * See header + */ +aesni_gcm_t *aesni_gcm_create(encryption_algorithm_t algo, + size_t key_size, size_t salt_size) +{ + private_aesni_gcm_t *this; + size_t icv_size; + + switch (key_size) + { + case 0: + key_size = 16; + break; + case 16: + case 24: + case 32: + break; + default: + return NULL; + } + if (salt_size && salt_size != SALT_SIZE) + { + /* currently not supported */ + return NULL; + } + switch (algo) + { + case ENCR_AES_GCM_ICV8: + algo = ENCR_AES_CBC; + icv_size = 8; + break; + case ENCR_AES_GCM_ICV12: + algo = ENCR_AES_CBC; + icv_size = 12; + break; + case ENCR_AES_GCM_ICV16: + algo = ENCR_AES_CBC; + icv_size = 16; + break; + default: + return NULL; + } + + INIT_ALIGN(this, sizeof(__m128i), + .public = { + .aead = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_icv_size = _get_icv_size, + .get_iv_size = _get_iv_size, + .get_iv_gen = _get_iv_gen, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .key_size = key_size, + .iv_gen = iv_gen_seq_create(), + .icv_size = icv_size, + ); + + switch (key_size) + { + case 16: + this->encrypt = encrypt_gcm128; + this->decrypt = decrypt_gcm128; + break; + case 24: + this->encrypt = encrypt_gcm192; + this->decrypt = decrypt_gcm192; + break; + case 32: + this->encrypt = encrypt_gcm256; + this->decrypt = decrypt_gcm256; + break; + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/aesni/aesni_gcm.h b/src/libstrongswan/plugins/aesni/aesni_gcm.h new file mode 100644 index 000000000..5a256c8db --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_gcm.h @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup aesni_gcm aesni_gcm + * @{ @ingroup aesni + */ + +#ifndef AESNI_GCM_H_ +#define AESNI_GCM_H_ + +#include + +typedef struct aesni_gcm_t aesni_gcm_t; + +/** + * GCM mode AEAD using AES-NI + */ +struct aesni_gcm_t { + + /** + * Implements aead_t interface + */ + aead_t aead; +}; + +/** + * Create a aesni_gcm instance. + * + * @param algo encryption algorithm, ENCR_AES_GCM* + * @param key_size AES key size, in bytes + * @param salt_size size of salt value + * @return AES-GCM AEAD, NULL if not supported + */ +aesni_gcm_t *aesni_gcm_create(encryption_algorithm_t algo, + size_t key_size, size_t salt_size); + +#endif /** AESNI_GCM_H_ @}*/ diff --git a/src/libstrongswan/plugins/aesni/aesni_key.c b/src/libstrongswan/plugins/aesni/aesni_key.c new file mode 100644 index 000000000..523266a30 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_key.c @@ -0,0 +1,301 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "aesni_key.h" + +/** + * Rounds used for each AES key size + */ +#define AES128_ROUNDS 10 +#define AES192_ROUNDS 12 +#define AES256_ROUNDS 14 + +typedef struct private_aesni_key_t private_aesni_key_t; + +/** + * Private data of an aesni_key_t object. + */ +struct private_aesni_key_t { + + /** + * Public aesni_key_t interface. + */ + aesni_key_t public; +}; + +/** + * Invert round encryption keys to get a decryption key schedule + */ +static void reverse_key(aesni_key_t *this) +{ + __m128i t[this->rounds + 1]; + int i; + + for (i = 0; i <= this->rounds; i++) + { + t[i] = this->schedule[i]; + } + this->schedule[this->rounds] = t[0]; + for (i = 1; i < this->rounds; i++) + { + this->schedule[this->rounds - i] = _mm_aesimc_si128(t[i]); + } + this->schedule[0] = t[this->rounds]; + + memwipe(t, sizeof(t)); +} + +/** + * Assist in creating a 128-bit round key + */ +static __m128i assist128(__m128i a, __m128i b) +{ + __m128i c; + + b = _mm_shuffle_epi32(b ,0xff); + c = _mm_slli_si128(a, 0x04); + a = _mm_xor_si128(a, c); + c = _mm_slli_si128(c, 0x04); + a = _mm_xor_si128(a, c); + c = _mm_slli_si128(c, 0x04); + a = _mm_xor_si128(a, c); + a = _mm_xor_si128(a, b); + + return a; +} + +/** + * Expand a 128-bit key to encryption round keys + */ +static void expand128(__m128i *key, __m128i *schedule) +{ + __m128i t; + + schedule[0] = t = _mm_loadu_si128(key); + schedule[1] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x01)); + schedule[2] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x02)); + schedule[3] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x04)); + schedule[4] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x08)); + schedule[5] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x10)); + schedule[6] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x20)); + schedule[7] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x40)); + schedule[8] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x80)); + schedule[9] = t = assist128(t, _mm_aeskeygenassist_si128(t, 0x1b)); + schedule[10] = assist128(t, _mm_aeskeygenassist_si128(t, 0x36)); +} + +/** + * Assist in creating a 192-bit round key + */ +static __m128i assist192(__m128i b, __m128i c, __m128i *a) +{ + __m128i t; + + b = _mm_shuffle_epi32(b, 0x55); + t = _mm_slli_si128(*a, 0x04); + *a = _mm_xor_si128(*a, t); + t = _mm_slli_si128(t, 0x04); + *a = _mm_xor_si128(*a, t); + t = _mm_slli_si128(t, 0x04); + *a = _mm_xor_si128(*a, t); + *a = _mm_xor_si128(*a, b); + b = _mm_shuffle_epi32(*a, 0xff); + t = _mm_slli_si128(c, 0x04); + t = _mm_xor_si128(c, t); + t = _mm_xor_si128(t, b); + + return t; +} + +/** + * return a[63:0] | b[63:0] << 64 + */ +static __m128i _mm_shuffle_i00(__m128i a, __m128i b) +{ + return (__m128i)_mm_shuffle_pd((__m128d)a, (__m128d)b, 0); +} + +/** + * return a[127:64] >> 64 | b[63:0] << 64 + */ +static __m128i _mm_shuffle_i01(__m128i a, __m128i b) +{ + return (__m128i)_mm_shuffle_pd((__m128d)a, (__m128d)b, 1); +} + +/** + * Expand a 192-bit encryption key to round keys + */ +static void expand192(__m128i *key, __m128i *schedule) +{ + __m128i t1, t2, t3; + + schedule[0] = t1 = _mm_loadu_si128(key); + t2 = t3 = _mm_loadu_si128(key + 1); + + t2 = assist192(_mm_aeskeygenassist_si128(t2, 0x1), t2, &t1); + schedule[1] = _mm_shuffle_i00(t3, t1); + schedule[2] = _mm_shuffle_i01(t1, t2); + t2 = t3 = assist192(_mm_aeskeygenassist_si128(t2, 0x2), t2, &t1); + schedule[3] = t1; + + t2 = assist192(_mm_aeskeygenassist_si128(t2, 0x4), t2, &t1); + schedule[4] = _mm_shuffle_i00(t3, t1); + schedule[5] = _mm_shuffle_i01(t1, t2); + t2 = t3 = assist192(_mm_aeskeygenassist_si128(t2, 0x8), t2, &t1); + schedule[6] = t1; + + t2 = assist192(_mm_aeskeygenassist_si128 (t2,0x10), t2, &t1); + schedule[7] = _mm_shuffle_i00(t3, t1); + schedule[8] = _mm_shuffle_i01(t1, t2); + t2 = t3 = assist192(_mm_aeskeygenassist_si128 (t2,0x20), t2, &t1); + schedule[9] = t1; + + t2 = assist192(_mm_aeskeygenassist_si128(t2, 0x40), t2, &t1); + schedule[10] = _mm_shuffle_i00(t3, t1); + schedule[11] = _mm_shuffle_i01(t1, t2); + assist192(_mm_aeskeygenassist_si128(t2, 0x80), t2, &t1); + schedule[12] = t1; +} + +/** + * Assist in creating a 256-bit round key + */ +static __m128i assist256_1(__m128i a, __m128i b) +{ + __m128i x, y; + + b = _mm_shuffle_epi32(b, 0xff); + y = _mm_slli_si128(a, 0x04); + x = _mm_xor_si128(a, y); + y = _mm_slli_si128(y, 0x04); + x = _mm_xor_si128 (x, y); + y = _mm_slli_si128(y, 0x04); + x = _mm_xor_si128(x, y); + x = _mm_xor_si128(x, b); + + return x; +} + +/** + * Assist in creating a 256-bit round key + */ +static __m128i assist256_2(__m128i a, __m128i b) +{ + __m128i x, y, z; + + y = _mm_aeskeygenassist_si128(a, 0x00); + z = _mm_shuffle_epi32(y, 0xaa); + y = _mm_slli_si128(b, 0x04); + x = _mm_xor_si128(b, y); + y = _mm_slli_si128(y, 0x04); + x = _mm_xor_si128(x, y); + y = _mm_slli_si128(y, 0x04); + x = _mm_xor_si128(x, y); + x = _mm_xor_si128(x, z); + + return x; +} + +/** + * Expand a 256-bit encryption key to round keys + */ +static void expand256(__m128i *key, __m128i *schedule) +{ + __m128i t1, t2; + + schedule[0] = t1 = _mm_loadu_si128(key); + schedule[1] = t2 = _mm_loadu_si128(key + 1); + + schedule[2] = t1 = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x01)); + schedule[3] = t2 = assist256_2(t1, t2); + + schedule[4] = t1 = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x02)); + schedule[5] = t2 = assist256_2(t1, t2); + + schedule[6] = t1 = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x04)); + schedule[7] = t2 = assist256_2(t1, t2); + + schedule[8] = t1 = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x08)); + schedule[9] = t2 = assist256_2(t1, t2); + + schedule[10] = t1 = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x10)); + schedule[11] = t2 = assist256_2(t1, t2); + + schedule[12] = t1 = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x20)); + schedule[13] = t2 = assist256_2(t1, t2); + + schedule[14] = assist256_1(t1, _mm_aeskeygenassist_si128(t2, 0x40)); +} + +METHOD(aesni_key_t, destroy, void, + private_aesni_key_t *this) +{ + memwipe(this, sizeof(*this) + (this->public.rounds + 1) * AES_BLOCK_SIZE); + free_align(this); +} + +/** + * See header + */ +aesni_key_t *aesni_key_create(bool encrypt, chunk_t key) +{ + private_aesni_key_t *this; + int rounds; + + switch (key.len) + { + case 16: + rounds = AES128_ROUNDS; + break; + case 24: + rounds = AES192_ROUNDS; + break; + case 32: + rounds = AES256_ROUNDS; + break; + default: + return NULL; + } + + INIT_EXTRA_ALIGN(this, (rounds + 1) * AES_BLOCK_SIZE, sizeof(__m128i), + .public = { + .destroy = _destroy, + .rounds = rounds, + }, + ); + + switch (key.len) + { + case 16: + expand128((__m128i*)key.ptr, this->public.schedule); + break; + case 24: + expand192((__m128i*)key.ptr, this->public.schedule); + break; + case 32: + expand256((__m128i*)key.ptr, this->public.schedule); + break; + default: + break; + } + + if (!encrypt) + { + reverse_key(&this->public); + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/aesni/aesni_key.h b/src/libstrongswan/plugins/aesni/aesni_key.h new file mode 100644 index 000000000..12dcd221d --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_key.h @@ -0,0 +1,65 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup aesni_key aesni_key + * @{ @ingroup aesni + */ + +#ifndef AESNI_KEY_H_ +#define AESNI_KEY_H_ + +#include + +#include + +/** + * AES block size, in bytes + */ +#define AES_BLOCK_SIZE 16 + +typedef struct aesni_key_t aesni_key_t; + +/** + * Key schedule for encryption/decryption using on AES-NI. + */ +struct aesni_key_t { + + /** + * Destroy a aesni_key_t. + */ + void (*destroy)(aesni_key_t *this); + + /** + * Number of AES rounds (10, 12, 14) + */ + int rounds; + + /** + * Key schedule, for each round + the round 0 (whitening) + */ + __attribute__((aligned(sizeof(__m128i)))) __m128i schedule[]; +}; + +/** + * Create a AESNI key schedule instance. + * + * @param encrypt TRUE for encryption schedule, FALSE for decryption + * @param key non-expanded crypto key, 16, 24 or 32 bytes + * @return key schedule, NULL on invalid key size + */ +aesni_key_t *aesni_key_create(bool encrypt, chunk_t key); + +#endif /** AESNI_KEY_H_ @}*/ diff --git a/src/libstrongswan/plugins/aesni/aesni_plugin.c b/src/libstrongswan/plugins/aesni/aesni_plugin.c new file mode 100644 index 000000000..b92419dc4 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_plugin.c @@ -0,0 +1,125 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "aesni_plugin.h" +#include "aesni_cbc.h" +#include "aesni_ctr.h" +#include "aesni_ccm.h" +#include "aesni_gcm.h" +#include "aesni_xcbc.h" +#include "aesni_cmac.h" + +#include + +#include +#include +#include + +typedef struct private_aesni_plugin_t private_aesni_plugin_t; +typedef enum cpuid_feature_t cpuid_feature_t; + +/** + * private data of aesni_plugin + */ +struct private_aesni_plugin_t { + + /** + * public functions + */ + aesni_plugin_t public; +}; + +METHOD(plugin_t, get_name, char*, + private_aesni_plugin_t *this) +{ + return "aesni"; +} + +METHOD(plugin_t, get_features, int, + private_aesni_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_REGISTER(CRYPTER, aesni_cbc_create), + PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 16), + PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 24), + PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 32), + PLUGIN_REGISTER(CRYPTER, aesni_ctr_create), + PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CTR, 16), + PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CTR, 24), + PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CTR, 32), + PLUGIN_REGISTER(AEAD, aesni_ccm_create), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV8, 32), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV12, 32), + PLUGIN_PROVIDE(AEAD, ENCR_AES_CCM_ICV16, 32), + PLUGIN_REGISTER(AEAD, aesni_gcm_create), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32), + PLUGIN_REGISTER(PRF, aesni_xcbc_prf_create), + PLUGIN_PROVIDE(PRF, PRF_AES128_XCBC), + PLUGIN_REGISTER(SIGNER, aesni_xcbc_signer_create), + PLUGIN_PROVIDE(SIGNER, AUTH_AES_XCBC_96), + PLUGIN_REGISTER(PRF, aesni_cmac_prf_create), + PLUGIN_PROVIDE(PRF, PRF_AES128_CMAC), + PLUGIN_REGISTER(SIGNER, aesni_cmac_signer_create), + PLUGIN_PROVIDE(SIGNER, AUTH_AES_CMAC_96), + }; + + *features = f; + if (cpu_feature_available(CPU_FEATURE_AESNI | CPU_FEATURE_PCLMULQDQ)) + { + return countof(f); + } + return 0; +} + +METHOD(plugin_t, destroy, void, + private_aesni_plugin_t *this) +{ + free(this); +} + +/* + * see header file + */ +plugin_t *aesni_plugin_create() +{ + private_aesni_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .reload = (void*)return_false, + .destroy = _destroy, + }, + }, + ); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/aesni/aesni_plugin.h b/src/libstrongswan/plugins/aesni/aesni_plugin.h new file mode 100644 index 000000000..2b0c92c25 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup aesni aesni + * @ingroup plugins + * + * @defgroup aesni_plugin aesni_plugin + * @{ @ingroup aesni + */ + +#ifndef AESNI_PLUGIN_H_ +#define AESNI_PLUGIN_H_ + +#include + +typedef struct aesni_plugin_t aesni_plugin_t; + +/** + * Plugin providing crypto primitives based on Intel AES-NI instructions. + */ +struct aesni_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** AESNI_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/aesni/aesni_xcbc.c b/src/libstrongswan/plugins/aesni/aesni_xcbc.c new file mode 100644 index 000000000..24a75cec0 --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_xcbc.c @@ -0,0 +1,367 @@ +/* + * Copyright (C) 2008-2015 Martin Willi + * Copyright (C) 2012 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "aesni_xcbc.h" +#include "aesni_key.h" + +#include +#include + +typedef struct private_aesni_mac_t private_aesni_mac_t; + +/** + * Private data of a mac_t object. + */ +struct private_aesni_mac_t { + + /** + * Public mac_t interface. + */ + mac_t public; + + /** + * Key schedule for K1 + */ + aesni_key_t *k1; + + /** + * k2 + */ + __m128i k2; + + /** + * k3 + */ + __m128i k3; + + /** + * E + */ + __m128i e; + + /** + * remaining, unprocessed bytes in append mode + */ + u_char rem[AES_BLOCK_SIZE]; + + /** + * number of bytes used in remaining + */ + int rem_size; + + /** + * TRUE if we have zero bytes to xcbc in final() + */ + bool zero; +}; + +METHOD(mac_t, get_mac, bool, + private_aesni_mac_t *this, chunk_t data, u_int8_t *out) +{ + __m128i *ks, e, *bi; + u_int blocks, rem, i; + + if (!this->k1) + { + return FALSE; + } + + ks = this->k1->schedule; + + e = this->e; + + if (data.len) + { + this->zero = FALSE; + } + + if (this->rem_size + data.len > AES_BLOCK_SIZE) + { + /* (3) For each block M[i], where i = 1 ... n-1: + * XOR M[i] with E[i-1], then encrypt the result with Key K1, + * yielding E[i]. + */ + + /* append data to remaining bytes, process block M[1] */ + memcpy(this->rem + this->rem_size, data.ptr, + AES_BLOCK_SIZE - this->rem_size); + data = chunk_skip(data, AES_BLOCK_SIZE - this->rem_size); + + e = _mm_xor_si128(e, _mm_loadu_si128((__m128i*)this->rem)); + + e = _mm_xor_si128(e, ks[0]); + e = _mm_aesenc_si128(e, ks[1]); + e = _mm_aesenc_si128(e, ks[2]); + e = _mm_aesenc_si128(e, ks[3]); + e = _mm_aesenc_si128(e, ks[4]); + e = _mm_aesenc_si128(e, ks[5]); + e = _mm_aesenc_si128(e, ks[6]); + e = _mm_aesenc_si128(e, ks[7]); + e = _mm_aesenc_si128(e, ks[8]); + e = _mm_aesenc_si128(e, ks[9]); + e = _mm_aesenclast_si128(e, ks[10]); + + bi = (__m128i*)data.ptr; + rem = data.len % AES_BLOCK_SIZE; + blocks = data.len / AES_BLOCK_SIZE; + if (!rem && blocks) + { /* don't do last block */ + rem = AES_BLOCK_SIZE; + blocks--; + } + + /* process blocks M[2] ... M[n-1] */ + for (i = 0; i < blocks; i++) + { + e = _mm_xor_si128(e, _mm_loadu_si128(bi + i)); + + e = _mm_xor_si128(e, ks[0]); + e = _mm_aesenc_si128(e, ks[1]); + e = _mm_aesenc_si128(e, ks[2]); + e = _mm_aesenc_si128(e, ks[3]); + e = _mm_aesenc_si128(e, ks[4]); + e = _mm_aesenc_si128(e, ks[5]); + e = _mm_aesenc_si128(e, ks[6]); + e = _mm_aesenc_si128(e, ks[7]); + e = _mm_aesenc_si128(e, ks[8]); + e = _mm_aesenc_si128(e, ks[9]); + e = _mm_aesenclast_si128(e, ks[10]); + } + + /* store remaining bytes of block M[n] */ + memcpy(this->rem, data.ptr + data.len - rem, rem); + this->rem_size = rem; + } + else + { + /* no complete block, just copy into remaining */ + memcpy(this->rem + this->rem_size, data.ptr, data.len); + this->rem_size += data.len; + } + + if (out) + { + /* (4) For block M[n]: */ + if (this->rem_size == AES_BLOCK_SIZE && !this->zero) + { + /* a) If the blocksize of M[n] is 128 bits: + * XOR M[n] with E[n-1] and Key K2, then encrypt the result with + * Key K1, yielding E[n]. + */ + e = _mm_xor_si128(e, this->k2); + } + else + { + /* b) If the blocksize of M[n] is less than 128 bits: + * + * i) Pad M[n] with a single "1" bit, followed by the number of + * "0" bits (possibly none) required to increase M[n]'s + * blocksize to 128 bits. + */ + if (this->rem_size < AES_BLOCK_SIZE) + { + memset(this->rem + this->rem_size, 0, + AES_BLOCK_SIZE - this->rem_size); + this->rem[this->rem_size] = 0x80; + } + /* ii) XOR M[n] with E[n-1] and Key K3, then encrypt the result + * with Key K1, yielding E[n]. + */ + e = _mm_xor_si128(e, this->k3); + } + e = _mm_xor_si128(e, _mm_loadu_si128((__m128i*)this->rem)); + + e = _mm_xor_si128(e, ks[0]); + e = _mm_aesenc_si128(e, ks[1]); + e = _mm_aesenc_si128(e, ks[2]); + e = _mm_aesenc_si128(e, ks[3]); + e = _mm_aesenc_si128(e, ks[4]); + e = _mm_aesenc_si128(e, ks[5]); + e = _mm_aesenc_si128(e, ks[6]); + e = _mm_aesenc_si128(e, ks[7]); + e = _mm_aesenc_si128(e, ks[8]); + e = _mm_aesenc_si128(e, ks[9]); + e = _mm_aesenclast_si128(e, ks[10]); + _mm_storeu_si128((__m128i*)out, e); + + /* (2) Define E[0] = 0x00000000000000000000000000000000 */ + e = _mm_setzero_si128(); + this->rem_size = 0; + this->zero = TRUE; + } + this->e = e; + return TRUE; +} + +METHOD(mac_t, get_mac_size, size_t, + private_aesni_mac_t *this) +{ + return AES_BLOCK_SIZE; +} + +METHOD(mac_t, set_key, bool, + private_aesni_mac_t *this, chunk_t key) +{ + __m128i t1, t2, t3; + u_char k1[AES_BLOCK_SIZE]; + u_int round; + chunk_t k; + + /* reset state */ + this->e = _mm_setzero_si128(); + this->rem_size = 0; + this->zero = TRUE; + + /* Create RFC4434 variable keys if required */ + if (key.len == AES_BLOCK_SIZE) + { + k = key; + } + else if (key.len < AES_BLOCK_SIZE) + { /* pad short keys */ + k = chunk_alloca(AES_BLOCK_SIZE); + memset(k.ptr, 0, k.len); + memcpy(k.ptr, key.ptr, key.len); + } + else + { /* shorten key using XCBC */ + k = chunk_alloca(AES_BLOCK_SIZE); + memset(k.ptr, 0, k.len); + if (!set_key(this, k) || !get_mac(this, key, k.ptr)) + { + return FALSE; + } + } + + /* + * (1) Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret + * key K, as follows: + * K1 = 0x01010101010101010101010101010101 encrypted with Key K + * K2 = 0x02020202020202020202020202020202 encrypted with Key K + * K3 = 0x03030303030303030303030303030303 encrypted with Key K + */ + + DESTROY_IF(this->k1); + this->k1 = aesni_key_create(TRUE, k); + if (!this->k1) + { + return FALSE; + } + + t1 = _mm_set1_epi8(0x01); + t2 = _mm_set1_epi8(0x02); + t3 = _mm_set1_epi8(0x03); + + t1 = _mm_xor_si128(t1, this->k1->schedule[0]); + t2 = _mm_xor_si128(t2, this->k1->schedule[0]); + t3 = _mm_xor_si128(t3, this->k1->schedule[0]); + + for (round = 1; round < this->k1->rounds; round++) + { + t1 = _mm_aesenc_si128(t1, this->k1->schedule[round]); + t2 = _mm_aesenc_si128(t2, this->k1->schedule[round]); + t3 = _mm_aesenc_si128(t3, this->k1->schedule[round]); + } + + t1 = _mm_aesenclast_si128(t1, this->k1->schedule[this->k1->rounds]); + t2 = _mm_aesenclast_si128(t2, this->k1->schedule[this->k1->rounds]); + t3 = _mm_aesenclast_si128(t3, this->k1->schedule[this->k1->rounds]); + + _mm_storeu_si128((__m128i*)k1, t1); + this->k2 = t2; + this->k3 = t3; + + this->k1->destroy(this->k1); + this->k1 = aesni_key_create(TRUE, chunk_from_thing(k1)); + + memwipe(k1, AES_BLOCK_SIZE); + return this->k1 != NULL; +} + +METHOD(mac_t, destroy, void, + private_aesni_mac_t *this) +{ + DESTROY_IF(this->k1); + memwipe(&this->k2, sizeof(this->k2)); + memwipe(&this->k3, sizeof(this->k3)); + free_align(this); +} + +/* + * Described in header + */ +mac_t *aesni_xcbc_create(encryption_algorithm_t algo, size_t key_size) +{ + private_aesni_mac_t *this; + + INIT_ALIGN(this, sizeof(__m128i), + .public = { + .get_mac = _get_mac, + .get_mac_size = _get_mac_size, + .set_key = _set_key, + .destroy = _destroy, + }, + ); + + return &this->public; +} + +/* + * Described in header. + */ +prf_t *aesni_xcbc_prf_create(pseudo_random_function_t algo) +{ + mac_t *xcbc; + + switch (algo) + { + case PRF_AES128_XCBC: + xcbc = aesni_xcbc_create(ENCR_AES_CBC, 16); + break; + default: + return NULL; + } + if (xcbc) + { + return mac_prf_create(xcbc); + } + return NULL; +} + +/* + * Described in header + */ +signer_t *aesni_xcbc_signer_create(integrity_algorithm_t algo) +{ + size_t trunc; + mac_t *xcbc; + + switch (algo) + { + case AUTH_AES_XCBC_96: + xcbc = aesni_xcbc_create(ENCR_AES_CBC, 16); + trunc = 12; + break; + default: + return NULL; + } + if (xcbc) + { + return mac_signer_create(xcbc, trunc); + } + return NULL; +} diff --git a/src/libstrongswan/plugins/aesni/aesni_xcbc.h b/src/libstrongswan/plugins/aesni/aesni_xcbc.h new file mode 100644 index 000000000..53f559feb --- /dev/null +++ b/src/libstrongswan/plugins/aesni/aesni_xcbc.h @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup aesni_xcbc aesni_xcbc + * @{ @ingroup aesni + */ + +#ifndef AESNI_XCBC_H_ +#define AESNI_XCBC_H_ + +#include +#include +#include + +/** + * Create a generic mac_t object using AESNI XCBC + * + * @param algo underlying encryption algorithm + * @param key_size size of encryption key, in bytes + */ +mac_t *aesni_xcbc_create(encryption_algorithm_t algo, size_t key_size); + +/** + * Creates a new prf_t object based AESNI XCBC. + * + * @param algo algorithm to implement + * @return prf_t object, NULL if not supported + */ +prf_t *aesni_xcbc_prf_create(pseudo_random_function_t algo); + +/** + * Creates a new signer_t object based on AESNI XCBC. + * + * @param algo algorithm to implement + * @return signer_t, NULL if not supported + */ +signer_t *aesni_xcbc_signer_create(integrity_algorithm_t algo); + +#endif /** AESNI_XCBC_H_ @}*/ diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.c b/src/libstrongswan/plugins/af_alg/af_alg_signer.c index 9ad01103a..1403144ab 100644 --- a/src/libstrongswan/plugins/af_alg/af_alg_signer.c +++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.c @@ -138,7 +138,7 @@ METHOD(signer_t, verify_signature, bool, { return FALSE; } - return memeq(signature.ptr, sig, signature.len); + return memeq_const(signature.ptr, sig, signature.len); } METHOD(signer_t, get_key_size, size_t, diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.c b/src/libstrongswan/plugins/ccm/ccm_aead.c index 6d4b2e13c..676d67681 100644 --- a/src/libstrongswan/plugins/ccm/ccm_aead.c +++ b/src/libstrongswan/plugins/ccm/ccm_aead.c @@ -256,7 +256,7 @@ static bool verify_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc, char buf[this->icv_size]; return create_icv(this, plain, assoc, iv, buf) && - memeq(buf, icv, this->icv_size); + memeq_const(buf, icv, this->icv_size); } METHOD(aead_t, encrypt, bool, diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c index 25accf996..92977909e 100644 --- a/src/libstrongswan/plugins/fips_prf/fips_prf.c +++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c @@ -15,8 +15,6 @@ #include "fips_prf.h" -#include - #include typedef struct private_fips_prf_t private_fips_prf_t; diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c index 4ab17017f..6e1694a34 100644 --- a/src/libstrongswan/plugins/gcm/gcm_aead.c +++ b/src/libstrongswan/plugins/gcm/gcm_aead.c @@ -276,7 +276,7 @@ static bool verify_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt, char tmp[this->icv_size]; return create_icv(this, assoc, crypt, j, tmp) && - memeq(tmp, icv, this->icv_size); + memeq_const(tmp, icv, this->icv_size); } METHOD(aead_t, encrypt, bool, diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c index 744ec0bbf..cee25ea74 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c @@ -145,6 +145,24 @@ METHOD(diffie_hellman_t, get_my_public_value, bool, return TRUE; } +METHOD(diffie_hellman_t, set_private_value, bool, + private_gcrypt_dh_t *this, chunk_t value) +{ + gcry_error_t err; + gcry_mpi_t xa; + + err = gcry_mpi_scan(&xa, GCRYMPI_FMT_USG, value.ptr, value.len, NULL); + if (!err) + { + gcry_mpi_release(this->xa); + this->xa = xa; + gcry_mpi_powm(this->ya, this->g, this->xa, this->p); + gcry_mpi_release(this->zz); + this->zz = NULL; + } + return !err; +} + METHOD(diffie_hellman_t, get_shared_secret, bool, private_gcrypt_dh_t *this, chunk_t *secret) { @@ -191,6 +209,7 @@ gcrypt_dh_t *create_generic(diffie_hellman_group_t group, size_t exp_len, .get_shared_secret = _get_shared_secret, .set_other_public_value = _set_other_public_value, .get_my_public_value = _get_my_public_value, + .set_private_value = _set_private_value, .get_dh_group = _get_dh_group, .destroy = _destroy, }, diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c index 480c083c0..04f1f43ef 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c @@ -158,6 +158,9 @@ plugin_t *gcrypt_plugin_create() } gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); + /* initialize static allocations we want to exclude from leak-detective */ + gcry_create_nonce(NULL, 0); + INIT(this, .public = { .plugin = { diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c index 4fcb168fa..b7ee94ee0 100644 --- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c +++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c @@ -162,6 +162,15 @@ METHOD(diffie_hellman_t, get_my_public_value, bool, return TRUE; } +METHOD(diffie_hellman_t, set_private_value, bool, + private_gmp_diffie_hellman_t *this, chunk_t value) +{ + mpz_import(this->xa, value.len, 1, 1, 1, 0, value.ptr); + mpz_powm(this->ya, this->g, this->xa, this->p); + this->computed = FALSE; + return TRUE; +} + METHOD(diffie_hellman_t, get_shared_secret, bool, private_gmp_diffie_hellman_t *this, chunk_t *secret) { @@ -212,6 +221,7 @@ static gmp_diffie_hellman_t *create_generic(diffie_hellman_group_t group, .get_shared_secret = _get_shared_secret, .set_other_public_value = _set_other_public_value, .get_my_public_value = _get_my_public_value, + .set_private_value = _set_private_value, .get_dh_group = _get_dh_group, .destroy = _destroy, }, diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index ad659e4d7..e738908e2 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c @@ -187,7 +187,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this, " %u bytes", em.len, data.len); goto end; } - success = memeq(em.ptr, data.ptr, data.len); + success = memeq_const(em.ptr, data.ptr, data.len); } else { /* IKEv2 and X.509 certificate signatures */ @@ -258,7 +258,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this, goto end_parser; } hasher->destroy(hasher); - success = memeq(object.ptr, hash.ptr, hash.len); + success = memeq_const(object.ptr, hash.ptr, hash.len); free(hash.ptr); break; } @@ -500,4 +500,3 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args) return &this->public; } - diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c index c2478a4ed..26f4700b8 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crypter.c +++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c @@ -226,10 +226,12 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo, return NULL; } break; +#ifndef OPENSSL_NO_DES case ENCR_DES_ECB: key_size = 8; this->cipher = EVP_des_ecb(); break; +#endif default: { char* name; diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c index 2615d60a2..cac442fc0 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c @@ -112,6 +112,18 @@ METHOD(diffie_hellman_t, set_other_public_value, bool, return TRUE; } +METHOD(diffie_hellman_t, set_private_value, bool, + private_openssl_diffie_hellman_t *this, chunk_t value) +{ + if (BN_bin2bn(value.ptr, value.len, this->dh->priv_key)) + { + chunk_clear(&this->shared_secret); + this->computed = FALSE; + return DH_generate_key(this->dh); + } + return FALSE; +} + METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, private_openssl_diffie_hellman_t *this) { @@ -160,6 +172,7 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create( .get_shared_secret = _get_shared_secret, .set_other_public_value = _set_other_public_value, .get_my_public_value = _get_my_public_value, + .set_private_value = _set_private_value, .get_dh_group = _get_dh_group, .destroy = _destroy, }, diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index 550a5432f..a1af500e2 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -248,6 +248,49 @@ METHOD(diffie_hellman_t, get_my_public_value, bool, return TRUE; } +METHOD(diffie_hellman_t, set_private_value, bool, + private_openssl_ec_diffie_hellman_t *this, chunk_t value) +{ + EC_POINT *pub = NULL; + BIGNUM *priv = NULL; + bool ret = FALSE; + + priv = BN_bin2bn(value.ptr, value.len, NULL); + if (!priv) + { + goto error; + } + pub = EC_POINT_new(EC_KEY_get0_group(this->key)); + if (!pub) + { + goto error; + } + if (EC_POINT_mul(this->ec_group, pub, priv, NULL, NULL, NULL) != 1) + { + goto error; + } + if (EC_KEY_set_private_key(this->key, priv) != 1) + { + goto error; + } + if (EC_KEY_set_public_key(this->key, pub) != 1) + { + goto error; + } + ret = TRUE; + +error: + if (pub) + { + EC_POINT_free(pub); + } + if (priv) + { + BN_free(priv); + } + return ret; +} + METHOD(diffie_hellman_t, get_shared_secret, bool, private_openssl_ec_diffie_hellman_t *this, chunk_t *secret) { @@ -558,6 +601,7 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_gro .get_shared_secret = _get_shared_secret, .set_other_public_value = _set_other_public_value, .get_my_public_value = _get_my_public_value, + .set_private_value = _set_private_value, .get_dh_group = _get_dh_group, .destroy = _destroy, }, diff --git a/src/libstrongswan/plugins/openssl/openssl_hmac.c b/src/libstrongswan/plugins/openssl/openssl_hmac.c index 4f0bcc7c3..065187a8c 100644 --- a/src/libstrongswan/plugins/openssl/openssl_hmac.c +++ b/src/libstrongswan/plugins/openssl/openssl_hmac.c @@ -69,15 +69,26 @@ struct private_mac_t { * Current HMAC context */ HMAC_CTX hmac; + + /** + * Key set on HMAC_CTX? + */ + bool key_set; }; METHOD(mac_t, set_key, bool, private_mac_t *this, chunk_t key) { #if OPENSSL_VERSION_NUMBER >= 0x10000000L - return HMAC_Init_ex(&this->hmac, key.ptr, key.len, this->hasher, NULL); + if (HMAC_Init_ex(&this->hmac, key.ptr, key.len, this->hasher, NULL)) + { + this->key_set = TRUE; + return TRUE; + } + return FALSE; #else /* OPENSSL_VERSION_NUMBER < 1.0 */ HMAC_Init_ex(&this->hmac, key.ptr, key.len, this->hasher, NULL); + this->key_set = TRUE; return TRUE; #endif } @@ -85,6 +96,10 @@ METHOD(mac_t, set_key, bool, METHOD(mac_t, get_mac, bool, private_mac_t *this, chunk_t data, u_int8_t *out) { + if (!this->key_set) + { + return FALSE; + } #if OPENSSL_VERSION_NUMBER >= 0x10000000L if (!HMAC_Update(&this->hmac, data.ptr, data.len)) { @@ -153,11 +168,6 @@ static mac_t *hmac_create(hash_algorithm_t algo) } HMAC_CTX_init(&this->hmac); - if (!set_key(this, chunk_empty)) - { - destroy(this); - return NULL; - } return &this->public; } diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c index 9c3c4040c..891e829ae 100644 --- a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c +++ b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c @@ -305,7 +305,7 @@ static bool verify_digest(CMS_ContentInfo *cms, CMS_SignerInfo *si, int hash_oid } hasher->destroy(hasher); - if (!chunk_equals(digest, hash)) + if (!chunk_equals_const(digest, hash)) { free(hash.ptr); DBG1(DBG_LIB, "invalid messageDigest"); diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index 9748e28f2..aa54d3bbd 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -74,7 +74,7 @@ static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this, RSA_PKCS1_PADDING); if (len != -1) { - valid = chunk_equals(data, chunk_create(buf, len)); + valid = chunk_equals_const(data, chunk_create(buf, len)); } free(buf); } diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c index 2005ef648..9ce210961 100644 --- a/src/libstrongswan/plugins/padlock/padlock_plugin.c +++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c @@ -23,31 +23,12 @@ #include #include +#include #include typedef struct private_padlock_plugin_t private_padlock_plugin_t; typedef enum padlock_feature_t padlock_feature_t; -/** - * Feature flags of padlock, received via cpuid() - */ -enum padlock_feature_t { - PADLOCK_RESERVED_1 = (1<<0), - PADLOCK_RESERVED_2 = (1<<1), - PADLOCK_RNG_AVAILABLE = (1<<2), - PADLOCK_RNG_ENABLED = (1<<3), - PADLOCK_RESERVED_3 = (1<<4), - PADLOCK_RESERVED_4 = (1<<5), - PADLOCK_ACE_AVAILABLE = (1<<6), - PADLOCK_ACE_ENABLED = (1<<7), - PADLOCK_ACE2_AVAILABLE = (1<<8), - PADLOCK_ACE2_ENABLED = (1<<9), - PADLOCK_PHE_AVAILABLE = (1<<10), - PADLOCK_PHE_ENABLED = (1<<11), - PADLOCK_PMM_AVAILABLE = (1<<12), - PADLOCK_PMM_ENABLED = (1<<13), -}; - /** * private data of aes_plugin */ @@ -61,48 +42,9 @@ struct private_padlock_plugin_t { /** * features supported by Padlock */ - padlock_feature_t features; + cpu_feature_t features; }; -/** - * Get cpuid for info, return eax, ebx, ecx and edx. -fPIC requires to save ebx. - */ -#define cpuid(op, a, b, c, d)\ - asm (\ - "pushl %%ebx \n\t"\ - "cpuid \n\t"\ - "movl %%ebx, %1 \n\t"\ - "popl %%ebx \n\t"\ - : "=a" (a), "=r" (b), "=c" (c), "=d" (d) \ - : "a" (op)); - -/** - * Get features supported by Padlock - */ -static padlock_feature_t get_padlock_features() -{ - char vendor[3 * sizeof(int) + 1]; - int a, b, c, d; - - cpuid(0, a, b, c, d); - /* VendorID string is in b-d-c (yes, in this order) */ - snprintf(vendor, sizeof(vendor), "%.4s%.4s%.4s", &b, &d, &c); - - /* check if we have a VIA chip */ - if (streq(vendor, "CentaurHauls")) - { - cpuid(0xC0000000, a, b, c, d); - /* check Centaur Extended Feature Flags */ - if (a >= 0xC0000001) - { - cpuid(0xC0000001, a, b, c, d); - return d; - } - } - DBG1(DBG_LIB, "Padlock not found, CPU is %s", vendor); - return 0; -} - METHOD(plugin_t, get_name, char*, private_padlock_plugin_t *this) { @@ -132,15 +74,15 @@ METHOD(plugin_t, get_features, int, if (!count) { /* initialize only once */ - if (this->features & PADLOCK_RNG_ENABLED) + if (this->features & CPU_FEATURE_PADLOCK_RNG_ENABLED) { plugin_features_add(f, f_rng, countof(f_rng), &count); } - if (this->features & PADLOCK_ACE2_ENABLED) + if (this->features & CPU_FEATURE_PADLOCK_ACE2_ENABLED) { plugin_features_add(f, f_aes, countof(f_aes), &count); } - if (this->features & PADLOCK_PHE_ENABLED) + if (this->features & CPU_FEATURE_PADLOCK_PHE_ENABLED) { plugin_features_add(f, f_sha1, countof(f_sha1), &count); } @@ -170,25 +112,20 @@ plugin_t *padlock_plugin_create() .destroy = _destroy, }, }, - .features = get_padlock_features(), + .features = cpu_feature_get_all(), ); - if (!this->features) - { - free(this); - return NULL; - } - DBG1(DBG_LIB, "Padlock found, supports:%s%s%s%s%s, enabled:%s%s%s%s%s", - this->features & PADLOCK_RNG_AVAILABLE ? " RNG" : "", - this->features & PADLOCK_ACE_AVAILABLE ? " ACE" : "", - this->features & PADLOCK_ACE2_AVAILABLE ? " ACE2" : "", - this->features & PADLOCK_PHE_AVAILABLE ? " PHE" : "", - this->features & PADLOCK_PMM_AVAILABLE ? " PMM" : "", - this->features & PADLOCK_RNG_ENABLED ? " RNG" : "", - this->features & PADLOCK_ACE_ENABLED ? " ACE" : "", - this->features & PADLOCK_ACE2_ENABLED ? " ACE2" : "", - this->features & PADLOCK_PHE_ENABLED ? " PHE" : "", - this->features & PADLOCK_PMM_ENABLED ? " PMM" : ""); + DBG1(DBG_LIB, "Padlock features supported:%s%s%s%s%s, enabled:%s%s%s%s%s", + this->features & CPU_FEATURE_PADLOCK_RNG_AVAILABLE ? " RNG" : "", + this->features & CPU_FEATURE_PADLOCK_ACE_AVAILABLE ? " ACE" : "", + this->features & CPU_FEATURE_PADLOCK_ACE2_AVAILABLE ? " ACE2" : "", + this->features & CPU_FEATURE_PADLOCK_PHE_AVAILABLE ? " PHE" : "", + this->features & CPU_FEATURE_PADLOCK_PMM_AVAILABLE ? " PMM" : "", + this->features & CPU_FEATURE_PADLOCK_RNG_ENABLED ? " RNG" : "", + this->features & CPU_FEATURE_PADLOCK_ACE_ENABLED ? " ACE" : "", + this->features & CPU_FEATURE_PADLOCK_ACE2_ENABLED ? " ACE2" : "", + this->features & CPU_FEATURE_PADLOCK_PHE_ENABLED ? " PHE" : "", + this->features & CPU_FEATURE_PADLOCK_PMM_ENABLED ? " PMM" : ""); return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c b/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c index 379f24796..4441b278f 100644 --- a/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c +++ b/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c @@ -356,7 +356,7 @@ static bool verify_mac(hash_algorithm_t hash, chunk_t salt, { break; } - if (chunk_equals(mac, calculated)) + if (chunk_equals_const(mac, calculated)) { success = TRUE; break; diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c index 48fb5e6a4..d224ef3aa 100644 --- a/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c +++ b/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c @@ -269,7 +269,7 @@ METHOD(enumerator_t, enumerate, bool, hasher->destroy(hasher); DBG3(DBG_LIB, "hash: %B", &hash); - valid = chunk_equals(chunk, hash); + valid = chunk_equals_const(chunk, hash); free(hash.ptr); if (!valid) { diff --git a/src/libstrongswan/plugins/plugin_feature.c b/src/libstrongswan/plugins/plugin_feature.c index 65cdbe9d9..2d0ce8a4c 100644 --- a/src/libstrongswan/plugins/plugin_feature.c +++ b/src/libstrongswan/plugins/plugin_feature.c @@ -437,10 +437,12 @@ bool plugin_feature_load(plugin_t *plugin, plugin_feature_t *feature, { case FEATURE_CRYPTER: lib->crypto->add_crypter(lib->crypto, feature->arg.crypter.alg, + feature->arg.crypter.key_size, name, reg->arg.reg.f); break; case FEATURE_AEAD: lib->crypto->add_aead(lib->crypto, feature->arg.aead.alg, + feature->arg.aead.key_size, name, reg->arg.reg.f); break; case FEATURE_SIGNER: diff --git a/src/libstrongswan/plugins/rdrand/rdrand_plugin.c b/src/libstrongswan/plugins/rdrand/rdrand_plugin.c index b416c872f..b63bc2f43 100644 --- a/src/libstrongswan/plugins/rdrand/rdrand_plugin.c +++ b/src/libstrongswan/plugins/rdrand/rdrand_plugin.c @@ -20,6 +20,7 @@ #include #include +#include typedef struct private_rdrand_plugin_t private_rdrand_plugin_t; typedef enum cpuid_feature_t cpuid_feature_t; @@ -35,56 +36,6 @@ struct private_rdrand_plugin_t { rdrand_plugin_t public; }; -/** - * CPU feature flags, returned via cpuid(1) - */ -enum cpuid_feature_t { - CPUID_RDRAND = (1<<30), -}; - -/** - * Get cpuid for info, return eax, ebx, ecx and edx. - * -fPIC requires to save ebx on IA-32. - */ -static void cpuid(u_int op, u_int *a, u_int *b, u_int *c, u_int *d) -{ -#ifdef __x86_64__ - asm("cpuid" : "=a" (*a), "=b" (*b), "=c" (*c), "=d" (*d) : "a" (op)); -#else /* __i386__ */ - asm("pushl %%ebx;" - "cpuid;" - "movl %%ebx, %1;" - "popl %%ebx;" - : "=a" (*a), "=r" (*b), "=c" (*c), "=d" (*d) : "a" (op)); -#endif /* __x86_64__ / __i386__*/ -} - -/** - * Check if we have RDRAND instruction - */ -static bool have_rdrand() -{ - char vendor[3 * sizeof(u_int32_t) + 1]; - u_int a, b, c, d; - - cpuid(0, &a, &b, &c, &d); - /* VendorID string is in b-d-c (yes, in this order) */ - snprintf(vendor, sizeof(vendor), "%.4s%.4s%.4s", &b, &d, &c); - - /* check if we have an Intel CPU */ - if (streq(vendor, "GenuineIntel")) - { - cpuid(1, &a, &b, &c, &d); - if (c & CPUID_RDRAND) - { - DBG2(DBG_LIB, "detected RDRAND support on %s CPU", vendor); - return TRUE; - } - } - DBG2(DBG_LIB, "no RDRAND support on %s CPU, disabled", vendor); - return FALSE; -} - METHOD(plugin_t, get_name, char*, private_rdrand_plugin_t *this) { @@ -102,10 +53,12 @@ METHOD(plugin_t, get_features, int, PLUGIN_DEPENDS(CRYPTER, ENCR_AES_CBC, 16), }; *features = f; - if (have_rdrand()) + if (cpu_feature_available(CPU_FEATURE_RDRAND)) { + DBG2(DBG_LIB, "detected RDRAND support, enabled"); return countof(f); } + DBG2(DBG_LIB, "no RDRAND support detected, disabled"); return 0; } diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c index ec1ca1404..0a35e3017 100644 --- a/src/libstrongswan/plugins/sqlite/sqlite_database.c +++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c @@ -68,6 +68,18 @@ typedef struct { } transaction_t; +/** + * Check if the SQLite library is thread safe + */ +static bool is_threadsave() +{ +#if SQLITE_VERSION_NUMBER >= 3005000 + return sqlite3_threadsafe() > 0; +#endif + /* sqlite connections prior to 3.5 may be used by a single thread only */ + return FALSE; +} + /** * Create and run a sqlite stmt using a sql string and args */ @@ -168,9 +180,10 @@ typedef struct { static void sqlite_enumerator_destroy(sqlite_enumerator_t *this) { sqlite3_finalize(this->stmt); -#if SQLITE_VERSION_NUMBER < 3005000 - this->database->mutex->unlock(this->database->mutex); -#endif + if (!is_threadsave()) + { + this->database->mutex->unlock(this->database->mutex); + } free(this->columns); free(this); } @@ -248,10 +261,10 @@ METHOD(database_t, query, enumerator_t*, sqlite_enumerator_t *enumerator = NULL; int i; -#if SQLITE_VERSION_NUMBER < 3005000 - /* sqlite connections prior to 3.5 may be used by a single thread only, */ - this->mutex->lock(this->mutex); -#endif + if (!is_threadsave()) + { + this->mutex->lock(this->mutex); + } va_start(args, sql); stmt = run(this, sql, &args); diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c index f554a9e4f..7f46aced7 100644 --- a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c +++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c @@ -16,6 +16,7 @@ #include "sqlite_plugin.h" #include +#include #include "sqlite_database.h" typedef struct private_sqlite_plugin_t private_sqlite_plugin_t; @@ -60,6 +61,7 @@ METHOD(plugin_t, destroy, void, plugin_t *sqlite_plugin_create() { private_sqlite_plugin_t *this; + int threadsave = 0; INIT(this, .public = { @@ -71,6 +73,11 @@ plugin_t *sqlite_plugin_create() }, ); +#if SQLITE_VERSION_NUMBER >= 3005000 + threadsave = sqlite3_threadsafe(); +#endif + DBG2(DBG_LIB, "using SQLite %s, thread safety %d", + sqlite3_libversion(), threadsave); + return &this->public.plugin; } - diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am index 85f86726b..bde27b873 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.am +++ b/src/libstrongswan/plugins/test_vectors/Makefile.am @@ -40,6 +40,10 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/sha2.c \ test_vectors/sha2_hmac.c \ test_vectors/fips_prf.c \ + test_vectors/modp.c \ + test_vectors/modpsub.c \ + test_vectors/ecp.c \ + test_vectors/ecpbp.c \ test_vectors/rng.c libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index 8980ec46c..e98119b85 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -143,7 +143,8 @@ am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \ test_vectors/md5_hmac.lo test_vectors/sha1.lo \ test_vectors/sha1_hmac.lo test_vectors/sha2.lo \ test_vectors/sha2_hmac.lo test_vectors/fips_prf.lo \ - test_vectors/rng.lo + test_vectors/modp.lo test_vectors/modpsub.lo \ + test_vectors/ecp.lo test_vectors/ecpbp.lo test_vectors/rng.lo libstrongswan_test_vectors_la_OBJECTS = \ $(am_libstrongswan_test_vectors_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) @@ -481,6 +482,10 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/sha2.c \ test_vectors/sha2_hmac.c \ test_vectors/fips_prf.c \ + test_vectors/modp.c \ + test_vectors/modpsub.c \ + test_vectors/ecp.c \ + test_vectors/ecpbp.c \ test_vectors/rng.c libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version @@ -626,6 +631,14 @@ test_vectors/sha2_hmac.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) test_vectors/fips_prf.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) +test_vectors/modp.lo: test_vectors/$(am__dirstamp) \ + test_vectors/$(DEPDIR)/$(am__dirstamp) +test_vectors/modpsub.lo: test_vectors/$(am__dirstamp) \ + test_vectors/$(DEPDIR)/$(am__dirstamp) +test_vectors/ecp.lo: test_vectors/$(am__dirstamp) \ + test_vectors/$(DEPDIR)/$(am__dirstamp) +test_vectors/ecpbp.lo: test_vectors/$(am__dirstamp) \ + test_vectors/$(DEPDIR)/$(am__dirstamp) test_vectors/rng.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) @@ -654,12 +667,16 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/camellia_xcbc.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/cast.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/des.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/ecp.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/ecpbp.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/fips_prf.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/idea.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/md2.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/md4.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/md5.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/md5_hmac.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/modp.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/modpsub.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/null.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/rc2.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/rc5.Plo@am__quote@ diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h index 33c13d9f4..f7450aa9e 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors.h +++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h @@ -86,6 +86,11 @@ TEST_VECTOR_AEAD(aes_ccm8) TEST_VECTOR_AEAD(aes_ccm9) TEST_VECTOR_AEAD(aes_ccm10) TEST_VECTOR_AEAD(aes_ccm11) +TEST_VECTOR_AEAD(aes_ccm12) +TEST_VECTOR_AEAD(aes_ccm13) +TEST_VECTOR_AEAD(aes_ccm14) +TEST_VECTOR_AEAD(aes_ccm15) +TEST_VECTOR_AEAD(aes_ccm16) TEST_VECTOR_AEAD(aes_gcm1) TEST_VECTOR_AEAD(aes_gcm2) TEST_VECTOR_AEAD(aes_gcm3_1) @@ -100,6 +105,13 @@ TEST_VECTOR_AEAD(aes_gcm13) TEST_VECTOR_AEAD(aes_gcm14) TEST_VECTOR_AEAD(aes_gcm15) TEST_VECTOR_AEAD(aes_gcm16) +TEST_VECTOR_AEAD(aes_gcm17) +TEST_VECTOR_AEAD(aes_gcm18) +TEST_VECTOR_AEAD(aes_gcm19) +TEST_VECTOR_AEAD(aes_gcm20) +TEST_VECTOR_AEAD(aes_gcm21) +TEST_VECTOR_AEAD(aes_gcm22) +TEST_VECTOR_AEAD(aes_gcm23) TEST_VECTOR_SIGNER(aes_xcbc_s1) TEST_VECTOR_SIGNER(aes_xcbc_s2) @@ -228,3 +240,23 @@ TEST_VECTOR_RNG(rng_runs_1) TEST_VECTOR_RNG(rng_runs_2) TEST_VECTOR_RNG(rng_runs_3) +TEST_VECTOR_DH(modp768) +TEST_VECTOR_DH(modp1024) +TEST_VECTOR_DH(modp1536) +TEST_VECTOR_DH(modp2048) +TEST_VECTOR_DH(modp3072) +TEST_VECTOR_DH(modp4096) +TEST_VECTOR_DH(modp6144) +TEST_VECTOR_DH(modp8192) +TEST_VECTOR_DH(modp1024_160) +TEST_VECTOR_DH(modp2048_224) +TEST_VECTOR_DH(modp2048_256) +TEST_VECTOR_DH(ecp192) +TEST_VECTOR_DH(ecp224) +TEST_VECTOR_DH(ecp256) +TEST_VECTOR_DH(ecp384) +TEST_VECTOR_DH(ecp521) +TEST_VECTOR_DH(ecp224bp) +TEST_VECTOR_DH(ecp256bp) +TEST_VECTOR_DH(ecp384bp) +TEST_VECTOR_DH(ecp512bp) diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c index 95c41ecbc..cb45254ea 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c @@ -166,3 +166,82 @@ aead_test_vector_t aes_ccm11 = { "\x66\xca\x61\x1e\x96\x7a\x61\xb3\x1c\x16\x45\x52\xba\x04\x9c\x9f" "\xb1\xd2\x40\xbc\x52\x7c\x6f\xb1", }; + +/** + * The vectors below are defined by ourself + */ +aead_test_vector_t aes_ccm12 = { + .alg = ENCR_AES_CCM_ICV8, .key_size = 24, .salt_size = 3, + .len = 32, .alen = 27, + .key = "\x58\x5d\xa0\x96\x65\x1a\x04\xd7\x96\xe5\xc5\x68\xaa\x95\x35\xe0" + "\x29\xa0\xba\x9e\x48\x78\xd1\xba\xee\x49\x83", + .iv = "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e", + .adata = "\x44\xa6\x2c\x05\xe9\xe1\x43\xb1\x58\x7c\xf2\x5c\x6d\x39\x0a\x64" + "\xa4\xf0\x13\x05\xd1\x77\x99\x67\x11\xc4\xc6", + .plain = "\x85\x34\x66\x42\xc8\x92\x0f\x36\x58\xe0\x6b\x91\x3c\x98\x5c\xbb" + "\x0a\x85\xcc\x02\xad\x7a\x96\xe9\x65\x43\xa4\xc3\x0f\xdc\x55\x81", + .cipher = "\xfb\xe5\x5d\x34\xbe\xe5\xe8\xe7\x5a\xef\x2f\xbf\x1f\x7f\xd4\xb2" + "\x66\xca\x61\x1e\x96\x7a\x61\xb3\x1c\x16\x45\x52\xba\x04\x9c\x9f" + "\x24\x0e\xd1\xa5\x40\x74\xc8\x4e", +}; + +aead_test_vector_t aes_ccm13 = { + .alg = ENCR_AES_CCM_ICV8, .key_size = 24, .salt_size = 3, + .len = 27, .alen = 32, + .key = "\x58\x5d\xa0\x96\x65\x1a\x04\xd7\x96\xe5\xc5\x68\xaa\x95\x35\xe0" + "\x29\xa0\xba\x9e\x48\x78\xd1\xba\xee\x49\x83", + .iv = "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e", + .adata = "\x44\xa6\x2c\x05\xe9\xe1\x43\xb1\x58\x7c\xf2\x5c\x6d\x39\x0a\x64" + "\xa4\xf0\x13\x05\xd1\x77\x99\x67\x11\xc4\xc6\xdb\x00\x56\x36\x61", + .plain = "\x85\x34\x66\x42\xc8\x92\x0f\x36\x58\xe0\x6b\x91\x3c\x98\x5c\xbb" + "\x0a\x85\xcc\x02\xad\x7a\x96\xe9\x65\x43\xa4", + .cipher = "\xfb\xe5\x5d\x34\xbe\xe5\xe8\xe7\x5a\xef\x2f\xbf\x1f\x7f\xd4\xb2" + "\x66\xca\x61\x1e\x96\x7a\x61\xb3\x1c\x16\x45\xa6\xe9\x3c\xa8\x50" + "\x4e\x62\x97", +}; + +aead_test_vector_t aes_ccm14 = { + .alg = ENCR_AES_CCM_ICV8, .key_size = 24, .salt_size = 3, + .len = 27, .alen = 27, + .key = "\x58\x5d\xa0\x96\x65\x1a\x04\xd7\x96\xe5\xc5\x68\xaa\x95\x35\xe0" + "\x29\xa0\xba\x9e\x48\x78\xd1\xba\xee\x49\x83", + .iv = "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e", + .adata = "\x44\xa6\x2c\x05\xe9\xe1\x43\xb1\x58\x7c\xf2\x5c\x6d\x39\x0a\x64" + "\xa4\xf0\x13\x05\xd1\x77\x99\x67\x11\xc4\xc6", + .plain = "\x85\x34\x66\x42\xc8\x92\x0f\x36\x58\xe0\x6b\x91\x3c\x98\x5c\xbb" + "\x0a\x85\xcc\x02\xad\x7a\x96\xe9\x65\x43\xa4", + .cipher = "\xfb\xe5\x5d\x34\xbe\xe5\xe8\xe7\x5a\xef\x2f\xbf\x1f\x7f\xd4\xb2" + "\x66\xca\x61\x1e\x96\x7a\x61\xb3\x1c\x16\x45\x11\x03\x16\x48\xfb" + "\xb7\xde\xf1", +}; + +aead_test_vector_t aes_ccm15 = { + .alg = ENCR_AES_CCM_ICV12, .key_size = 16, .salt_size = 3, + .len = 32, .alen = 32, + .key = "\x7c\xc8\x18\x3b\x8d\x99\xe0\x7c\x45\x41\xb8\xbd\x5c\xa7\xc2\x32" + "\x8a\xb8\x02\x59\xa4\xfe\xa9\x2c\x09\x75\x9a\x9b\x3c\x9b\x27\x39" + "\xf9\xd9\x4e", + .iv = "\x63\xb5\x3d\x9d\x43\xf6\x1e\x50", + .adata = "\x57\xf5\x6b\x8b\x57\x5c\x3d\x3b\x13\x02\x01\x0c\x83\x4c\x96\x35" + "\x8e\xd6\x39\xcf\x7d\x14\x9b\x94\xb0\x39\x36\xe6\x8f\x57\xe0\x13", + .plain = "\x3b\x6c\x29\x36\xb6\xef\x07\xa6\x83\x72\x07\x4f\xcf\xfa\x66\x89" + "\x5f\xca\xb1\xba\xd5\x8f\x2c\x27\x30\xdb\x75\x09\x93\xd4\x65\xe4", + .cipher = "\x2b\x94\x71\x1a\xd3\x28\x21\xe5\xe2\xeb\x75\xe8\x09\x98\x9c\x0a" + "\xc9\xea\x3e\xe4\x3a\xf9\x71\x4c\x4f\x16\x73\x1d\xa5\x10\x93\x5b" + "\x83\xcd\xdd\x30\xb9\x3f\x86\xb3\x14\xbb\x7d\x81", +}; + +aead_test_vector_t aes_ccm16 = { + .alg = ENCR_AES_CCM_ICV12, .key_size = 24, .salt_size = 3, + .len = 32, .alen = 32, + .key = "\x7c\xc8\x18\x3b\x8d\x99\xe0\x7c\x45\x41\xb8\xbd\x5c\xa7\xc2\x32" + "\x8a\xb8\x02\x59\xa4\xfe\xa9\x2c\xf9\xd9\x4e", + .iv = "\x63\xb5\x3d\x9d\x43\xf6\x1e\x50", + .adata = "\x57\xf5\x6b\x8b\x57\x5c\x3d\x3b\x13\x02\x01\x0c\x83\x4c\x96\x35" + "\x8e\xd6\x39\xcf\x7d\x14\x9b\x94\xb0\x39\x36\xe6\x8f\x57\xe0\x13", + .plain = "\x3b\x6c\x29\x36\xb6\xef\x07\xa6\x83\x72\x07\x4f\xcf\xfa\x66\x89" + "\x5f\xca\xb1\xba\xd5\x8f\x2c\x27\x30\xdb\x75\x09\x93\xd4\x65\xe4", + .cipher = "\x48\x19\x60\xbb\x65\xa8\x00\xb8\x26\xf1\x7f\x16\x1f\x3c\xfc\x6d" + "\x86\x62\x10\xc5\x51\xcf\xef\x74\xac\xc6\xdf\x28\xac\x36\x6f\xa0" + "\x3a\x38\x24\x50\x68\x0f\x40\x1e\xaf\xea\x42\x16", +}; diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c index 1f33bcbd5..f348cd4d1 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c @@ -220,3 +220,153 @@ aead_test_vector_t aes_gcm16 = { "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x76\xfc\x6e\xce" "\x0f\x4e\x17\x68\xcd\xdf\x88\x53\xbb\x2d\x55\x1b", }; + +/** + * Some self made vectors for AES-192/256 with ICV8/12 + */ +aead_test_vector_t aes_gcm17 = { + .alg = ENCR_AES_GCM_ICV8, .key_size = 24, .salt_size = 4, + .len = 70, .alen = 0, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d", + .cipher = "\x39\x80\xca\x0b\x3c\x00\xe8\x41\xeb\x06\xfa\xc4\x87\x2a\x27\x57" + "\x85\x9e\x1c\xea\xa6\xef\xd9\x84\x62\x85\x93\xb4\x0c\xa1\xe1\x9c" + "\x7d\x77\x3d\x00\xc1\x44\xc5\x25\xac\x61\x9d\x18\xc8\x4a\x3f\x47" + "\xb5\xb4\xa5\xeb\x10\x86\xcb\xdd\x59\x76\x52\x0d\xff\xa4\x85\x26" + "\x4b\x54\x22\xa0\xc6\x65\x4d\xa8\x46\x73\xec\xc0\x61\x68", +}; +aead_test_vector_t aes_gcm18 = { + .alg = ENCR_AES_GCM_ICV12, .key_size = 24, .salt_size = 4, + .len = 70, .alen = 0, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d", + .cipher = "\x39\x80\xca\x0b\x3c\x00\xe8\x41\xeb\x06\xfa\xc4\x87\x2a\x27\x57" + "\x85\x9e\x1c\xea\xa6\xef\xd9\x84\x62\x85\x93\xb4\x0c\xa1\xe1\x9c" + "\x7d\x77\x3d\x00\xc1\x44\xc5\x25\xac\x61\x9d\x18\xc8\x4a\x3f\x47" + "\xb5\xb4\xa5\xeb\x10\x86\xcb\xdd\x59\x76\x52\x0d\xff\xa4\x85\x26" + "\x4b\x54\x22\xa0\xc6\x65\x4d\xa8\x46\x73\xec\xc0\x61\x68\x0f\x00" + "\x0c\x32", +}; +aead_test_vector_t aes_gcm19 = { + .alg = ENCR_AES_GCM_ICV8, .key_size = 32, .salt_size = 4, + .len = 70, .alen = 0, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d", + .cipher = "\x52\x2d\xc1\xf0\x99\x56\x7d\x07\xf4\x7f\x37\xa3\x2a\x84\x42\x7d" + "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9\x75\x98\xa2\xbd\x25\x55\xd1\xaa" + "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d\xa7\xb0\x8b\x10\x56\x82\x88\x38" + "\x68\xa0\xff\x03\xac\xdf\x95\x0e\x29\x65\x83\x7f\xda\x89\x72\xdd" + "\xd5\xc5\x96\xa3\x4a\xe0\xe6\x2f\x1e\xe2\x04\x80\xd7\xb7", +}; +aead_test_vector_t aes_gcm20 = { + .alg = ENCR_AES_GCM_ICV12, .key_size = 32, .salt_size = 4, + .len = 70, .alen = 0, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d", + .cipher = "\x52\x2d\xc1\xf0\x99\x56\x7d\x07\xf4\x7f\x37\xa3\x2a\x84\x42\x7d" + "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9\x75\x98\xa2\xbd\x25\x55\xd1\xaa" + "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d\xa7\xb0\x8b\x10\x56\x82\x88\x38" + "\x68\xa0\xff\x03\xac\xdf\x95\x0e\x29\x65\x83\x7f\xda\x89\x72\xdd" + "\xd5\xc5\x96\xa3\x4a\xe0\xe6\x2f\x1e\xe2\x04\x80\xd7\xb7\x5b\x65" + "\x9a\xad", +}; + +/** + * Some self-made vectors using more associated data + */ +aead_test_vector_t aes_gcm21 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4, + .len = 70, .alen = 69, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .adata = "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef" + "\xab\xad\xda\xd2\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce" + "\xde\xad\xbe\xef\xda\xd2\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xda" + "\xd2\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xda\xd2\xfe\xed\xfa\xce" + "\xde\xad\xbe\xef\xfe", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d", + .cipher = "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c" + "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e" + "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05" + "\xb6\xf5\xea\x59\x55\x6f\x43\x93\xa8\xf4\x95\x8c\x14\x36\x3e\xf5" + "\x6c\xc2\x8a\x31\x64\xff\xe9\x24\x77\xc3\xaf\x6b\x64\xc7\x8b\xb9" + "\xec\xb9\x48\x84\xa2\xdb", +}; +aead_test_vector_t aes_gcm22 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4, + .len = 70, .alen = 69, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .adata = "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef" + "\xab\xad\xda\xd2\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce" + "\xde\xad\xbe\xef\xda\xd2\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xda" + "\xd2\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xda\xd2\xfe\xed\xfa\xce" + "\xde\xad\xbe\xef\xfe", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d", + .cipher = "\x39\x80\xca\x0b\x3c\x00\xe8\x41\xeb\x06\xfa\xc4\x87\x2a\x27\x57" + "\x85\x9e\x1c\xea\xa6\xef\xd9\x84\x62\x85\x93\xb4\x0c\xa1\xe1\x9c" + "\x7d\x77\x3d\x00\xc1\x44\xc5\x25\xac\x61\x9d\x18\xc8\x4a\x3f\x47" + "\xb5\xb4\xa5\xeb\x10\x86\xcb\xdd\x59\x76\x52\x0d\xff\xa4\x85\x26" + "\x4b\x54\x22\xa0\xc6\x65\x82\x33\xf3\x2d\x00\xe5\x03\x29\x8f\x7f" + "\x70\x74\xe6\xfe\x60\x75", +}; +aead_test_vector_t aes_gcm23 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4, + .len = 70, .alen = 69, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .adata = "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef" + "\xab\xad\xda\xd2\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce" + "\xde\xad\xbe\xef\xda\xd2\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xda" + "\xd2\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xda\xd2\xfe\xed\xfa\xce" + "\xde\xad\xbe\xef\xfe", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d", + .cipher = "\x52\x2d\xc1\xf0\x99\x56\x7d\x07\xf4\x7f\x37\xa3\x2a\x84\x42\x7d" + "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9\x75\x98\xa2\xbd\x25\x55\xd1\xaa" + "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d\xa7\xb0\x8b\x10\x56\x82\x88\x38" + "\x68\xa0\xff\x03\xac\xdf\x95\x0e\x29\x65\x83\x7f\xda\x89\x72\xdd" + "\xd5\xc5\x96\xa3\x4a\xe0\xa8\xb6\x0f\xfe\xd5\xe5\x33\xf4\x37\x74" + "\x83\x93\xf8\xaf\x80\x43", +}; diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/ecp.c b/src/libstrongswan/plugins/test_vectors/test_vectors/ecp.c new file mode 100644 index 000000000..b3c94b2de --- /dev/null +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/ecp.c @@ -0,0 +1,134 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the Licenseor (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be usefulbut + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +/** + * Test vectors from RFC5114 + */ + +dh_test_vector_t ecp192 = { + .group = ECP_192_BIT, .priv_len = 24, .pub_len = 48, .shared_len = 24, + .priv_a = "\x32\x3f\xa3\x16\x9d\x8e\x9c\x65\x93\xf5\x94\x76\xbc\x14\x20\x00" + "\xab\x5b\xe0\xe2\x49\xc4\x34\x26", + .priv_b = "\x63\x1f\x95\xbb\x4a\x67\x63\x2c\x9c\x47\x6e\xee\x9a\xb6\x95\xab" + "\x24\x0a\x04\x99\x30\x7f\xcf\x62", + .pub_a = "\xcd\x46\x48\x9e\xcf\xd6\xc1\x05\xe7\xb3\xd3\x25\x66\xe2\xb1\x22" + "\xe2\x49\xab\xaa\xdd\x87\x06\x12\x68\x88\x7b\x48\x77\xdf\x51\xdd" + "\x4d\xc3\xd6\xfd\x11\xf0\xa2\x6f\x8f\xd3\x84\x43\x17\x91\x6e\x9a", + .pub_b = "\x51\x9a\x12\x16\x80\xe0\x04\x54\x66\xba\x21\xdf\x2e\xee\x47\xf5" + "\x97\x3b\x50\x05\x77\xef\x13\xd5\xff\x61\x3a\xb4\xd6\x4c\xee\x3a" + "\x20\x87\x5b\xdb\x10\xf9\x53\xf6\xb3\x0c\xa0\x72\xc6\x0a\xa5\x7f", + .shared = "\xad\x42\x01\x82\x63\x3f\x85\x26\xbf\xe9\x54\xac\xda\x37\x6f\x05" + "\xe5\xff\x4f\x83\x7f\x54\xfe\xbe", +}; + +dh_test_vector_t ecp224 = { + .group = ECP_224_BIT, .priv_len = 28, .pub_len = 56, .shared_len = 28, + .priv_a = "\xb5\x58\xeb\x6c\x28\x8d\xa7\x07\xbb\xb4\xf8\xfb\xae\x2a\xb9\xe9" + "\xcb\x62\xe3\xbc\x5c\x75\x73\xe2\x2e\x26\xd3\x7f", + .priv_b = "\xac\x3b\x1a\xdd\x3d\x97\x70\xe6\xf6\xa7\x08\xee\x9f\x3b\x8e\x0a" + "\xb3\xb4\x80\xe9\xf2\x7f\x85\xc8\x8b\x5e\x6d\x18", + .pub_a = "\x49\xdf\xef\x30\x9f\x81\x48\x8c\x30\x4c\xff\x5a\xb3\xee\x5a\x21" + "\x54\x36\x7d\xc7\x83\x31\x50\xe0\xa5\x1f\x3e\xeb\x4f\x2b\x5e\xe4" + "\x57\x62\xc4\xf6\x54\xc1\xa0\xc6\x7f\x54\xcf\x88\xb0\x16\xb5\x1b" + "\xce\x3d\x7c\x22\x8d\x57\xad\xb4", + .pub_b = "\x6b\x3a\xc9\x6a\x8d\x0c\xde\x6a\x55\x99\xbe\x80\x32\xed\xf1\x0c" + "\x16\x2d\x0a\x8a\xd2\x19\x50\x6d\xcd\x42\xa2\x07\xd4\x91\xbe\x99" + "\xc2\x13\xa7\xd1\xca\x37\x06\xde\xbf\xe3\x05\xf3\x61\xaf\xcb\xb3" + "\x3e\x26\x09\xc8\xb1\x61\x8a\xd5", + .shared = "\x52\x27\x2f\x50\xf4\x6f\x4e\xdc\x91\x51\x56\x90\x92\xf4\x6d\xf2" + "\xd9\x6e\xcc\x3b\x6d\xc1\x71\x4a\x4e\xa9\x49\xfa", +}; + +dh_test_vector_t ecp256 = { + .group = ECP_256_BIT, .priv_len = 32, .pub_len = 64, .shared_len = 32, + .priv_a = "\x81\x42\x64\x14\x5f\x2f\x56\xf2\xe9\x6a\x8e\x33\x7a\x12\x84\x99" + "\x3f\xaf\x43\x2a\x5a\xbc\xe5\x9e\x86\x7b\x72\x91\xd5\x07\xa3\xaf", + .priv_b = "\x2c\xe1\x78\x8e\xc1\x97\xe0\x96\xdb\x95\xa2\x00\xcc\x0a\xb2\x6a" + "\x19\xce\x6b\xcc\xad\x56\x2b\x8e\xee\x1b\x59\x37\x61\xcf\x7f\x41", + .pub_a = "\x2a\xf5\x02\xf3\xbe\x89\x52\xf2\xc9\xb5\xa8\xd4\x16\x0d\x09\xe9" + "\x71\x65\xbe\x50\xbc\x42\xae\x4a\x5e\x8d\x3b\x4b\xa8\x3a\xeb\x15" + "\xeb\x0f\xaf\x4c\xa9\x86\xc4\xd3\x86\x81\xa0\xf9\x87\x2d\x79\xd5" + "\x67\x95\xbd\x4b\xff\x6e\x6d\xe3\xc0\xf5\x01\x5e\xce\x5e\xfd\x85", + .pub_b = "\xb1\x20\xde\x4a\xa3\x64\x92\x79\x53\x46\xe8\xde\x6c\x2c\x86\x46" + "\xae\x06\xaa\xea\x27\x9f\xa7\x75\xb3\xab\x07\x15\xf6\xce\x51\xb0" + "\x9f\x1b\x7e\xec\xe2\x0d\x7b\x5e\xd8\xec\x68\x5f\xa3\xf0\x71\xd8" + "\x37\x27\x02\x70\x92\xa8\x41\x13\x85\xc3\x4d\xde\x57\x08\xb2\xb6", + .shared = "\xdd\x0f\x53\x96\x21\x9d\x1e\xa3\x93\x31\x04\x12\xd1\x9a\x08\xf1" + "\xf5\x81\x1e\x9d\xc8\xec\x8e\xea\x7f\x80\xd2\x1c\x82\x0c\x27\x88", +}; + +dh_test_vector_t ecp384 = { + .group = ECP_384_BIT, .priv_len = 48, .pub_len = 96, .shared_len = 48, + .priv_a = "\xd2\x73\x35\xea\x71\x66\x4a\xf2\x44\xdd\x14\xe9\xfd\x12\x60\x71" + "\x5d\xfd\x8a\x79\x65\x57\x1c\x48\xd7\x09\xee\x7a\x79\x62\xa1\x56" + "\xd7\x06\xa9\x0c\xbc\xb5\xdf\x29\x86\xf0\x5f\xea\xdb\x93\x76\xf1", + .priv_b = "\x52\xd1\x79\x1f\xdb\x4b\x70\xf8\x9c\x0f\x00\xd4\x56\xc2\xf7\x02" + "\x3b\x61\x25\x26\x2c\x36\xa7\xdf\x1f\x80\x23\x11\x21\xcc\xe3\xd3" + "\x9b\xe5\x2e\x00\xc1\x94\xa4\x13\x2c\x4a\x6c\x76\x8b\xcd\x94\xd2", + .pub_a = "\x79\x31\x48\xf1\x78\x76\x34\xd5\xda\x4c\x6d\x90\x74\x41\x7d\x05" + "\xe0\x57\xab\x62\xf8\x20\x54\xd1\x0e\xe6\xb0\x40\x3d\x62\x79\x54" + "\x7e\x6a\x8e\xa9\xd1\xfd\x77\x42\x7d\x01\x6f\xe2\x7a\x8b\x8c\x66" + "\xc6\xc4\x12\x94\x33\x1d\x23\xe6\xf4\x80\xf4\xfb\x4c\xd4\x05\x04" + "\xc9\x47\x39\x2e\x94\xf4\xc3\xf0\x6b\x8f\x39\x8b\xb2\x9e\x42\x36" + "\x8f\x7a\x68\x59\x23\xde\x3b\x67\xba\xce\xd2\x14\xa1\xa1\xd1\x28", + .pub_b = "\x5c\xd4\x2a\xb9\xc4\x1b\x53\x47\xf7\x4b\x8d\x4e\xfb\x70\x8b\x3d" + "\x5b\x36\xdb\x65\x91\x53\x59\xb4\x4a\xbc\x17\x64\x7b\x6b\x99\x99" + "\x78\x9d\x72\xa8\x48\x65\xae\x2f\x22\x3f\x12\xb5\xa1\xab\xc1\x20" + "\xe1\x71\x45\x8f\xea\xa9\x39\xaa\xa3\xa8\xbf\xac\x46\xb4\x04\xbd" + "\x8f\x6d\x5b\x34\x8c\x0f\xa4\xd8\x0c\xec\xa1\x63\x56\xca\x93\x32" + "\x40\xbd\xe8\x72\x34\x15\xa8\xec\xe0\x35\xb0\xed\xf3\x67\x55\xde", + .shared = "\x5e\xa1\xfc\x4a\xf7\x25\x6d\x20\x55\x98\x1b\x11\x05\x75\xe0\xa8" + "\xca\xe5\x31\x60\x13\x7d\x90\x4c\x59\xd9\x26\xeb\x1b\x84\x56\xe4" + "\x27\xaa\x8a\x45\x40\x88\x4c\x37\xde\x15\x9a\x58\x02\x8a\xbc\x0e", +}; + +dh_test_vector_t ecp521 = { + .group = ECP_521_BIT, .priv_len = 66, .pub_len = 132, .shared_len = 66, + .priv_a = "\x01\x13\xf8\x2d\xa8\x25\x73\x5e\x3d\x97\x27\x66\x83\xb2\xb7\x42" + "\x77\xba\xd2\x73\x35\xea\x71\x66\x4a\xf2\x43\x0c\xc4\xf3\x34\x59" + "\xb9\x66\x9e\xe7\x8b\x3f\xfb\x9b\x86\x83\x01\x5d\x34\x4d\xcb\xfe" + "\xf6\xfb\x9a\xf4\xc6\xc4\x70\xbe\x25\x45\x16\xcd\x3c\x1a\x1f\xb4" + "\x73\x62", + .priv_b = "\x00\xce\xe3\x48\x0d\x86\x45\xa1\x7d\x24\x9f\x27\x76\xd2\x8b\xae" + "\x61\x69\x52\xd1\x79\x1f\xdb\x4b\x70\xf7\xc3\x37\x87\x32\xaa\x1b" + "\x22\x92\x84\x48\xbc\xd1\xdc\x24\x96\xd4\x35\xb0\x10\x48\x06\x6e" + "\xbe\x4f\x72\x90\x3c\x36\x1b\x1a\x9d\xc1\x19\x3d\xc2\xc9\xd0\x89" + "\x1b\x96", + .pub_a = "\x01\xeb\xb3\x4d\xd7\x57\x21\xab\xf8\xad\xc9\xdb\xed\x17\x88\x9c" + "\xbb\x97\x65\xd9\x0a\x7c\x60\xf2\xce\xf0\x07\xbb\x0f\x2b\x26\xe1" + "\x48\x81\xfd\x44\x42\xe6\x89\xd6\x1c\xb2\xdd\x04\x6e\xe3\x0e\x3f" + "\xfd\x20\xf9\xa4\x5b\xbd\xf6\x41\x3d\x58\x3a\x2d\xbf\x59\x92\x4f" + "\xd3\x5c\x00\xf6\xb6\x32\xd1\x94\xc0\x38\x8e\x22\xd8\x43\x7e\x55" + "\x8c\x55\x2a\xe1\x95\xad\xfd\x15\x3f\x92\xd7\x49\x08\x35\x1b\x2f" + "\x8c\x4e\xda\x94\xed\xb0\x91\x6d\x1b\x53\xc0\x20\xb5\xee\xca\xed" + "\x1a\x5f\xc3\x8a\x23\x3e\x48\x30\x58\x7b\xb2\xee\x34\x89\xb3\xb4" + "\x2a\x5a\x86\xa4", + .pub_b = "\x01\x0e\xbf\xaf\xc6\xe8\x5e\x08\xd2\x4b\xff\xfc\xc1\xa4\x51\x1d" + "\xb0\xe6\x34\xbe\xeb\x1b\x6d\xec\x8c\x59\x39\xae\x44\x76\x62\x01" + "\xaf\x62\x00\x43\x0b\xa9\x7c\x8a\xc6\xa0\xe9\xf0\x8b\x33\xce\x7e" + "\x9f\xee\xb5\xba\x4e\xe5\xe0\xd8\x15\x10\xc2\x42\x95\xb8\xa0\x8d" + "\x02\x35\x00\xa4\xa6\xec\x30\x0d\xf9\xe2\x57\xb0\x37\x2b\x5e\x7a" + "\xbf\xef\x09\x34\x36\x71\x9a\x77\x88\x7e\xbb\x0b\x18\xcf\x80\x99" + "\xb9\xf4\x21\x2b\x6e\x30\xa1\x41\x9c\x18\xe0\x29\xd3\x68\x63\xcc" + "\x9d\x44\x8f\x4d\xba\x4d\x2a\x0e\x60\x71\x1b\xe5\x72\x91\x5f\xbd" + "\x4f\xef\x26\x95", + .shared = "\x00\xcd\xea\x89\x62\x1c\xfa\x46\xb1\x32\xf9\xe4\xcf\xe2\x26\x1c" + "\xde\x2d\x43\x68\xeb\x56\x56\x63\x4c\x7c\xc9\x8c\x7a\x00\xcd\xe5" + "\x4e\xd1\x86\x6a\x0d\xd3\xe6\x12\x6c\x9d\x2f\x84\x5d\xaf\xf8\x2c" + "\xeb\x1d\xa0\x8f\x5d\x87\x52\x1b\xb0\xeb\xec\xa7\x79\x11\x16\x9c" + "\x20\xcc", +}; diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/ecpbp.c b/src/libstrongswan/plugins/test_vectors/test_vectors/ecpbp.c new file mode 100644 index 000000000..de4399868 --- /dev/null +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/ecpbp.c @@ -0,0 +1,113 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the Licenseor (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be usefulbut + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +/** + * Test vectors from RFC6923/RFC7027 + */ + +dh_test_vector_t ecp224bp = { + .group = ECP_224_BP, .priv_len = 28, .pub_len = 56, .shared_len = 28, + .priv_a = "\x7c\x4b\x7a\x2c\x8a\x4b\xad\x1f\xbb\x7d\x79\xcc\x09\x55\xdb\x7c" + "\x6a\x46\x60\xca\x64\xcc\x47\x78\x15\x9b\x49\x5e", + .priv_b = "\x63\x97\x6d\x4a\xae\x6c\xd0\xf6\xdd\x18\xde\xfe\xf5\x5d\x96\x56" + "\x9d\x05\x07\xc0\x3e\x74\xd6\x48\x6f\xfa\x28\xfb", + .pub_a = "\xb1\x04\xa6\x7a\x6f\x6e\x85\xe1\x4e\xc1\x82\x5e\x15\x39\xe8\xec" + "\xdb\xbf\x58\x49\x22\x36\x7d\xd8\x8c\x6b\xdc\xf2\x46\xd7\x82\xe7" + "\xfd\xb5\xf6\x0c\xd8\x40\x43\x01\xac\x59\x49\xc5\x8e\xdb\x26\xbc" + "\x68\xba\x07\x69\x5b\x75\x0a\x94", + .pub_b = "\x2a\x97\x08\x9a\x92\x96\x14\x7b\x71\xb2\x1a\x4b\x57\x4e\x12\x78" + "\x24\x5b\x53\x6f\x14\xd8\xc2\xb9\xd0\x7a\x87\x4e\x9b\x90\x0d\x7c" + "\x77\xa7\x09\xa7\x97\x27\x6b\x8c\xa1\xba\x61\xbb\x95\xb5\x46\xfc" + "\x29\xf8\x62\xe4\x4d\x59\xd2\x5b", + .shared = "\x31\x2d\xfd\x98\x78\x3f\x9f\xb7\x7b\x97\x04\x94\x5a\x73\xbe\xb6" + "\xdc\xcb\xe3\xb6\x5d\x0f\x96\x7d\xca\xb5\x74\xeb", +}; + +dh_test_vector_t ecp256bp = { + .group = ECP_256_BP, .priv_len = 32, .pub_len = 64, .shared_len = 32, + .priv_a = "\x81\xdb\x1e\xe1\x00\x15\x0f\xf2\xea\x33\x8d\x70\x82\x71\xbe\x38" + "\x30\x0c\xb5\x42\x41\xd7\x99\x50\xf7\x7b\x06\x30\x39\x80\x4f\x1d", + .priv_b = "\x55\xe4\x0b\xc4\x1e\x37\xe3\xe2\xad\x25\xc3\xc6\x65\x45\x11\xff" + "\xa8\x47\x4a\x91\xa0\x03\x20\x87\x59\x38\x52\xd3\xe7\xd7\x6b\xd3", + .pub_a = "\x44\x10\x6e\x91\x3f\x92\xbc\x02\xa1\x70\x5d\x99\x53\xa8\x41\x4d" + "\xb9\x5e\x1a\xaa\x49\xe8\x1d\x9e\x85\xf9\x29\xa8\xe3\x10\x0b\xe5" + "\x8a\xb4\x84\x6f\x11\xca\xcc\xb7\x3c\xe4\x9c\xbd\xd1\x20\xf5\xa9" + "\x00\xa6\x9f\xd3\x2c\x27\x22\x23\xf7\x89\xef\x10\xeb\x08\x9b\xdc", + .pub_b = "\x8d\x2d\x68\x8c\x6c\xf9\x3e\x11\x60\xad\x04\xcc\x44\x29\x11\x7d" + "\xc2\xc4\x18\x25\xe1\xe9\xfc\xa0\xad\xdd\x34\xe6\xf1\xb3\x9f\x7b" + "\x99\x0c\x57\x52\x08\x12\xbe\x51\x26\x41\xe4\x70\x34\x83\x21\x06" + "\xbc\x7d\x3e\x8d\xd0\xe4\xc7\xf1\x13\x6d\x70\x06\x54\x7c\xec\x6a", + .shared = "\x89\xaf\xc3\x9d\x41\xd3\xb3\x27\x81\x4b\x80\x94\x0b\x04\x25\x90" + "\xf9\x65\x56\xec\x91\xe6\xae\x79\x39\xbc\xe3\x1f\x3a\x18\xbf\x2b", +}; + +dh_test_vector_t ecp384bp = { + .group = ECP_384_BP, .priv_len = 48, .pub_len = 96, .shared_len = 48, + .priv_a = "\x1e\x20\xf5\xe0\x48\xa5\x88\x6f\x1f\x15\x7c\x74\xe9\x1b\xde\x2b" + "\x98\xc8\xb5\x2d\x58\xe5\x00\x3d\x57\x05\x3f\xc4\xb0\xbd\x65\xd6" + "\xf1\x5e\xb5\xd1\xee\x16\x10\xdf\x87\x07\x95\x14\x36\x27\xd0\x42", + .priv_b = "\x03\x26\x40\xbc\x60\x03\xc5\x92\x60\xf7\x25\x0c\x3d\xb5\x8c\xe6" + "\x47\xf9\x8e\x12\x60\xac\xce\x4a\xcd\xa3\xdd\x86\x9f\x74\xe0\x1f" + "\x8b\xa5\xe0\x32\x43\x09\xdb\x6a\x98\x31\x49\x7a\xba\xc9\x66\x70", + .pub_a = "\x68\xb6\x65\xdd\x91\xc1\x95\x80\x06\x50\xcd\xd3\x63\xc6\x25\xf4" + "\xe7\x42\xe8\x13\x46\x67\xb7\x67\xb1\xb4\x76\x79\x35\x88\xf8\x85" + "\xab\x69\x8c\x85\x2d\x4a\x6e\x77\xa2\x52\xd6\x38\x0f\xca\xf0\x68" + "\x55\xbc\x91\xa3\x9c\x9e\xc0\x1d\xee\x36\x01\x7b\x7d\x67\x3a\x93" + "\x12\x36\xd2\xf1\xf5\xc8\x39\x42\xd0\x49\xe3\xfa\x20\x60\x74\x93" + "\xe0\xd0\x38\xff\x2f\xd3\x0c\x2a\xb6\x7d\x15\xc8\x5f\x7f\xaa\x59", + .pub_b = "\x4d\x44\x32\x6f\x26\x9a\x59\x7a\x5b\x58\xbb\xa5\x65\xda\x55\x56" + "\xed\x7f\xd9\xa8\xa9\xeb\x76\xc2\x5f\x46\xdb\x69\xd1\x9d\xc8\xce" + "\x6a\xd1\x8e\x40\x4b\x15\x73\x8b\x20\x86\xdf\x37\xe7\x1d\x1e\xb4" + "\x62\xd6\x92\x13\x6d\xe5\x6c\xbe\x93\xbf\x5f\xa3\x18\x8e\xf5\x8b" + "\xc8\xa3\xa0\xec\x6c\x1e\x15\x1a\x21\x03\x8a\x42\xe9\x18\x53\x29" + "\xb5\xb2\x75\x90\x3d\x19\x2f\x8d\x4e\x1f\x32\xfe\x9c\xc7\x8c\x48", + .shared = "\x0b\xd9\xd3\xa7\xea\x0b\x3d\x51\x9d\x09\xd8\xe4\x8d\x07\x85\xfb" + "\x74\x4a\x6b\x35\x5e\x63\x04\xbc\x51\xc2\x29\xfb\xbc\xe2\x39\xbb" + "\xad\xf6\x40\x37\x15\xc3\x5d\x4f\xb2\xa5\x44\x4f\x57\x5d\x4f\x42", +}; + +dh_test_vector_t ecp512bp = { + .group = ECP_512_BP, .priv_len = 64, .pub_len = 128, .shared_len = 64, + .priv_a = "\x16\x30\x2f\xf0\xdb\xbb\x5a\x8d\x73\x3d\xab\x71\x41\xc1\xb4\x5a" + "\xcb\xc8\x71\x59\x39\x67\x7f\x6a\x56\x85\x0a\x38\xbd\x87\xbd\x59" + "\xb0\x9e\x80\x27\x96\x09\xff\x33\x3e\xb9\xd4\xc0\x61\x23\x1f\xb2" + "\x6f\x92\xee\xb0\x49\x82\xa5\xf1\xd1\x76\x4c\xad\x57\x66\x54\x22", + .priv_b = "\x23\x0e\x18\xe1\xbc\xc8\x8a\x36\x2f\xa5\x4e\x4e\xa3\x90\x20\x09" + "\x29\x2f\x7f\x80\x33\x62\x4f\xd4\x71\xb5\xd8\xac\xe4\x9d\x12\xcf" + "\xab\xbc\x19\x96\x3d\xab\x8e\x2f\x1e\xba\x00\xbf\xfb\x29\xe4\xd7" + "\x2d\x13\xf2\x22\x45\x62\xf4\x05\xcb\x80\x50\x36\x66\xb2\x54\x29", + .pub_a = "\x0a\x42\x05\x17\xe4\x06\xaa\xc0\xac\xdc\xe9\x0f\xcd\x71\x48\x77" + "\x18\xd3\xb9\x53\xef\xd7\xfb\xec\x5f\x7f\x27\xe2\x8c\x61\x49\x99" + "\x93\x97\xe9\x1e\x02\x9e\x06\x45\x7d\xb2\xd3\xe6\x40\x66\x8b\x39" + "\x2c\x2a\x7e\x73\x7a\x7f\x0b\xf0\x44\x36\xd1\x16\x40\xfd\x09\xfd" + "\x72\xe6\x88\x2e\x8d\xb2\x8a\xad\x36\x23\x7c\xd2\x5d\x58\x0d\xb2" + "\x37\x83\x96\x1c\x8d\xc5\x2d\xfa\x2e\xc1\x38\xad\x47\x2a\x0f\xce" + "\xf3\x88\x7c\xf6\x2b\x62\x3b\x2a\x87\xde\x5c\x58\x83\x01\xea\x3e" + "\x5f\xc2\x69\xb3\x73\xb6\x07\x24\xf5\xe8\x2a\x6a\xd1\x47\xfd\xe7", + .pub_b = "\x9d\x45\xf6\x6d\xe5\xd6\x7e\x2e\x6d\xb6\xe9\x3a\x59\xce\x0b\xb4" + "\x81\x06\x09\x7f\xf7\x8a\x08\x1d\xe7\x81\xcd\xb3\x1f\xce\x8c\xcb" + "\xaa\xea\x8d\xd4\x32\x0c\x41\x19\xf1\xe9\xcd\x43\x7a\x2e\xab\x37" + "\x31\xfa\x96\x68\xab\x26\x8d\x87\x1d\xed\xa5\x5a\x54\x73\x19\x9f" + "\x2f\xdc\x31\x30\x95\xbc\xdd\x5f\xb3\xa9\x16\x36\xf0\x7a\x95\x9c" + "\x8e\x86\xb5\x63\x6a\x1e\x93\x0e\x83\x96\x04\x9c\xb4\x81\x96\x1d" + "\x36\x5c\xc1\x14\x53\xa0\x6c\x71\x98\x35\x47\x5b\x12\xcb\x52\xfc" + "\x3c\x38\x3b\xce\x35\xe2\x7e\xf1\x94\x51\x2b\x71\x87\x62\x85\xfa", + .shared = "\xa7\x92\x70\x98\x65\x5f\x1f\x99\x76\xfa\x50\xa9\xd5\x66\x86\x5d" + "\xc5\x30\x33\x18\x46\x38\x1c\x87\x25\x6b\xaf\x32\x26\x24\x4b\x76" + "\xd3\x64\x03\xc0\x24\xd7\xbb\xf0\xaa\x08\x03\xea\xff\x40\x5d\x3d" + "\x24\xf1\x1a\x9b\x5c\x0b\xef\x67\x9f\xe1\x45\x4b\x21\xc4\xcd\x1f", +}; diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/modp.c b/src/libstrongswan/plugins/test_vectors/test_vectors/modp.c new file mode 100644 index 000000000..482e41c36 --- /dev/null +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/modp.c @@ -0,0 +1,731 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the Licenseor (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be usefulbut + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +/** + * As I couldn't find any test vectors for common MODP diffie hellman groups + * these have been generated. + */ + +dh_test_vector_t modp768 = { + .group = MODP_768_BIT, .priv_len = 32, .pub_len = 96, .shared_len = 96, + .priv_a = "\x60\x91\xff\xc6\xde\x28\xc1\xcc\xc7\xc6\x5d\xa6\x11\xab\xfa\xe8" + "\x6a\x10\x74\xb2\x22\x43\xe3\x70\x6c\xb6\xde\x2f\xe2\x9d\x11\x42", + .priv_b = "\x76\xe0\x2f\xc3\xea\xbe\x6a\x0f\xce\xd6\xc3\x1e\x59\x45\xd1\x67" + "\xfa\xd0\x02\x00\xb4\xaf\x12\xcd\x6f\xc6\xd7\xe3\x81\x48\x62\x78", + .pub_a = "\xd7\xa2\x54\x62\x99\x01\xc8\x89\x53\x2c\x3e\x44\xda\x3d\x0b\x7e" + "\x92\x27\x37\x70\xc6\x26\xc3\x91\x90\x52\x2d\xab\x67\x07\xca\xff" + "\x36\x59\x10\x9f\x2f\x43\x24\xa4\x17\xeb\x7d\xc4\x56\x3a\x09\xba" + "\x04\xcd\x3c\x9b\x27\xd3\xc1\x22\x7e\xb1\x9d\xcb\x69\xfe\xf3\xb6" + "\xe2\xaa\x13\x81\x23\x24\x06\x64\x2d\xd1\x50\x78\x57\x07\xf4\x7c" + "\x3d\x74\x8a\x3d\x6b\x96\xd0\x00\xc5\x2c\x99\xd1\x0b\x65\xf2\xd1", + .pub_b = "\xf0\xe9\xdc\x78\x10\x4c\x97\x99\xb6\x70\x74\xb0\x7d\x8f\x09\x7a" + "\xa8\x82\xbd\xe4\x64\xc8\xeb\x9a\x0a\xcd\xef\x13\x86\x19\x4f\x49" + "\xc0\x63\xc6\x7d\x68\xf1\x4c\x5e\x3b\x04\x19\x57\x67\x8e\xa7\xcb" + "\x39\x7d\x87\x07\x20\x81\x9e\xa1\x08\x5a\x28\xd8\x13\xe3\x73\x9a" + "\x64\x00\x6f\x24\x66\xe8\x6c\x09\xe0\xc6\x9c\x2c\xa4\xf1\x0a\x04" + "\xc4\x9b\xb3\x01\x86\xbd\xfa\xb5\x4d\xf4\x20\x83\x14\xd9\x3c\x52", + .shared = "\x29\xcb\x14\x7d\x2a\x2b\x0d\x02\x59\x4d\xb0\x7b\xf0\x44\x70\x5c" + "\xb1\x44\x89\xd0\xf0\xa9\x32\xcc\x87\xf6\x04\x05\x1d\x1c\xb6\xe2" + "\xbe\x90\x39\x16\xe2\x5c\x65\x39\x93\xc8\x05\x5e\xd4\x37\x6c\xa4" + "\xdb\xa8\x40\x12\x39\x1a\x92\xa3\xf3\x42\x64\xaf\x64\x1f\xd8\x18" + "\xe1\xba\x4e\x99\x34\x30\x09\x97\xd7\x32\xd7\x0d\x0d\x73\x73\xcd" + "\x3d\xaa\xad\x22\xe8\x68\xb7\xe2\x50\x02\x9d\x30\x7e\xe5\x41\x48", +}; + +dh_test_vector_t modp1024 = { + .group = MODP_1024_BIT, .priv_len = 32, .pub_len = 128, .shared_len = 128, + .priv_a = "\xe5\x3c\x20\x5d\xa0\xd8\xe4\xbf\xb4\x17\x49\x44\x32\x0f\xc6\xe4" + "\xea\x66\xfe\x44\xe3\xc9\x31\xac\x5d\xa1\x45\x0a\xea\x47\xeb\xcf", + .priv_b = "\x7f\x9a\xf7\x21\xeb\x7c\xd2\xa9\x00\xa3\x6e\x39\x9e\xbc\x5c\x65" + "\xee\xcc\xe6\x62\x9c\x8e\x1c\x5a\x7f\xf3\x32\x93\x64\x5f\xd3\xe3", + .pub_a = "\x66\x61\x7c\x9b\xbe\x91\xee\x99\x00\xd8\x06\x41\x5b\x73\x84\xec" + "\xb0\xb6\xb8\x0a\x39\xbd\x5b\x07\x03\x96\xee\x32\x37\x5a\x8f\x68" + "\x37\x6b\x35\x2b\x97\xba\xf3\x2f\x95\xc4\xd1\x8c\x06\xab\x96\xbf" + "\xe3\xf3\x75\x2d\xf1\xe3\xc5\x57\x41\xb6\xf4\x24\x41\x17\xee\xbd" + "\xa1\x01\x59\x83\xc6\xba\x00\x8f\xe8\x9f\xe5\x1c\xf4\xc9\x69\x25" + "\x92\xeb\xf7\x42\x43\x6c\x39\x3d\xf6\x1a\x60\xcc\xc6\x4f\xd7\x90" + "\x7a\x6d\x26\x26\x7c\x0f\x15\x56\x23\x0c\x3e\x33\x2b\x2e\x11\xd1" + "\x18\xa6\x98\x25\x89\x79\x3a\x2f\x6d\x66\xb8\x66\x76\xba\xe4\x7a", + .pub_b = "\x7b\x90\x10\x60\x9e\xbf\x2c\x49\x70\x17\x45\x8a\xfa\xab\x42\x02" + "\x88\x5d\x25\xde\x7b\x5e\x5c\xe9\xb0\x5b\xd4\x42\xa3\xe9\x7b\x52" + "\xce\xa7\x60\xd7\xdb\xcb\x21\xdd\x71\xd8\x0c\xd4\x34\x7c\xaa\x9e" + "\xdf\xbc\x2d\xf4\xc1\xcd\xc1\x66\x9b\x8a\xd2\x44\xeb\x34\x5b\x33" + "\x1d\x87\x54\x92\x88\x3d\xf0\x4a\x3d\x0b\x1a\x8b\x89\x27\xd5\x09" + "\x91\xfe\x03\xe7\x35\x7e\xb6\xbd\xfc\xe3\xd8\xc6\x84\xc9\x86\x1b" + "\xc5\xce\x03\x96\x2f\xfb\x87\xbf\x05\xda\xbd\x5a\x37\x27\x99\x4d" + "\xde\xe5\xd3\xc6\xec\xc5\x89\x85\x99\x91\xb9\x32\x55\x76\x1f\xd5", + .shared = "\x95\x79\x0f\x5c\x46\xae\x7c\xa1\xa4\x71\xdd\x78\x6a\xa8\xe4\x44" + "\x07\x3e\xce\xc9\x69\x5d\x00\x46\x20\xcd\x7c\x9d\x36\x09\xa6\x97" + "\x3c\x89\xa2\x30\x75\x09\x35\x63\x8b\x86\xd1\xe6\x5b\x27\xb7\x84" + "\x88\x81\xf9\x01\x3a\xbd\x03\x62\x80\xd1\x86\x2b\xb0\x3c\xa6\x0b" + "\xa9\x0b\x70\xf9\xae\x7e\xdf\x71\xff\x80\xf5\xa7\xee\xfb\xe2\x67" + "\x29\xb5\xbb\xb1\xbb\x1f\xeb\x0d\x24\x0e\x53\xc9\xd7\x4b\x4f\xe9" + "\xd2\x62\xb5\x3b\xd5\xd8\xa7\x38\x3f\x90\xf0\x1e\x35\x96\x47\xd0" + "\x48\x02\xd7\x4a\x4f\x75\x3b\x29\x4a\x96\x50\x3f\x26\x05\xd3\xf1", +}; + +dh_test_vector_t modp1536 = { + .group = MODP_1536_BIT, .priv_len = 32, .pub_len = 192, .shared_len = 192, + .priv_a = "\x22\xd9\xdc\xc7\x30\x79\x93\x6a\x85\x8c\x07\xaa\x85\xed\x07\xb3" + "\xd1\xe8\xb6\x70\xe7\xca\xaf\xa1\x92\x83\x76\x96\x07\x0f\xef\x29", + .priv_b = "\x32\x34\x74\xde\x77\x88\xe0\x03\x6b\x30\x95\x49\x56\x0b\x00\x0d" + "\x81\xf8\x2f\xdb\x69\x78\xf3\xc0\x3b\x70\x16\x80\xde\x6e\x28\x10", + .pub_a = "\x3d\x7d\x1d\xd1\xbc\xa7\x13\x7a\x64\x23\x73\xd5\xd9\xb8\x6e\xf9" + "\x95\x84\x9e\xa5\x1c\xb6\xcd\x51\xa6\xb9\x3e\x83\xb3\x4f\x96\x7d" + "\xbf\x7d\x66\xbc\x7c\xe5\xd9\x58\xbf\x01\x90\x2b\x60\xf1\xc3\x07" + "\x6c\xfe\x14\x7b\xeb\x45\xf0\x83\x97\xcf\xf4\xc3\xa8\x02\x7c\xaa" + "\xe1\x84\x78\x8e\xf3\xeb\x0d\xd5\x6e\x14\xc6\xdd\x2c\xe9\x54\xe3" + "\xd5\xcc\x80\xdb\x84\xde\xb5\x34\xce\x38\x24\x45\xe7\xa4\x41\xdb" + "\x97\x12\x30\x02\x0a\x1a\x45\xca\x00\x70\xd6\x94\xf0\x93\xc7\x16" + "\xd8\x07\x68\x33\x6e\x61\xb5\x6f\xf7\x8b\x35\x09\x39\xfe\x4e\x9e" + "\x03\x2c\x85\xbb\x58\x81\xc4\xc8\xd7\xdb\xd5\x30\xa6\xfc\x50\x13" + "\x00\xf7\xe9\xe6\x5b\xff\xb9\x83\x34\x8a\xd0\x5c\xc5\x6e\x2c\x19" + "\xf5\x97\xa9\x9f\xb9\x68\x91\x4b\xe9\xb5\x7a\xcf\x91\x11\xe7\x5b" + "\x57\x6a\x61\x37\x67\x15\x76\x57\x90\x0d\xcf\x22\xf4\x20\x0c\x3d", + .pub_b = "\xd6\x32\x58\xd5\x54\x35\x3d\x6b\x2b\xcc\x0b\x53\x53\xfa\x80\x00" + "\xb3\xa3\x54\xa2\x41\x1d\x7f\x17\xab\xca\x69\x1d\xe8\x22\x7c\xd7" + "\xd4\x3e\x7f\xef\x8b\x3e\xe7\xa0\xa9\x1a\x66\x3d\x30\xc5\x4f\x3c" + "\x5f\x4b\x95\xc9\xfe\x38\xc6\xcf\x19\x39\xb4\x80\x2b\xb6\xf0\xa9" + "\x51\x12\x8f\xdc\x39\x1d\x90\xfa\x8b\x40\x48\x4f\x45\xb6\xda\x02" + "\xc7\x6c\xf9\x1b\x43\x31\xc4\xcf\x78\x51\xe5\x50\xa2\xd1\xc0\x25" + "\x53\x14\x03\xe0\x40\x3a\xf4\x72\xb3\x83\x41\xdc\x56\x2b\xe9\x8d" + "\x1a\xa2\x80\x49\x4d\x62\x64\x31\x6a\x6f\x77\x4c\xe0\xee\xd4\x01" + "\x57\xb6\x37\xc5\x4e\x69\x50\x3b\xec\xb8\xf0\xd7\x57\xb2\x86\xe4" + "\xd8\x43\xc2\x24\x21\x9a\x92\x3f\x73\xab\x57\x83\x15\xaf\x44\x5a" + "\xfa\xd9\x56\x9d\xf2\x5a\xcf\xca\x3a\x9f\x7c\x93\xd3\x03\xf4\xef" + "\x24\x32\xbf\x62\xce\x52\x5c\x8a\x56\xba\xbd\x2f\xfb\x54\x38\x32", + .shared = "\x6e\x3d\xf6\xe2\x52\xba\x11\x53\xca\x45\xe9\xa8\xbb\xe5\x48\x33" + "\x7b\x69\x57\x2a\xff\x4e\x61\xb4\x6e\xc9\x86\xb8\x70\xa8\x63\xd3" + "\x85\x3a\xb9\xa5\x4d\x9c\x63\x2a\x09\x48\xce\x8c\x65\xf1\xa2\x9b" + "\x06\x7a\x14\x51\x19\x8d\xab\x9f\x24\x77\x6e\x86\x42\x5a\x06\xbd" + "\xaa\x9f\x26\xdc\xe9\xe8\x9e\x36\x8d\x0e\x16\x70\x27\x74\x01\x5a" + "\x14\x30\xaa\xa1\xe8\x33\x22\x7f\x9d\xea\x7a\x58\x18\xce\x47\x43" + "\x20\xb3\x9c\xe8\x67\xca\x79\xa4\x9b\x31\xe6\xab\xce\xa6\xc8\xda" + "\xff\x00\xb8\x06\x4e\x2a\x75\x73\x72\xd4\x0d\x58\xa5\x92\xe7\xa2" + "\xde\xb1\xf9\xa0\xd9\xab\xab\x1f\xc0\x81\x2e\xe1\xff\xa6\x2a\x20" + "\xff\x68\xce\x4d\x02\xac\xb8\x4a\x1a\x03\x3d\x03\xe4\xf0\x5e\x97" + "\xa4\xfa\xd8\x9e\xc2\x3a\xee\x34\x9e\x26\x4e\xfa\x61\xae\x59\xe9" + "\x38\x1b\x1e\x5b\x7a\xa5\xd0\x9a\xb6\x6b\x74\x99\x7c\xba\xed\x20", +}; + +dh_test_vector_t modp2048 = { + .group = MODP_2048_BIT, .priv_len = 48, .pub_len = 256, .shared_len = 256, + .priv_a = "\xaf\x3b\xfd\x38\x62\xca\xa1\x17\x74\xce\x2b\x74\x84\x08\x07\xc1" + "\xde\x5c\xd6\xa7\x61\x9b\xb3\xa0\xc7\xaf\x39\xee\xda\xa6\xeb\x89" + "\xe2\xe9\xc1\x44\xb3\x62\x5b\x27\x31\x87\x9c\xb5\x8f\xa3\x76\x6d", + .priv_b = "\x77\xa4\x8e\x47\x72\xe2\x3e\x28\x4c\xe4\xaf\x81\x39\x9d\xcd\x58" + "\x9b\xeb\x7c\xef\xbc\xc9\xd1\x96\xf0\x6d\xcf\xdf\xc3\xa8\x8e\x3b" + "\x4c\x1c\x82\xbe\xfe\xc0\xe6\x4b\xa4\x95\xcc\xde\x32\x99\x36\xce", + .pub_a = "\x1a\x27\xc5\xa7\x23\x7a\xe8\xfe\x0a\x71\xc0\xaf\x64\x94\xfa\xec" + "\xcd\xd4\xa5\x03\x1d\x47\xa1\xa6\xb7\x16\x2d\xfc\xdf\x03\xbb\x17" + "\xb7\xbb\x08\x9b\xd6\x52\xa5\xf3\x1b\x36\x61\xbb\x11\x4d\x7c\x48" + "\xd8\x3d\x24\x4f\x46\xdb\x64\x87\x0c\x9c\x83\x27\xf1\xa8\x30\xab" + "\xf5\x31\xe5\x18\xdd\x52\x1a\x2e\x94\xe7\x06\x1e\x94\x42\x09\xba" + "\x53\x31\x01\x2b\x3d\xff\x00\x84\x9e\xaa\xb5\x8c\x7c\x7a\xf1\x52" + "\x65\x21\x0f\xbc\xf0\xf8\x7b\x9d\xd9\x32\xf8\xba\x4e\x9a\x9f\x91" + "\xb6\x32\x94\x53\x0a\x12\x00\xb8\x8b\x3a\x03\xe1\xa0\xc7\xfd\x34" + "\xde\xec\x6f\xad\x50\x1e\xde\x06\xce\x7e\xc9\xe2\x91\xd4\x7b\x69" + "\xb3\xa4\xb6\x1b\xb0\x87\x63\xb6\xd4\x6b\xfb\xda\xb9\x7b\xde\xce" + "\xa0\xff\x09\xa8\x72\x22\x1f\xb4\xb6\xcc\xca\x6b\x5c\x6f\xaa\xd8" + "\xeb\x87\x3b\x9a\x2f\x39\xb6\x3e\x62\xcf\xad\xd4\x76\x07\xe6\x8e" + "\x2c\x29\x05\x83\xf7\x26\x8f\xb4\x3f\xc0\x0a\x7d\xc8\x81\x0e\xcd" + "\xac\x1a\x59\xbd\x1b\x47\x7a\xaf\x41\xcb\x4b\x24\xad\xa3\xe5\xf7" + "\xb8\xcb\x98\x6f\x1a\xe4\x76\xaf\xc7\x67\x7a\xa6\x25\x70\xa1\xb1" + "\x83\x8d\xda\x26\xbe\x78\x63\xee\x2f\x40\xb5\xe5\x38\xa4\xe1\x81", + .pub_b = "\x66\x72\x82\x31\x8d\x65\xcb\x05\xcd\x32\x3c\x25\x09\x1e\x66\x4c" + "\xc7\x5a\x3a\x20\xc0\x14\xb2\xf6\x38\x9d\x3b\x27\xf5\xc1\xe9\x08" + "\xe0\xd4\x0f\xf8\x55\x2b\xd5\x87\x75\x25\x50\x30\x22\x85\xb4\x9f" + "\x75\xf8\xff\xae\xc9\x37\xfb\x2e\x69\xc8\x15\x0f\x88\xd6\x50\x8b" + "\xf0\xfb\x1f\x16\xe9\x67\x6f\x5e\xcf\x71\x8f\x87\x4f\x3d\x8d\xe3" + "\xc8\x68\x87\x49\xdb\xcf\x1a\xff\xd4\xd6\x2f\xf9\xea\x5d\x9e\x30" + "\x35\xb2\xce\x4a\x6e\xae\x28\x1c\x40\x8f\xc8\x08\x4a\xe2\x35\xd9" + "\x98\xa0\x37\x61\x0a\x8c\xb4\x8c\x87\x8c\xd0\x63\x5f\xa1\x36\x9f" + "\xc9\x0b\x86\x4c\x53\x23\x67\x38\x45\x97\xfd\xee\xfd\xb6\x74\x2b" + "\x00\x6a\xde\xda\xe2\x01\x5b\xc4\xce\x2f\x9c\x54\x51\xc9\x63\x6a" + "\x16\xed\x7d\x10\xb4\xe4\x0d\x82\x5b\x50\xaa\x76\x33\xa0\xe8\xfb" + "\x81\x3b\xeb\xc0\x49\xf7\xff\x6a\x71\xec\xfb\x14\xe8\x80\xf5\x09" + "\xd3\x8b\x57\x1a\x80\x98\x08\xa4\x96\xb4\x51\xb5\xb5\x56\x7a\x36" + "\x08\xb0\x1a\x22\xe4\x99\x83\x55\xf1\x81\xb8\x79\xde\x26\x23\x04" + "\xf2\x9d\xe1\x42\xff\x5e\x52\xcc\x56\x4f\x3a\x2d\x1e\x84\xa0\xc3" + "\x3d\x8f\x3d\xa7\xbf\x64\x12\xb3\xf0\x18\xe0\x0d\x90\xfa\x5b\x94", + .shared = "\x26\xf9\xe8\x45\x7c\xf2\xd7\xd5\x6d\xd8\x19\xc2\xa8\x67\xd7\xc3" + "\xa9\x0a\xa2\xb9\x44\xe2\x0b\x8b\xde\xd3\xa5\xbf\x91\xaa\x1f\xf8" + "\x1a\x7e\xa8\x9d\x52\x4c\x36\x5f\x38\x23\x51\x08\x35\xcd\x86\x44" + "\xc4\xd5\xda\xcf\x89\x3e\x61\x0d\x2c\x1a\x14\x06\x16\xd1\xc8\xc1" + "\xd3\x5f\x46\xde\x2c\x5f\xaa\xd9\xae\xce\xc6\xb6\x77\xac\xd9\x84" + "\x09\x81\x42\xa8\xaa\x0c\x85\x42\xe9\xac\x98\xb3\xbc\x7b\x57\x7c" + "\x59\xb8\xec\x53\x34\x6e\x15\x67\xa9\x00\x39\xac\x92\xb2\x24\x63" + "\x5a\xb2\x16\x73\x1b\x06\x35\x39\x25\x64\x2c\x33\x0a\x20\x1b\xa4" + "\xb3\x12\x84\xa9\x51\x58\x60\xf3\x5e\x93\x08\xf5\x51\x5a\x77\x99" + "\x84\xfb\xd9\xf5\xce\x41\x77\xdb\x78\xd1\xcb\x03\x84\xb6\x3c\x73" + "\x9c\x6d\x74\x4a\xd7\xa7\x00\xb9\x5a\x53\x1b\x29\xf3\xb7\x44\xed" + "\x38\xe6\x9a\xee\x67\x07\x2c\x45\xa9\x1c\xee\x6b\x14\x21\x5e\x04" + "\xf2\x7c\x31\x35\x8c\x86\xdc\xe4\x48\xd6\x0a\x22\x3b\xdc\x55\x4e" + "\xda\xa3\xe4\x07\x2e\xf6\x03\xa0\xf4\x61\x9f\x8d\xb3\x9c\xec\x29" + "\x1c\x86\x01\x74\x15\x5d\x8a\xbf\x9e\x10\x82\x93\x1d\xf5\x8e\xd9" + "\xee\x9c\x12\x15\xdd\x23\x93\xde\x02\xf5\xc1\x76\x7f\x07\x0e\x28", +}; + +dh_test_vector_t modp3072 = { + .group = MODP_3072_BIT, .priv_len = 48, .pub_len = 384, .shared_len = 384, + .priv_a = "\x51\xf8\xaa\xb6\x63\x20\x1e\xb2\x86\xba\xd2\x99\x32\xb2\xe5\x8a" + "\x92\x96\xbf\x2a\xa7\x78\x79\xcc\x8c\x64\x29\xd5\xa6\x68\xad\xf7" + "\x60\x57\xad\xc3\x77\xcc\x75\xfd\x86\x47\x96\xb8\xfa\x7b\x42\x8c", + .priv_b = "\xaf\x7f\x44\x29\x0b\xaa\xc8\x81\x5e\x70\x75\x9b\x6b\x27\x42\x27" + "\x12\x22\x50\xea\x8d\x5a\x12\xef\x4b\x0a\x82\xcf\xe9\x1d\x52\x98" + "\x9d\x96\xc1\xa8\x40\x89\x2a\x9f\xfa\x9f\x3a\x65\xc7\x7c\x8c\xd9", + .pub_a = "\xae\x98\x27\xa0\x7a\x37\x2e\x16\x01\x67\x20\x63\x72\xc5\x5b\x61" + "\x5c\xd4\x9e\x8c\x43\xf7\x1a\x6e\x6b\x22\x83\x8c\x0f\x9b\x9d\x90" + "\x3a\xe5\x97\x97\xf3\x95\xc9\xca\x7c\x78\x0f\xa8\x8d\x79\x27\xa3" + "\xac\x48\xf1\xb5\x05\xe6\x7a\x0d\xb1\xeb\xad\x57\x8e\xb1\x57\x2b" + "\x86\x52\x5e\x84\x0c\x4c\xe2\x43\x5e\xd4\xcd\xe1\x75\x68\xa2\xcb" + "\x27\x08\x85\xc9\xd3\xa7\x24\xf8\x73\x46\xe5\x19\xa9\x47\x84\xee" + "\x88\xaf\xec\x27\x86\x68\x9f\x0b\xc1\x23\xe0\xe4\x65\x79\x57\xb4" + "\xf7\x5f\x24\xb5\x2d\xd4\x80\x39\x09\x3a\xe8\xeb\x5d\xa4\x0d\x1e" + "\x31\xfc\x53\xfd\x98\xa0\x58\xb0\x38\x9b\xd5\xc7\xaf\x5b\x0d\xf4" + "\x49\xd6\x13\x90\x1c\xa2\x71\xb5\x8e\x47\x0f\x88\xd3\x45\x93\x1f" + "\x3f\x64\xe8\x1f\x03\x1d\xe9\x5a\xda\xef\x78\xf6\x0e\x64\x5e\xca" + "\x7d\xd5\x61\x8a\xa6\xed\xd3\x9f\xa8\x91\x22\x46\x39\xa9\xae\x42" + "\xa8\xa9\x37\x4d\x68\x3f\xd3\xf4\x82\x6b\x97\x4c\x8d\x00\x39\x2f" + "\x31\x12\x45\xa7\x1c\x86\xdb\x4e\xb5\xef\xc4\x78\x34\xce\x6b\xaf" + "\xb2\x08\xaa\xba\xc6\x8c\x35\xe3\x4f\x79\x15\x78\x40\x1c\x7b\x75" + "\x01\x15\xb1\x6e\x5c\x3a\xc3\x62\x42\xf4\xa9\x0a\x99\x73\x4c\x08" + "\x36\x8d\x48\xab\x5d\x50\xec\x92\xf3\xf1\x26\x7e\x54\xb9\x33\x34" + "\xa5\x0b\x00\xd7\x57\x1d\x1c\xeb\x1e\x66\x21\x58\xd5\x66\x36\x20" + "\xd1\xf0\x22\x8a\x64\xf4\x92\xea\x8e\x1f\xe1\x81\x7e\x35\x83\x57" + "\x7f\x1e\x48\xa5\x84\x91\xc1\x0d\x98\xff\xa0\xea\xa8\x64\x05\xd0" + "\x2c\x94\xb4\x9f\x99\xfd\xdc\x6a\x3b\x7b\xd6\xe3\xbc\xe2\x26\x1e" + "\xa3\xcb\xbd\x82\x1f\x49\x5a\x2a\xa7\x1a\xe9\x09\xb3\xcd\x0d\x2c" + "\x9b\xec\x0b\x06\x8b\xa7\x26\x20\xff\x06\x32\x4c\xdb\x80\x0b\xf8" + "\x56\x5e\x4b\x78\x21\x84\x61\x0e\xf0\x77\xbc\x4e\x8f\xc5\x17\xf7", + .pub_b = "\x2b\x27\x0c\x8e\x66\x74\x09\x31\x45\xef\x84\xab\x0c\x34\x56\x0f" + "\x5c\x4f\x94\x82\xa5\x0f\x2f\x44\x72\xfd\xe9\x87\xb4\x6e\xb8\x40" + "\x34\x02\x03\xd6\x31\x10\x2f\x2c\x7f\x9e\xb4\x8d\x20\x74\x44\xfb" + "\x21\x71\x7d\xaf\x76\xf6\x60\x04\xa7\x9e\xa8\xee\xe7\x7c\xc9\x80" + "\x19\xba\x12\x34\xf1\x6f\xbf\xf7\xdd\xa9\x45\xa4\x46\x81\x1d\x28" + "\x5d\x31\xaf\xd3\x31\xdf\xa8\x0c\x87\x0e\xfb\x19\x96\x68\xbb\x38" + "\x76\x18\xe1\x16\x21\xf5\x32\x92\x90\x8f\xd3\x29\xaa\xdb\x91\x63" + "\x5e\x47\x5f\x33\x00\x4d\x9e\xff\xca\x65\xe7\x3f\xdf\xe5\x58\xf3" + "\x4b\xa9\xee\xf3\xcf\x96\x1d\xab\x56\x5c\x5a\x72\x2a\xfb\x22\x8c" + "\x26\xbf\x38\xd3\x9c\x84\xf7\xca\x70\xf8\x51\xbf\x21\x8a\x7e\x2c" + "\x2d\xb5\xd3\x56\x93\x7a\x01\x5a\x65\x50\x31\x13\xf6\xc0\xd5\x2d" + "\x3b\x2a\x21\x21\xa0\xca\x42\xc6\xcc\xde\xbb\x0b\x2c\xfc\x68\xaa" + "\x66\x2f\x3e\x08\xdd\x69\x82\x42\x7a\x0a\x11\xb2\xe1\x44\xe0\xf1" + "\xa3\x47\xd1\xd2\x7f\xf8\x96\xee\x56\xf5\xd9\xfb\x25\xf7\x40\xb5" + "\xc7\x09\x88\xfc\xdc\x91\x12\xdf\xce\xa2\xde\x11\x7c\x12\x87\xd3" + "\x2d\xa8\x42\x70\x49\xce\xef\x09\x7b\xf4\x57\x81\x84\x6a\x02\x1d" + "\x38\x3e\x73\x1a\xa6\xe5\xc3\xdc\x0a\x46\x22\x6e\x54\xc5\xa6\x36" + "\x7a\xd8\x90\x0b\x8e\xad\xba\x54\x09\x3e\xc6\xf7\x1c\x29\x74\x4a" + "\xdc\x73\x02\xe8\x11\x85\xed\x80\xdb\x14\xb3\xe4\x3f\x29\x36\x1a" + "\xf4\xe6\x1c\x33\x1e\x5d\x77\x4d\x76\x17\xbf\x31\x55\x71\x3b\x0d" + "\x4f\x90\x38\x97\x6f\x2f\xf8\x51\x99\xc1\xd7\x0d\xcb\x3e\xfa\x2b" + "\x63\xe0\xc7\x7c\xee\x78\x9f\xa0\x05\x8f\xdf\x52\x67\xc6\xb1\xbd" + "\xed\xc1\xd1\xef\x47\xca\x08\x22\x2a\x9a\x27\xe6\x5f\x89\x2e\xef" + "\xde\x06\x12\xf4\x6b\x51\xbe\x1a\x14\x77\x4d\x45\x14\xd7\xe7\xca", + .shared = "\x45\x3c\xaf\x89\xd6\xbf\xf3\x9b\xda\xe1\x85\x46\x17\x61\xd6\xde" + "\xf5\x89\xa5\x82\x66\x9c\x1a\xc8\x6b\x0b\x7e\xe4\x69\x56\xc9\xf9" + "\x4d\x74\x77\xdd\xd8\x1c\xde\x12\x75\x76\xda\xeb\xd3\x52\x95\x15" + "\xf0\x6a\xa7\xdf\x5e\xb1\x31\x27\x67\x5c\xe1\xb4\xdc\xa2\xac\xb6" + "\x47\xe3\x55\x76\xb9\x40\x50\xbc\xc3\x85\xb3\xb4\x89\x44\xdd\x1e" + "\xca\xbe\x6c\x76\x70\x45\xcd\xcd\xdd\x3a\x1d\x65\x83\x8c\xcc\xb0" + "\x82\xf5\x44\xf0\xfd\x9b\xe6\xc3\xd4\xff\xe7\x55\xe4\xd5\x6d\xfb" + "\xb4\x20\x93\x52\x3f\x45\xd2\x41\x5e\xad\xf3\x6a\x18\x5c\x87\xa6" + "\xe0\x14\x27\xbb\xcc\x98\x95\x68\xa2\x93\x66\xb1\xc6\x91\x72\x4d" + "\x81\x0e\x99\xfb\x05\x83\x00\x26\x72\xa5\x3e\x49\x9f\xf2\x30\x4a" + "\x4b\xcc\x10\xa3\xb8\x0b\xf4\x8a\x9e\x31\x5b\xe9\x98\xbf\x17\x0c" + "\xe9\x0e\xc4\xeb\x87\x05\x57\x0e\x5e\xc4\x80\xc2\x1c\x4d\xd0\xa5" + "\x3a\x1c\xb2\x06\xa3\x42\x45\x2e\xa8\xa6\x84\xd5\x69\xd8\x10\xf8" + "\xe9\x8f\xea\xd7\x03\x9c\x64\xef\xef\x59\x35\x24\xf5\x07\x5c\xb8" + "\x7e\x75\x63\xa4\x2a\xd1\xb5\x78\x19\xc7\xb0\x19\x96\x3d\x07\x0b" + "\x4c\xef\xe2\x2c\x59\x6b\x3a\x96\xa8\xba\x41\xbd\xab\xe0\x54\xa9" + "\xa9\xb4\xd1\xc4\x27\x8a\x83\x64\xea\xd9\x96\xa0\x39\xe8\xbd\xdc" + "\x00\x60\x1e\xcf\x10\x2d\x20\xd6\xab\xce\xd2\xff\x19\x29\x49\xf5" + "\xf8\x1c\x36\xfb\x47\x96\x44\x39\xcd\x44\x03\x6a\x23\xac\x30\x86" + "\x8c\xa5\x23\x25\x84\x7b\x31\x00\xd3\xd4\x28\x16\x76\xbf\x94\x84" + "\xa0\x05\x66\xf1\x3b\x6a\xe8\x9c\x57\xb7\x73\x2f\x8e\x60\x43\x4e" + "\x8e\x48\x85\xcb\x1b\xf9\x47\xce\xd1\x4d\x31\x53\xe1\xb6\xc8\x1b" + "\x33\x12\x0f\xfb\xd8\x45\x94\x91\xd2\xc5\x78\xaa\xb0\xa9\x7e\x83" + "\xdc\x87\x87\x5b\xe5\x88\xc0\xcd\xee\xee\xfd\x19\xcc\x4f\x1d\x40", +}; + +dh_test_vector_t modp4096 = { + .group = MODP_4096_BIT, .priv_len = 64, .pub_len = 512, .shared_len = 512, + .priv_a = "\xab\x69\xbc\xe9\x61\xf9\x8a\xa9\xd5\x91\xe3\xfd\x9a\xbc\x46\xc8" + "\x0d\xde\x39\x02\x84\xf1\x91\x42\xe8\x81\x5a\xb0\x80\x54\x72\x2b" + "\xbd\x2e\x14\x1e\x27\x9e\xc7\xfd\x30\xaa\xfa\xca\x66\x40\x93\x73" + "\x1e\xcc\x75\xa2\xbd\x07\xe4\xa5\x88\x3f\x56\x08\x93\xc8\x33\x50", + .priv_b = "\xef\x3e\xcb\x88\xf4\xf9\x88\xf7\x2a\xcd\x5a\xa2\x2e\xbe\xbf\x19" + "\x0f\xde\x7e\x8e\x4d\x0d\x50\xcc\xde\x80\xf9\x41\xb3\xbb\xd6\xa2" + "\xf9\xa1\x2a\xee\x9b\xb3\xe5\xc5\x80\x3f\x67\xaf\xfe\x27\xc8\x0d" + "\x05\x46\x9b\x52\x54\xeb\x1f\x32\x6c\x18\x73\x1f\xd3\x4a\xc2\xcd", + .pub_a = "\x3e\xc6\x3c\x0c\x68\x32\x05\xc3\x9d\x4b\x97\x72\x39\xfe\x7f\x96" + "\x17\x56\x0b\x1a\x56\xc4\x7f\xd9\x07\x02\x6a\xd8\x09\x0a\xa4\x4b" + "\xcc\x29\xd3\xc2\xb3\x8d\x34\xe1\x5c\x9e\x14\xc8\x05\x81\xa5\xc4" + "\x83\x2f\x5c\xd8\x8e\x43\x73\xbf\x59\x0e\xad\x63\x6f\x68\xc8\x99" + "\x59\xdf\xeb\xc4\x33\x03\x48\x97\x4e\xc4\x80\x7c\xa4\x4f\xb7\xd4" + "\x4f\x02\xb7\x97\x70\x9e\x16\x0e\x3c\x0e\xc4\x06\x1f\x75\x9a\xec" + "\x63\xd9\x96\xd2\x37\x7a\x18\xdc\xc5\x94\xc2\x08\xfa\x83\x7a\xeb" + "\xc1\x68\x9d\x5c\x0a\xb4\x30\x5c\x1b\xbe\x86\xb1\xd4\xa1\x6f\x4c" + "\xb5\x25\xfc\xcc\xf1\x00\x6e\x21\x23\xc7\x76\xb1\xff\xd1\xfe\xa2" + "\x97\x7b\x1e\xac\x82\xd1\xee\xec\x4c\x46\x73\xa5\x17\xdb\xc4\x2e" + "\x0f\x89\x30\xdb\x28\xd8\xc8\xe8\xb4\x0f\x8a\x49\x8d\xa5\x83\x05" + "\x5c\x9c\x12\x35\x34\xcc\x2c\x53\x34\xd0\xbe\xbe\xa3\x76\x26\x78" + "\xd1\xf5\x34\xba\x64\x6f\x75\x22\xf2\x68\x57\xa0\xff\x28\x8f\x7e" + "\xfc\x38\xc1\xdf\xa0\xa6\x4c\x3e\xb5\x31\x64\xc1\x8f\x6c\x2a\x4e" + "\x51\x5c\x13\xc1\xb7\x39\x35\xd9\xbd\xb4\x58\x27\x33\x55\x34\x29" + "\x67\xa8\x54\xc7\x8b\x16\x8b\x58\x90\xf7\xfe\x08\xd0\x8c\x2e\x4a" + "\x6f\x16\x63\x32\x2e\x7b\x52\xef\x02\x17\xc8\x15\x13\x72\x2f\x34" + "\xc0\x95\x48\x02\xe4\x2c\xfb\x6c\x9e\xe9\xd2\xc3\x98\x68\x71\x1f" + "\x1a\xfc\x4e\x47\x78\x52\x2d\x9c\x45\x09\x0b\x26\x23\xf4\xaf\xa3" + "\x88\x42\x6b\x89\x75\x64\x05\x93\xbe\x79\x2b\xb8\xa7\x15\xbe\xf2" + "\xc4\x6c\x2c\x50\xa6\x8a\xa6\x30\x13\x8a\xb2\x6d\xf9\xda\xe2\xb0" + "\xe2\xc4\xeb\xc1\x0a\x86\x36\xda\xd9\xbe\x2f\xfb\x79\x19\xcd\x52" + "\x78\x85\x84\x3c\xb7\x6c\x71\xf2\x8e\x71\xf6\xf8\x23\xd9\x9c\x2f" + "\xe3\x1a\xd7\xfb\xcc\x9a\xbb\x24\xef\x26\x66\xa1\x21\xcc\xf2\x1f" + "\x88\x1f\xa6\x6a\xb7\x18\xba\xf9\x2b\xef\x5c\xec\xaa\xcf\x4c\x92" + "\x9c\x9c\xb5\x44\x24\xd1\x7a\xb7\x73\x8c\xa6\x80\x7b\x4e\xfa\x49" + "\x36\x0a\x3d\xb6\x52\x7c\x72\x4c\x45\x31\x62\x9e\x9d\xb1\x84\x5c" + "\x6a\x1e\xb4\x63\x2e\x0c\x07\xab\x6c\x31\x37\x7c\x80\x83\x70\x49" + "\x46\x44\xa3\x5b\xd4\x78\x5f\x49\x5f\x60\x63\x8b\x98\x81\x71\xde" + "\xce\x5d\x5c\x44\x90\x35\x7d\x02\x89\xb3\x94\x4b\xc9\xf7\x85\x4d" + "\xb8\x06\x97\xd5\xf6\x3b\xf3\xe3\x1d\xb4\x4e\xfb\x9a\x43\xe1\xdc" + "\x9d\x17\xee\x47\x01\x2d\xfb\xac\xfd\xaf\x4d\xeb\xfe\xf0\x8b\x5c", + .pub_b = "\x20\xb7\xb4\x5f\x69\xe2\xc3\x0b\xcc\xf8\x41\xca\xe8\x04\x2c\x36" + "\x35\x37\x25\x42\x05\x99\x33\x5f\xa2\xe8\x7b\xbe\x59\xce\xbb\xc7" + "\xa7\xd3\xf6\x1e\xb6\x69\x82\x50\x3a\x75\x76\xc3\x47\x63\xdf\xef" + "\x6a\x6b\x18\x0a\x93\xaf\x66\xe4\xf7\x2f\x12\xd5\x8c\x93\x84\x6d" + "\x16\x05\x58\xb0\xd3\x16\x03\x9f\x6b\xa9\x9e\xa6\x4f\x00\x5b\xa1" + "\x1e\x59\xf3\xa9\xcb\x99\x3d\x28\x27\x1a\x4f\xb8\x30\xc3\xf6\xc4" + "\xce\xb9\xb0\x16\x2c\xcc\xa1\x97\xff\x65\x15\x78\x9d\x43\x6c\x94" + "\x7e\xb5\xd8\x01\x09\x74\xeb\xcd\x36\x6b\xc4\x76\x83\x41\x09\x0a" + "\x6f\xb5\x5c\xa8\x4e\x31\xd2\x48\x9e\x35\x27\xa2\x60\x77\x6f\x9b" + "\x8a\x58\x57\x7b\xdc\xd6\x89\xd8\xe4\xb7\x25\x14\xcf\x15\xee\xa5" + "\xa4\x96\x29\xa2\xf2\xc4\x86\xc5\x1b\x5d\x14\xd4\x9b\x11\x93\x09" + "\xbf\xe9\xc9\x32\xb6\x04\xc6\xf1\xc0\xe9\x2c\x44\x8d\xc1\x9f\x54" + "\xf4\x21\x11\x2f\x28\x87\x23\x8c\x91\x37\xc5\x59\xb6\x9a\x93\xac" + "\xf3\x6c\xc1\xf0\xbd\xfe\x4c\xca\x0b\x60\x47\x71\xee\x2a\xf1\x7c" + "\x34\x04\x5d\x42\x29\xb2\xb8\x0a\xcd\xfb\x7f\x56\xe4\xea\xee\x81" + "\xed\x6c\x88\x5a\x2e\x45\xaf\xc9\x8d\xe1\x21\x2e\x5f\x71\x4f\x5f" + "\x00\x88\x12\xd7\x17\x06\x89\x6d\x2d\x5e\xd8\x59\x0c\xee\x66\x41" + "\x08\x79\xdc\x31\x95\xa9\x21\xef\xe0\x85\xdb\x41\xd6\x87\xec\x2d" + "\xe9\x06\xa8\x10\x33\x6f\xa7\x57\x0d\x43\x11\x2d\xec\xf9\xff\xa4" + "\xae\x50\xf5\x4f\xad\x3e\xec\x2b\xb3\xed\x86\xdd\xa3\x66\x2b\xc0" + "\xfc\x1c\x28\x94\xd4\xde\x7d\xa9\x26\x0f\x74\x73\xbe\x67\x6d\xbf" + "\x60\x90\x33\x32\x0d\xba\xa4\x91\x72\x0c\xe2\xd3\x5d\x07\x8d\xbd" + "\xde\x84\x5b\x4a\x49\x5a\xd2\xec\xc2\xe6\xda\x5f\x1c\x0c\x89\x20" + "\xe4\xea\x0e\xcc\xa0\xe0\x77\xda\xc5\x9b\x97\xf0\xe9\x4b\x6c\xca" + "\xd3\xf4\x2a\x34\xb6\x63\x4e\xde\x83\xb2\x9d\x9c\x76\x15\xf7\x41" + "\x90\xdf\x33\xb2\x0e\x7d\x69\x08\xd6\x63\x69\x8a\xdb\x8a\x2d\xac" + "\xd9\x79\xf1\xca\x13\xf2\xcc\x84\x02\xf8\xf6\xcb\xf9\x11\x92\xf1" + "\x11\xdd\xf5\xad\x29\x39\x05\x95\x54\xac\x47\xb4\x78\x74\x7b\x78" + "\xa2\x71\x92\x97\xae\xda\x20\xe3\xd8\x53\x38\x26\x9b\x30\x80\xfc" + "\x3f\xd7\x8d\xe4\xac\xf3\x4e\x09\x47\x7a\x61\xca\xc7\xc1\xb7\xdc" + "\x76\x94\xed\x14\x1a\x51\x48\x0e\x6b\x2b\x43\xc0\x25\x56\xe8\xa8" + "\x49\x7c\x4f\xca\x56\xf7\xfd\x56\xc8\xeb\x36\xa1\xf8\xc3\xd1\x24", + .shared = "\x23\xb0\x6f\x49\x39\x60\x9b\x0f\x67\x08\x85\x2d\x4f\x87\xb3\x56" + "\x98\x8f\xb4\x5b\x1e\x4c\x95\x1b\x0b\x1d\x59\xbb\xa8\xca\x8b\x60" + "\xc2\x55\xa1\x8f\x37\x55\xa6\xdb\x05\xe4\x28\x5f\xe8\xf1\xf9\xd2" + "\x6a\xdd\x24\x14\x19\xf0\xfc\xa9\x82\x37\xfd\x7a\x5e\x52\x6d\x57" + "\xab\x5a\xd0\x69\xc3\xf1\x89\xf3\xc2\x91\x50\x11\x44\xa6\x55\x14" + "\xa5\x66\xb7\x4d\x0d\xc6\x41\x9c\x13\x06\xcf\xbf\xf3\x5d\xbe\xb4" + "\x3a\xbd\x5e\xd3\x9c\xe1\x37\x53\xb2\x8a\xe5\xe1\x05\xf7\x19\x1b" + "\xc6\xd7\x0a\xc3\x55\x2c\x82\x37\x3c\x6b\xd9\xdb\x8e\xd5\xee\x15" + "\x46\xfd\xb5\x49\x9a\xe7\x0a\x6b\xcb\xd1\x85\x9a\x31\xec\x43\xdc" + "\xcf\x05\x52\x5e\xe4\x0c\x94\x98\x87\xdd\x81\x68\xae\x29\xcc\x53" + "\x7a\x6f\x57\xa5\x26\xf4\x25\xdd\x07\x5f\x39\xd6\xee\x71\xcb\x49" + "\x7a\x57\x1f\xe5\x79\x58\xc7\xde\x32\x1d\x64\xf4\xe4\x89\x22\x43" + "\xe7\x8f\xef\x47\xb3\x31\xa6\x76\x84\x49\x89\x19\x1f\x97\xad\xf7" + "\x91\x32\x60\x7a\x14\x8f\x19\x3c\x7d\xd5\xe6\xd5\x99\x25\x7e\x1b" + "\xf1\x21\x93\x24\x68\xdb\xbe\x21\x60\xc9\x7a\xf0\x3f\x9d\x1b\x19" + "\xb1\x6b\x4f\x8f\xec\x5d\xcb\xc7\x98\x34\x4a\x87\xdb\xd4\x02\xa6" + "\x26\x6e\x10\xc0\xe8\xa7\x22\xfe\x9f\x67\xe8\x63\x6c\xb0\xa7\x3e" + "\x22\x4d\x53\x23\xde\x9b\x7f\xa7\xc6\x6c\x62\xa1\xf4\x00\x42\x04" + "\x1c\xba\xde\xf2\x4b\x4f\xaa\xfd\xa9\x14\x79\xec\x91\x97\x64\xb0" + "\xf4\x8b\x95\x9e\x67\x99\xf0\x94\x96\x6d\x24\x61\x27\xc0\x0e\x9c" + "\xc7\xd8\xf5\xa8\x43\xd1\xa4\xd6\x1c\x5c\x0a\x64\xb6\xb1\x6c\xa7" + "\x32\x44\x93\x75\xd9\xcf\x5d\x32\xd3\x99\xf6\x56\xfd\x51\x4f\xbf" + "\xe6\x6e\xea\x82\xe4\x79\xfc\x73\x18\x0b\x72\x1d\xd4\xc5\xbb\x20" + "\xd4\x50\xc5\xa1\x95\x9e\x1f\x8f\xed\x9d\xd2\x8c\x97\x05\x12\x72" + "\xf6\x64\x00\xcd\xd4\x13\x45\x7d\xdd\xe6\x9a\xc7\x43\x5e\xe4\xa4" + "\xf7\x2a\x37\x02\x49\x82\xb4\xa7\xf6\xf5\x5e\x03\x07\x03\x82\xb8" + "\x3b\x2c\xed\xb7\x75\x25\x17\xf0\x48\xb7\xc6\x91\xd1\xf1\xd7\xb8" + "\x52\xa5\xb7\xcd\x3b\x2b\xde\x97\x62\x0e\x9b\x2c\xd9\xc7\x7f\xd8" + "\xcc\xb6\x92\x5a\xde\xf7\x06\xa6\x77\x0a\x2e\xfb\x62\x1c\x93\xf1" + "\xca\x24\xf0\x9a\x68\x6e\x8b\x86\x05\x81\x49\x47\x39\x92\x15\x33" + "\x9a\x1f\x29\xfb\x57\xac\xf9\xce\x9e\xba\x2c\xbd\x49\x69\xc8\x9e" + "\x4f\xb9\x39\x02\x12\xb9\xb2\xa3\x5d\x4a\xfa\x17\xb3\xee\xc0\x8a", +}; + +dh_test_vector_t modp6144 = { + .group = MODP_6144_BIT, .priv_len = 64, .pub_len = 768, .shared_len = 768, + .priv_a = "\xab\x36\xf0\x65\x7c\x4f\xba\xdc\x2a\x3b\x07\xed\xd1\xc8\xaf\xcb" + "\x42\xaf\xcd\x7f\xf9\x1c\x57\x01\x37\x25\x50\x0d\x89\x42\x9f\x34" + "\x79\x8f\x99\xf5\xde\x53\xd1\x08\x8f\xd9\xf6\x60\xa1\xa5\x2b\xe4" + "\x54\xf9\x63\x4d\x15\xbb\x4e\x4c\xe0\x9e\x5a\x69\xe0\xf9\x9d\x59", + .priv_b = "\x59\xa5\x52\xa4\x0d\x17\x80\xaf\x64\x33\xbc\x9e\x8a\x9b\x6d\x48" + "\x30\xdd\xd3\x57\x53\x07\x40\x9a\x90\xc9\x2b\xda\x40\x4b\xb7\x99" + "\xf0\x09\x3e\xfe\x21\xbe\xad\x85\xf1\x6a\x23\x7b\x05\x90\xc3\x35" + "\x6d\x96\x8c\xc0\x9d\xcd\x5b\x2d\x96\x86\x07\xd6\xd1\xbf\x70\xc2", + .pub_a = "\x0a\x78\x01\x5c\x3e\x0d\x36\x2a\xff\xe5\xd9\x3a\x9c\x2d\xf2\xdf" + "\x5b\xb9\x6b\x7f\xf2\xfc\xc2\xdd\x96\x6c\x53\x9d\x1d\x4c\xdb\xac" + "\xec\xe2\x6d\x16\xab\x6d\x3d\xe8\x24\xe0\x75\x87\x29\x12\xeb\xa0" + "\x44\x33\x66\x11\x0e\x0d\x7e\x17\x27\x4b\x95\x78\xaf\x12\x46\x63" + "\xe6\x55\x17\x0b\xf7\xb7\xb2\xbd\xb4\xbf\xe4\x7a\x88\x97\x68\x95" + "\x6a\x98\xf1\xce\x1a\xc8\xc6\xc7\xc4\x8e\x13\xa3\x6c\x16\x1c\x82" + "\x00\x7c\x98\x35\xb2\x2e\x7b\x47\x99\x38\x92\xa1\x71\x2b\x27\x5d" + "\xdc\x84\x54\xf4\x33\x0b\xd1\xfc\x08\xab\xfc\x48\x8e\x71\x8b\x43" + "\xa6\x21\x3a\x09\xc5\x68\x74\xce\xef\xb3\xa9\xfa\xe7\xe1\x11\xc0" + "\x0a\x10\x43\x3f\x4b\x23\x75\xef\xab\x04\x2b\xd5\xc1\xc2\x9a\xaf" + "\x97\x0c\xeb\xae\xb5\x7f\x10\xf0\x10\x6e\xa6\x3d\x25\x72\x59\x93" + "\x0a\xf5\xb3\x3b\xc2\x64\x27\xe6\xef\x47\x32\xde\x43\xdc\xea\x0a" + "\x88\x72\x9b\x93\x7e\x6a\x9a\xfc\xf2\x92\xa2\x9f\x8b\xe9\x9b\x71" + "\x88\xd8\x2d\xfc\x13\x7e\x69\x19\x9a\x53\x5d\x92\xdc\x61\x37\x60" + "\x03\x38\x67\x1e\x6d\x46\x76\x31\xff\xc2\xbd\x69\x59\x42\xcd\x7e" + "\xbb\x40\x2c\x54\xea\x39\x1b\x9a\x02\xde\x1f\x28\x99\xfe\xd5\xbd" + "\xb7\x1f\x27\xab\x71\x0b\xba\xaa\x32\xb2\xc2\xe0\xec\x8d\x4b\xd4" + "\xca\x6c\xc5\x07\xd9\x72\x0b\x20\xaf\x9c\xce\xcd\x7f\x4e\x88\xed" + "\x55\x0a\xea\xbc\x43\xdd\x0b\x3d\xc0\x20\xdb\x3e\x14\x89\x76\xc7" + "\x61\xf5\x44\x21\x8a\x79\xb7\x3b\x37\x77\x24\x99\xf3\x61\xba\x0b" + "\x1d\x3c\xf2\x10\x23\x75\x36\xfb\x89\xd8\x57\x86\x51\xed\x67\x51" + "\xd1\xe8\x10\x95\x61\x2b\x0f\xcf\x65\x36\xbc\xb0\xff\x17\x2c\x3d" + "\x54\xdc\x07\x13\x19\x99\xd4\x11\x98\xf9\x7e\xa8\x32\x9a\xbb\x04" + "\xc3\x75\x3f\x83\xe1\xfd\x3b\x92\x78\x72\x3c\x98\x67\xf4\xc1\xff" + "\x19\xe1\xd2\xad\x7d\x34\x65\xf0\xb8\xc2\xdd\x9d\x4c\xcd\x36\x1a" + "\xbd\xf8\x56\x66\xd6\xfe\x04\x2c\x98\x04\x2b\xec\xa9\x4b\x66\x4b" + "\x71\xcf\x78\x07\x56\xe5\xba\x9c\x8a\x72\xb8\xc9\xe4\x82\xd6\x59" + "\x22\x59\x39\x75\xd6\xdd\x00\xf3\x16\xc7\xb2\x0c\x81\xeb\x67\x4f" + "\x0b\xbe\xa8\x1e\xed\xe6\x7b\xbf\xf1\x17\x38\x3f\xf4\x86\x0b\x97" + "\x75\xa7\x81\x86\x14\xb8\x6d\x48\x5e\x88\x98\xa9\x2f\x54\xfd\x7f" + "\x05\x45\xb4\x32\xcd\x5f\xab\xec\x2e\xa8\x42\xd8\x3b\x51\xc2\x18" + "\x91\x7a\xb6\x10\x5e\x26\x8b\xc8\x50\x08\x2c\x79\xa1\xd0\x74\x12" + "\xce\xc4\xd2\x3c\xb0\x04\x54\xa8\x87\x2b\x9f\xb3\x05\x4a\x89\x64" + "\xb5\xaf\x7f\x64\x4b\x45\xcd\xd7\xf2\xb8\xa8\x8c\xd8\x7c\x6e\xe6" + "\x19\xd9\xaf\x59\xb5\x2b\x07\x37\x1b\x8f\xb0\x57\xe7\x05\x9f\x21" + "\x52\x6d\xc4\x89\x4a\xff\xce\xda\xc8\x5b\x73\xf3\xd4\x07\xc7\x29" + "\x02\x7e\xa6\x79\x82\xd3\x01\xba\x93\x0e\x37\x17\x3d\xfc\x38\xd3" + "\x25\x7e\x52\xd2\x53\xba\x20\xe8\xe9\xef\xa2\x96\x38\x49\x14\xd2" + "\x83\x8b\x2c\x62\xb0\x27\xc6\x5d\x36\x34\xd4\x58\x14\x25\x6e\xc1" + "\xcf\xd0\x2d\x21\xa3\xc0\x9c\x9b\x14\x20\x83\xec\x1a\xeb\x14\x2a" + "\xd3\x97\x40\xad\xd0\xeb\x51\x8f\xa2\x10\x62\xb4\x50\x94\xff\x35" + "\x43\xc2\x29\x88\x0e\xf6\xb9\x4c\x85\x80\x13\xed\x2f\x56\x15\xdc" + "\x0f\x09\xd2\xe5\x40\x11\x70\x34\x76\x2c\xed\xb1\xac\xe5\x82\x77" + "\x45\x42\x3e\x8e\x8d\x08\x6e\x5b\xbe\x34\xf9\x93\x0f\x8a\x43\xec" + "\xa6\x9f\x7c\x56\xe6\x95\x31\x85\x9d\xb1\x97\xaf\x2d\xac\x76\x81" + "\x1f\xfb\x4d\x53\xfe\x04\xe2\x48\xbe\xac\x50\xe2\xb3\x74\x77\x5f" + "\x48\xec\x26\xd0\x9b\xb9\xa3\x28\x23\xa9\x2c\xc2\x0a\xb7\xd3\x80" + "\x87\x03\xa2\x3b\x74\x07\xaf\xa5\x5f\x2b\x9b\x90\xa2\xf8\x89\x3c", + .pub_b = "\x75\x3a\x06\x23\x48\x41\x6e\x90\x3b\x5b\x3b\x25\x89\x38\xf1\xa4" + "\x3f\xe0\x96\x2a\xcb\x3c\xd2\x7a\x71\xb3\xed\x8a\xd4\xa5\x62\x77" + "\x4b\x6f\xf4\xf2\x29\x31\x2a\xfc\xb4\x7b\x34\xfe\x9c\xb0\x83\x62" + "\xe7\x45\xc9\x93\x19\x89\xdb\x90\x99\xc5\x77\x85\x06\x97\xa6\x2f" + "\xde\x6d\x98\x01\xbc\x4f\x51\x92\x94\x6f\x10\x3a\x7a\x56\x14\x48" + "\xad\x7d\x1d\x15\x0c\x8c\xda\xc9\x01\xf1\x3b\xfd\x27\x09\x2e\xf7" + "\xec\x0f\x82\x1e\x0e\xa6\xb9\x1b\x63\x90\xc3\x3e\x7e\xf1\xad\x5c" + "\xaf\x6f\x6d\x9d\x3f\x25\x4f\xe9\x53\xaf\x03\x6e\xdc\x24\xf3\x2c" + "\x65\x67\xc7\x08\x61\x80\x18\x7c\x19\x97\x44\x56\x5e\xf0\xa2\x94" + "\x7c\x59\x01\x94\x5b\x46\xa8\x0b\x28\x6c\xa0\xfc\xa0\xad\xe4\x4a" + "\x2c\x87\x77\x7b\x44\x28\x25\xd4\xa2\x24\x70\x69\x9a\x83\xf7\x65" + "\xde\xe3\xeb\x03\x14\x00\x4c\xba\x87\x87\xf2\x47\x4c\x3e\x44\x67" + "\x66\x85\x48\xb4\x12\xa6\x15\x22\x0d\x39\x02\x07\x66\x59\x07\x3a" + "\x64\x9e\xba\x6e\xc4\xdc\x29\x07\x5b\x67\xff\x42\xca\xe0\x1d\xcd" + "\x39\x08\xff\x63\x03\xb1\x76\xc4\xa3\xdc\x81\x33\xfb\x4c\x28\xa1" + "\xe4\x7e\xbe\x5f\x73\x24\x92\x7a\x40\x8d\x75\xc5\x94\x13\x26\x91" + "\xef\x9a\xee\x45\xaa\xff\xfc\xae\x61\x34\xdb\x20\x96\x99\xe9\x18" + "\x30\x95\x37\x23\xaf\x3d\x2f\x3b\x03\x69\x4b\xfa\x92\x92\x57\x8e" + "\x66\xe2\x89\xf0\x62\xe5\x2b\x2c\x23\xca\xcd\x8d\xdd\x88\x92\xb4" + "\xc9\x8e\x9d\x57\x62\x69\x3e\xd1\xd7\xc8\x7e\x99\xac\x4e\x7c\x65" + "\xaf\xea\x99\xfa\x69\xd8\x46\xb2\xc7\x1f\x76\xf1\x3e\x99\xb7\x23" + "\x2c\x7c\x80\x8b\x3a\x5e\x86\x2c\x50\x5a\x36\x48\x0a\x23\x23\xdf" + "\x69\x95\xa0\x1b\xfd\x1f\x4e\x06\xc5\x0b\x17\x3c\x62\xce\x5a\x63" + "\x82\xcd\x14\x64\xb8\x60\x36\xb9\x74\x9c\xa4\xe1\xa5\x0c\xc0\x77" + "\x05\x41\x46\xac\x16\xdb\xb5\x16\x71\x71\x6e\x62\x93\x17\xd6\xdc" + "\xbb\xbd\xb3\x01\x5f\x08\xa9\x71\x91\x97\x92\xb1\x1d\xa8\x0a\xf9" + "\xc3\xaa\x4c\xc2\x63\x48\xd1\xae\x21\xbb\xf3\xb7\xda\x04\x5e\x6e" + "\x82\x89\x5d\xdc\xfb\xae\x76\xaf\x50\x42\x71\x06\x8b\x0c\xfd\xb9" + "\x0f\x00\x24\x97\xe0\x0c\x9f\xf2\x95\x11\x63\x6f\xcf\x59\xfb\xd2" + "\xcc\x10\xec\xaa\xef\x89\xff\x1b\x48\xc9\xce\x78\x22\x50\xf6\x31" + "\x47\x78\x38\x3b\xae\x32\xed\xf6\xaa\xa9\x7a\x53\x71\xc6\xbd\x10" + "\xcf\x17\xf4\x1b\x1e\xb0\x90\x4d\xd1\xd2\xa2\x9b\x5c\x37\xd3\x9c" + "\x31\xb2\xb8\x5b\x8c\xa2\xde\x11\xf7\x97\x03\xea\x45\x38\xc5\x5c" + "\x22\x8e\x3d\x60\x4a\xc7\x32\xaa\xee\x7a\x67\x9a\xa5\x85\x1f\x64" + "\xb1\x45\xe7\xe1\x69\x68\x5c\x65\x1e\x0a\xf3\xf3\x11\x26\x98\x7b" + "\xf8\x27\x23\xad\xf4\x25\x6f\xab\x83\x48\xc4\x5e\xba\xea\x73\x6a" + "\x2b\x82\x66\x02\xf5\x21\x5a\xbc\xf5\xbf\xf1\xa4\x72\x1c\xd9\x9d" + "\xb6\x46\xe9\xb5\x61\xbe\xe5\x59\x8a\xf9\x8e\xfa\x79\x2e\xa6\x02" + "\xad\x22\xea\x06\x2c\x42\x66\xb9\x0c\x6d\x4b\x2b\x8b\xd9\xa3\x8b" + "\x60\xe2\x63\xe0\x44\x54\x02\x2f\x75\xb7\x41\x81\x9c\xe7\xce\xc4" + "\x3e\x82\x05\x5e\x0e\x4c\x16\x0a\x59\xfa\xb1\x13\x02\x87\xb8\xd8" + "\xa7\xbc\x15\xb2\x5a\xb5\xea\x50\x76\x76\x73\xa1\xf4\xc2\x71\x88" + "\x5d\x0c\x8c\xbe\x32\x3d\x60\x15\xdb\xad\xde\x37\xf8\x8e\xb8\xd2" + "\x24\xc3\x3c\x97\xe7\x9c\xc6\xdc\xcd\xcd\x43\x93\x06\xd8\x64\x9f" + "\xca\x07\x15\x47\xca\x13\x39\x8d\xd6\x75\xe0\x61\x7f\x7f\x15\x28" + "\x8f\xe8\x4d\x19\xb6\x41\x20\x93\x17\x03\xaf\x1b\x16\x13\x07\xc7" + "\x50\xfe\xeb\x97\x7c\xe3\x72\x32\x9b\x87\xab\xab\x2d\x47\xa0\x93" + "\xc3\xc9\x17\x58\xc6\x2c\x8a\xa8\x78\x6e\x6c\x30\x6c\xbf\x3f\x66", + .shared = "\xfc\xe8\xe5\xeb\xf2\xb0\x07\xfc\x46\x60\x17\xa8\xed\xf0\xf1\xa6" + "\x9f\x5a\xf2\xea\x49\x2a\x09\xd8\x08\xd2\x84\xc2\x2d\x9b\x3d\x07" + "\x2b\x9f\x89\x1b\x0c\x0f\x09\xe4\x67\xd1\x6e\x33\x8d\x2e\x6d\xd1" + "\xf5\x1b\xdb\xc4\xe8\x64\x61\xf5\x49\x47\xd0\x07\x0f\xbe\xc1\xfc" + "\xe3\xe4\xf3\xd8\xa6\xeb\x73\x8c\xb1\xd5\xcf\xc6\x54\x6d\xe2\x07" + "\xba\x55\x17\xe8\x2b\x39\xc2\xab\x30\x8d\x2d\x48\xe1\xe7\x3f\x7f" + "\x5c\xf8\x4a\xfa\x7b\x71\xb3\xf2\x4c\x52\x45\x5d\xfd\xa0\x94\x98" + "\xe9\xde\x3f\x14\x52\x7f\xa5\xd6\xf7\xa4\x67\x27\x4d\x84\x4e\xaf" + "\x7f\x20\xef\xc6\xaf\x5d\xac\xaf\xd7\xe1\x52\x02\x6f\xd4\x84\x73" + "\x15\x7b\x74\x89\x65\xcd\xa7\xb8\xd5\x8d\x54\x94\x44\x88\xf6\xd2" + "\xa9\x7f\xa9\x12\xd1\x19\xa7\x75\x2f\xcf\x3c\xb9\xc2\xc7\x66\x18" + "\x91\x83\xd9\xa1\x69\xe2\x09\xc0\x38\x7f\x7b\xff\x5e\x44\x9d\x34" + "\x3c\xef\xb3\xbc\x86\x57\xaa\x28\x22\x09\x7a\xa1\x64\xad\xf0\x16" + "\xcb\x15\x8f\xaf\x9e\xb8\x0f\x9f\x53\x1c\x8a\xf9\xf3\x2d\xee\xf7" + "\x31\xa8\xcd\x44\x6a\x5f\xea\x66\x95\x81\x96\x49\x83\xd7\x1d\x54" + "\xaf\x34\x81\x5d\x3c\x4e\x4e\xc5\xe6\x5c\x04\x4d\x7a\x5c\x4b\x7b" + "\x54\x14\xa1\x19\x31\xe3\xda\x28\x4f\x8a\x3a\x99\x12\x3c\x22\xb5" + "\xce\xe7\x8b\x1c\xf0\x3a\xdf\x88\x5b\xe5\xdb\x0a\x88\xcd\x84\x9d" + "\x41\xdd\xf1\x63\x00\xf3\x6c\x23\xa4\x4b\x81\x04\x74\xd1\x35\x8f" + "\xef\x99\x9d\xf9\x46\x7f\x96\x98\x15\xbc\xa6\x25\x39\x6e\x32\xd1" + "\x7f\xa0\xcc\xe9\x60\x41\xc7\xcf\x0d\xd3\x16\x99\xee\xb7\x63\xbb" + "\xb2\x4c\x93\x7f\x50\xd0\xfe\x90\x39\x33\x87\xc6\x17\x97\x44\x83" + "\xad\x3c\x20\x2f\xd5\xc0\x30\xf4\xfa\xde\xdf\x42\x43\x16\x46\x6a" + "\x6b\x36\x59\xcd\xf1\x8c\x39\x82\xba\x54\xf6\x34\x3f\x6b\xf2\xf2" + "\x1f\x58\x58\xea\xdb\x8f\x80\xa2\x4d\x01\xe8\x2d\x70\x0c\x58\xf9" + "\x56\x4f\x6e\xea\xe2\x98\x0c\xc7\x01\x74\x40\x25\x24\xcc\x87\x16" + "\x98\x67\x5a\x7e\x95\x87\xa1\x41\x0e\xa6\x22\x89\x13\x26\x0f\x6f" + "\x81\xdc\xd5\x3d\x75\xe0\xd6\x71\xe7\xde\x0a\x6c\x62\x3b\x64\xab" + "\x2f\x67\xa0\xad\xdc\x32\x70\x1c\xa1\xfa\xe9\x08\xed\x5d\x90\x09" + "\xad\x42\x74\x5d\xcd\x12\x24\xfb\x14\xe8\xb9\x89\xa4\x4f\x0b\x07" + "\xa9\x4a\x7a\x27\xce\x19\x8d\x32\x6f\x74\x9a\xc5\x10\x91\xf1\xfc" + "\x03\xfa\x1c\x87\xe8\x70\x5c\x36\xa8\xef\x2c\xc7\xb6\xe4\x47\xac" + "\xb7\x3d\x0e\x44\x12\xbd\xa2\xf9\xdb\x49\x5f\xc5\xe6\xdf\x7a\x37" + "\x87\x32\x73\xb3\x6d\x08\xac\xef\xb8\xa3\x0a\x14\xb6\xd7\x7f\x76" + "\x0f\x02\x9b\x93\x45\x7b\xee\xd4\x92\x53\x40\x6c\x9e\xe1\x52\xe4" + "\x22\x31\xcf\xcb\xc5\x30\x11\xe0\xb6\xe4\x17\xad\x03\xe9\x8d\xaf" + "\x2e\xc8\x5a\x2c\x89\x49\x9d\xde\x67\xc4\x03\x1d\x91\x8f\x30\x7d" + "\x11\xd1\x93\x8c\x7b\xb9\x17\x71\x7c\x3b\x14\x34\x03\xba\x76\x8a" + "\x4b\xe0\xd0\x93\xc9\x25\x59\xce\x3f\xcc\x5d\x38\xfe\x18\xfa\xbb" + "\x0d\xde\xe0\xd4\x17\x3e\x18\x27\x58\x73\x86\x89\x71\xa0\x7f\xcd" + "\xd4\x8e\x54\xcc\x3f\x63\x1e\x44\x3d\xb9\x39\x77\x4c\xb8\xaa\x57" + "\x5f\x7b\xd2\xa9\x86\x9c\x15\xbe\xa7\xf1\xea\xa9\xdf\x95\x32\x2c" + "\xbf\x93\xb0\x31\xaf\x6e\x74\xe0\x37\x7c\x94\xf0\x4f\x6c\x44\x3c" + "\xd9\x1c\x3b\x48\x24\x8b\x28\x2f\x65\x54\xce\x69\xf4\x5b\xb6\x11" + "\xef\xab\xec\x45\x4d\x10\x58\xa7\xf2\xa7\xc7\x1a\x9f\xfa\xdc\xcd" + "\x54\xfa\x0d\xe8\x96\xbc\x0d\x55\x0a\x49\xf1\x2a\x31\x28\x15\x26" + "\x56\xf2\xa0\x6c\x84\x51\xbd\x6b\xee\x20\xc5\xd6\x4b\x36\x5f\x7b" + "\xb8\xd0\xeb\x41\xb6\x7c\xfb\x9d\x9d\xfd\x62\x0e\xb7\x99\xca\x17", +}; + +dh_test_vector_t modp8192 = { + .group = MODP_8192_BIT, .priv_len = 64, .pub_len = 1024, .shared_len = 1024, + .priv_a = "\xa6\x48\x81\x47\x45\xfe\x1e\xd1\x98\x9b\x75\xba\x6d\xd5\x01\xe4" + "\x4e\x77\x6d\xc9\x97\xa0\xae\x27\x37\x64\x61\xb0\xee\x79\x65\x94" + "\xc2\xe6\xdb\x07\xe5\xf9\xd8\x7d\x94\x4d\x37\x01\x22\x38\xe5\x70" + "\xaf\x52\x3a\x47\xf3\xe8\x6e\x2a\x4c\xd0\xdb\x3a\x49\x40\xcf\x0b", + .priv_b = "\xd8\xf2\xb0\x9f\x17\xbe\x6f\x13\x64\x5c\xb4\x57\xbe\x0a\xa8\x02" + "\x02\xe8\x43\xf5\x10\xd2\x93\xf9\x32\x55\x98\x2f\x89\x87\x26\x61" + "\x79\xd6\x01\x90\x95\x70\xa3\xf9\xcc\x58\x50\x8b\x62\xf8\x8d\x64" + "\xe0\xd0\x59\xf1\xa2\xed\xea\xd4\x42\x82\x04\xcc\x09\x2a\x2d\x82", + .pub_a = "\x1f\x6d\x66\x0a\xfb\x04\x87\x42\x55\xe6\x83\xee\x89\x9a\xd2\xfd" + "\xbc\xf7\x35\x7f\xdf\xe2\x47\xef\x3b\x2f\xf9\x41\x19\x48\x45\x26" + "\x44\x53\x41\xc5\xdf\xea\x28\xa7\x45\xa0\xff\x56\x95\x13\x24\x72" + "\x34\x1b\x11\xb2\xe6\x9b\xd8\xe9\x98\x18\xf0\x5c\x22\x74\x26\x65" + "\x9c\xf0\x34\x81\x55\x50\x1d\xce\x5a\x7b\x5d\x11\xae\xaf\xfb\xd0" + "\x52\xb5\xff\x8a\xc8\xe3\x5e\x78\x50\x29\x79\x53\x9e\xf4\xe4\xa7" + "\xa9\x51\x55\x1a\xcc\x10\x02\x72\x6b\xa8\xee\x95\x95\x70\x19\x92" + "\x34\x15\xd8\xec\x61\x27\xbe\x25\x2c\x44\x65\xb0\xef\xae\x8a\xee" + "\xcd\x39\x0f\x33\x55\xcf\x94\x52\x5e\xef\x38\xdb\x92\x62\x79\xb8" + "\xfd\xce\xe1\x3c\x43\x8e\xdd\xb2\xa5\x22\x44\xa7\x1b\xda\x1e\x85" + "\x30\x91\x82\xfa\x8c\x57\xff\x0c\xd4\x06\x9d\x4f\xfb\xcc\x42\xe5" + "\xe6\x60\xc1\xf0\x07\x3c\x85\x6a\xc6\x11\xcb\xf7\xf9\xf3\x2c\x95" + "\x67\xa1\x8e\x44\x94\xed\xe7\x42\x7b\x1a\x18\x16\x55\xdb\xc7\x91" + "\xc7\x9d\x54\x7d\x88\xfd\x49\x45\x9b\xd3\x56\xee\x47\x26\xa9\x5c" + "\xd3\x7b\xf2\x42\xe4\x8a\x94\xd9\x22\xcc\x06\x66\xce\x4f\x29\x91" + "\x2a\x1e\x4e\xc8\x8e\x3e\x40\xde\xdc\x95\xe1\x2c\xe2\x50\x47\x2e" + "\x58\x37\x49\x32\xe4\x64\x81\xe7\x03\x11\x81\x13\xb7\xdd\x6f\xef" + "\xae\xf5\xc5\xe6\x1c\x13\x6b\x76\xa1\xb0\xbf\x4d\xf0\x01\xc3\x09" + "\xd8\x59\xff\x13\x34\x6d\x52\x11\x9b\xa6\xc9\xca\x38\xe6\x71\x80" + "\x39\xae\x37\x4b\x1c\xe1\x13\xfb\xc6\x91\x8f\x32\xc3\x6a\x04\xd8" + "\xc6\x80\x08\x4e\xef\xf6\x80\xf9\x8f\xda\xaf\x27\x79\x9b\x21\x2d" + "\x2d\xea\x87\x4b\x4d\xeb\x5a\x87\xfb\x72\x36\xe2\x3e\x9b\x42\xcf" + "\xa9\xeb\x49\x41\xe6\xc2\xb8\xc0\xad\xbd\xb3\x61\xc1\x61\x5f\x9c" + "\xb6\xbd\x8f\x99\x3a\xe8\xca\x86\xb8\xd8\x7f\x2f\xb2\x33\xc0\x9f" + "\xd3\x8e\x44\xdc\x6d\x0c\x19\x89\xb9\x05\xc6\x36\xf4\x7a\xc3\x06" + "\x46\xa4\x22\x6e\xef\x76\xba\x92\xfd\xaf\xce\x71\xbc\x0c\x05\xfe" + "\xec\x8f\x8d\xfb\x59\x46\xf9\x7c\xc1\x1f\x1c\x52\x62\x4d\x01\x57" + "\x4e\x86\x03\x94\x8b\xba\xf7\xbd\xca\xbb\x15\xaa\x61\xdd\xbc\x32" + "\xdf\x9e\x5f\xad\x3b\xf8\xf6\xfb\x4d\x1e\x9c\x86\x9e\x7e\x0f\xaf" + "\xf6\x91\x7e\x08\xf4\xfb\x55\xd8\xe0\x4b\xd9\xcd\x23\x57\x83\x58" + "\x59\xd7\x56\x93\xee\x14\x2f\x2b\xd2\x83\xa4\xce\x45\xa2\x90\xba" + "\x15\x4d\xca\x0c\x8b\x29\x7a\xe5\xbc\xba\xa0\x45\xd0\x08\x27\x75" + "\x61\x3a\x83\x99\x2f\x39\xc6\x41\x03\xc0\xb7\xd6\xfb\x5b\x94\x64" + "\xc3\xfe\xca\x32\x1c\xe3\x66\xc8\xb4\x49\x44\x1c\x63\xb0\xaa\x18" + "\x31\x4b\x15\x8a\xda\x77\xc5\xfd\xea\x33\x6c\x9a\x45\x4c\x24\xb5" + "\x1c\xd2\x5d\x56\x98\x3c\xdf\xb1\x5f\x10\xee\xc1\x17\xec\xbe\x7c" + "\xdb\x24\xdd\xdb\x22\xf6\x47\x8a\xfc\xc5\xb5\xa8\x9a\x8f\xb8\x27" + "\x72\xa1\xd4\x5e\x43\xcd\x7b\x33\x2e\xe3\x09\x94\x77\x20\xfe\xba" + "\xae\x2e\x9b\xc1\x43\xdd\x9d\x44\xd8\xd6\xfe\xff\xe3\x0f\xf6\xd3" + "\x71\xa1\xf8\xda\x1c\xff\x41\x21\x6f\x07\xc9\x55\x99\x6f\x0a\xef" + "\xd6\x5a\x6c\xa5\xdd\xba\x98\x46\x30\x43\xad\x27\xe4\xf1\x1e\x3a" + "\x89\x4a\xb3\xc8\x6d\xf7\xe9\x2f\x48\xd0\xd7\x29\x38\x5c\xe7\xac" + "\xbc\x3f\x65\x5e\x23\xdd\xc1\xad\x73\xed\x1a\xee\x81\xf3\x63\x29" + "\x7e\x72\x8f\x1a\xfc\x2d\x03\xf9\xbb\x3c\x38\x42\xc2\xfb\x53\x2f" + "\x56\xd6\xca\xb9\xeb\xa4\x17\x46\xdb\x53\x56\xf0\xdd\x1d\x8a\xfc" + "\x03\x06\x4d\x8c\x97\x7e\xf0\xc6\x5d\x6d\x5a\x23\xed\xee\xf9\x11" + "\xed\x04\x34\x0c\x04\xa0\x60\xf9\xa8\xfe\x8f\xfa\xd6\xf3\x27\x3d" + "\x32\x48\xbe\x3b\x56\x3a\xe8\x76\xe9\x54\xe7\x81\xef\xe3\x8f\xd9" + "\x03\x42\x5b\xa7\xd2\x69\x96\x39\x05\x8f\x41\x25\x35\x3a\x56\x66" + "\x5a\xc8\x36\xda\x84\xc5\xe9\x2e\x55\xac\xe9\xeb\xdc\x8f\xd8\x26" + "\x06\x3b\x61\x7f\xd7\x78\x4e\x5b\xe5\xd7\xca\x76\xf0\xd0\x71\xf6" + "\x45\x21\x30\xdf\xfc\x69\x82\xcf\xc3\x02\xda\x4f\x4e\x51\x59\x4f" + "\x56\xd1\x60\x5a\xd9\x12\x21\x7a\xa9\x99\x81\x5a\xa8\xa8\x10\x94" + "\xd7\x3e\x58\x7e\xd9\xde\xbc\xf5\x83\xf0\x92\x4f\xe6\xdd\x17\xb3" + "\x9c\xdd\xd5\x7b\xc0\xb4\xb5\x8c\xae\x7b\x63\x1a\xaa\xd0\x93\x55" + "\x31\x28\xd7\x8e\xec\x8c\x28\x64\x81\x9e\x2e\x47\xa9\xb3\xa0\x06" + "\x2a\x3d\xfe\x27\x40\x9c\x13\x96\xa0\xff\x65\xd9\x05\xd8\x92\xa2" + "\x63\x0e\xbf\xe2\xc5\xe3\x51\xbf\x20\x74\xdc\xbe\x5a\xfb\xd5\x5c" + "\x1b\x8f\x41\x21\x43\xaf\xdf\x35\xd1\x46\x80\x16\xf0\x28\x5d\x55" + "\x52\x0c\x05\x24\x63\x68\x5d\x50\x7a\x50\xde\x2d\xfa\xae\xd0\x71" + "\x9a\xad\x2a\x56\xb6\xa2\x52\xbc\xe1\x93\xc4\x93\x36\xc6\x08\xec" + "\xf3\x26\x14\x0b\xa5\x4c\x9e\x15\xf3\x48\xf6\xd1\xd4\x45\x41\xd7" + "\xb7\x5c\xd9\x89\x89\xe6\x62\xe6\x4b\x9f\x3a\xf7\xc7\x77\xd7\xc3" + "\xae\x18\x3c\x5c\xee\x2a\xf1\x80\x8a\x73\x83\xa4\x0e\x63\x12\x04", + .pub_b = "\x8e\x2b\x1b\xac\x90\x76\x05\x3f\xf4\xd5\xde\xa3\xad\xf0\xe9\x40" + "\x27\x69\xb2\x65\x1a\x54\x5c\x89\x0a\x82\xbd\x59\xc3\x4f\x55\x02" + "\x77\xdd\xac\x4c\x3b\x43\xb5\x34\xf5\xa2\x15\x85\xba\xa2\x40\x6f" + "\xb7\x37\x6c\xdb\x3d\xd1\xc0\xc9\xa0\x6c\x17\x3c\xa3\xc1\xcf\x7f" + "\x86\x86\xcb\xaf\x9a\x5c\x27\x36\x8e\x47\xac\x3f\x30\x46\xe7\xd9" + "\xd9\x56\x54\x22\xfe\x43\xb6\xc9\x04\xf9\xd0\x63\x02\x02\xcd\x7d" + "\x77\xcc\x21\x1b\x7b\xea\x4a\xc1\x9c\xdb\x68\x0e\x34\x00\x43\x4b" + "\xd1\x66\x03\x07\x42\xc9\x79\x7f\x81\x0f\xcc\xff\x4b\x2c\x00\xf9" + "\xb9\xd4\x70\xde\x92\x65\x45\x32\xac\x64\x76\x49\xe6\xc0\x26\x77" + "\xbc\xb8\x09\xa6\xbd\xa1\x22\x73\x13\x4b\x1c\x7c\xa8\x88\xe1\x69" + "\xb1\xe2\x64\x48\x3f\x4b\x2f\xd8\xa3\xb4\xf6\x4e\x5a\x79\x06\xf0" + "\xcb\x72\x9c\x72\x0e\xe6\x39\xa6\x69\x7b\xa3\x32\x9e\xa0\x81\xb0" + "\xd6\xa2\x10\xee\xbb\x5b\xd5\x51\xd0\xd6\xbf\x28\x80\x0c\x67\xf4" + "\x38\xf4\xc3\x16\x3b\x83\xd2\x6c\xd3\xf3\x02\x34\x64\xeb\xa1\x6c" + "\xb3\xa5\x13\x6a\x64\xb5\xa6\x3a\x1b\x63\x5e\xe7\x03\x96\xdb\x37" + "\x4f\xc8\xb8\x60\x86\x45\x30\x61\x97\xfa\x8e\x3d\xae\x48\xa4\x7d" + "\xfe\x72\x6a\xe9\x98\xeb\x77\x13\x4a\x4e\x6a\xae\x24\xf2\xd2\xad" + "\xa6\xca\x7e\x98\x38\x53\x24\xea\x98\x09\x2c\x5b\x0f\x46\x9c\x6a" + "\x50\x0c\x46\x27\x98\x51\x56\x06\x6e\xca\xe9\xb8\x47\xe7\x20\xd7" + "\x71\x38\xdc\x17\x74\x4e\x0b\x9d\xa6\xe3\x8e\x69\x28\x2a\x90\x45" + "\x3e\x72\xdf\x62\x88\x3a\x8a\x04\x59\x05\x43\x2a\xa3\x22\x90\x1f" + "\x62\xa2\x46\x03\x90\x81\xd8\x1a\x12\x77\x37\x08\x34\x58\x0d\x0b" + "\x5d\x02\x5f\xa3\x66\xfb\x6e\xeb\x22\x5c\xe3\xbc\xcc\x8d\xa5\x94" + "\xe8\x14\xd5\x08\xfe\x8b\x75\x6a\xf1\x9a\xde\x32\x26\x10\xb4\xb9" + "\x9f\x5d\x60\x83\x66\xdf\xfc\xfe\x4d\xdc\xd9\x95\xcf\xa9\x89\xc4" + "\xe6\x92\x8a\xd5\x99\x35\x7e\xc5\x5b\x42\x62\x92\x3f\x7e\x2a\x32" + "\xd0\x64\x8b\x0a\x61\x0f\x3d\xa8\x83\xb8\x95\x77\x34\x3c\xd0\x31" + "\xe6\xf9\x01\x69\x2f\x3f\xb4\xa1\x03\x18\x1b\xf1\xbd\xac\xe1\x8d" + "\x61\xb8\xd0\xf6\x7f\xd9\x7a\x3f\x26\xc1\x81\x16\x80\x93\xe6\x65" + "\x56\x5b\xc1\x56\xfb\xf1\x65\xd9\x5a\x21\xe9\xf2\xd2\xde\x7d\x89" + "\x12\xa2\x4f\x8f\xd9\x61\x0c\x51\xbf\xfc\x36\x65\x36\x5b\x51\x20" + "\x90\x42\x3a\x99\xd1\x88\x21\xf1\xd7\x1a\xe1\xed\xca\xdd\x08\x4e" + "\xb5\x29\xa3\x72\x83\xed\x85\x15\xe5\x20\x5c\x6e\xbb\x39\x2a\x38" + "\x12\xde\xe0\x5a\x1c\x10\x7b\xb2\x5b\x46\xa2\x80\xb4\x3e\x59\x1a" + "\x7d\x09\x70\x9d\xbc\x6f\x76\x8a\xf4\xb4\xc9\x35\x26\xfb\xcc\x7a" + "\xb5\x52\x8b\x06\xe3\x6f\x50\xb1\xf6\x4d\xf4\xbd\xa9\x1e\x39\x37" + "\x56\x1b\x25\x62\x0f\x7a\x4a\xfb\xe1\xff\xf5\x28\xf8\x40\xd4\xf2" + "\x99\xd1\xad\xd9\x23\x5b\x4e\x3b\x8a\x57\x87\x54\x23\xd7\x73\x54" + "\xf9\xa0\x0e\xa5\x49\x5f\x8e\x93\x8e\x41\xeb\x69\x7b\xef\x48\xeb" + "\x1b\xb6\x6b\x48\x29\xff\x4e\x89\xb1\xf2\xbd\xef\x77\x7a\x92\x71" + "\x97\xac\x21\x76\x6e\x54\xd3\x89\xe2\xca\x07\xbe\x00\xe8\xb4\xd4" + "\xd5\x63\xf1\x4b\xbb\x76\x16\xc8\xdb\xf1\x14\x18\x4b\xbe\x39\x00" + "\x75\xf2\x85\x2b\x8e\xd8\xc0\x81\x12\x9b\xe4\x9f\x98\x74\x6f\x70" + "\xa8\xa4\x7f\x14\x66\x21\x91\x61\x86\x2b\xa6\x01\xf5\xd1\x00\x6c" + "\x7b\x3a\x39\xb8\x3b\x6c\xe8\x4b\x16\xd0\x99\xcc\x2a\x9f\x63\xdd" + "\x77\xc1\x1d\x14\x98\x38\xca\x3f\x5a\xdf\xc4\x9d\xf5\xe6\xa8\x2a" + "\x4b\xfb\x53\x68\x6e\x31\x39\x12\x07\x2b\x7e\xe3\x78\x3d\x23\x79" + "\xc4\x2b\xc1\xac\x29\x20\x59\x91\xf0\xd8\xfb\x9d\x20\x5b\x21\x70" + "\x0e\xa8\x46\xca\xfc\x09\x38\x12\x1c\x2c\xa4\x67\xa8\x94\x04\x87" + "\xa4\xaa\x2c\x25\xea\x57\x35\xc2\x4e\xa9\x15\x0e\x7c\x46\xe3\xdf" + "\x40\x77\x81\xd6\xf3\x9c\xee\xd4\x22\x3b\xe9\x20\x98\x1a\x18\x4e" + "\xd3\x3d\xe6\xd0\xfc\xcc\x2d\x5c\x72\x69\xe7\xc4\xca\x12\xe9\xb7" + "\xbe\x84\x31\x9e\x5d\x6f\xcf\x91\x37\x15\xeb\xf8\x08\xba\x50\xc3" + "\xb4\xad\x36\x09\xe0\xd3\x61\xea\x9b\xe6\x28\x56\x33\x73\x2b\xe7" + "\x51\x52\xc5\x40\x66\x34\x47\x03\xe4\xd9\xff\x4b\x23\xaf\x80\x63" + "\xbd\x30\xe0\x2d\xe2\x08\x4a\x09\xd3\x04\x0a\x4d\xbc\x7b\xac\x80" + "\x94\x8c\x4d\xd7\x4a\x35\x72\xa4\x18\x66\xf2\x0e\x01\x6a\x0f\x31" + "\x17\x31\x07\xb9\x65\x68\xd6\xac\x2f\x53\x36\x01\x3f\x06\x18\x77" + "\xae\xbe\xb4\xac\x60\x9a\x73\x3d\x7d\x40\xdc\xed\x19\x27\x03\x57" + "\x0a\xca\xe4\xcc\xc6\xfe\x3b\x7a\x9d\x73\xb2\xa4\xf1\x21\x32\x11" + "\x21\x86\x77\x1e\x25\x96\xc8\xb0\xce\xd5\x1e\x4c\xea\xd0\x04\xde" + "\x67\xa8\x36\x23\x89\x85\x7b\xa9\x2a\x0c\x52\xd5\x63\xbe\x17\xdb" + "\x82\xd5\xf6\x51\xc3\x9a\x9f\xab\x58\x46\x87\x0c\xb3\xc1\x23\x87" + "\x61\xac\x00\xed\x46\xe5\x79\x2c\x5b\xd6\x6e\xaa\xee\x4b\x08\xb2", + .shared = "\x7d\xc5\xc9\x35\xc9\x62\x79\x93\x1d\xfc\x55\xc6\x20\x36\x95\x7c" + "\xa1\x5d\x9c\x0f\xdf\x95\xa7\x1f\x59\xae\xb7\xa6\x39\x0f\xd1\x7e" + "\x93\x34\x7f\xb6\x72\x96\xf2\xe3\x20\x30\x40\xe7\x77\x51\xc1\x0a" + "\x08\xf3\xad\x86\x40\xec\xf0\xd2\x9d\x88\xba\xff\x50\xf7\x4e\x88" + "\x1f\xf0\xdd\x12\x17\x05\x97\x1e\x3c\xe3\x91\x65\x10\xd9\x16\x32" + "\x21\x44\xd8\x81\xed\x17\x9a\x60\x34\xee\x4d\x81\x03\xbc\x05\x56" + "\xba\x7f\xa7\x31\xc9\x3b\x57\x5e\x38\x1c\x45\xbf\xfc\x51\x48\xf3" + "\x05\xa9\x74\x39\xdf\xa1\x34\x48\x62\x31\x5d\x58\x45\x16\xc1\x9e" + "\x26\x38\xb4\x59\x95\xdd\x92\x52\x1e\x26\x20\xed\xd2\xb2\xb3\x98" + "\x6b\xde\xbe\xf1\xa0\xbc\x52\xc9\xfe\x97\x65\x78\xd6\xce\x91\xb1" + "\x8e\x9b\x04\xfc\x74\xb9\x1d\x52\x7d\x0b\xf0\x1d\x2a\x3c\xde\x2e" + "\x4c\x49\xee\x62\x9c\x59\x09\x12\xd7\x4a\xd7\x0d\x03\x72\x3d\x04" + "\x58\xd5\x19\x9e\x42\x97\x2c\x32\xb9\xda\x5c\xee\xaf\x40\x44\xc9" + "\xfd\x69\xcf\x6e\x81\x6b\x2b\xa4\x21\x3b\xde\x2d\xc3\xb7\x03\xe3" + "\xa3\xf2\x77\xd8\x70\xf5\x6f\x24\x48\xbf\x48\xb5\xa5\xff\x86\x06" + "\x0c\x23\xc2\xc9\x8e\xfa\x0f\xa6\xaa\x77\x95\x1a\x1a\x91\xfe\x30" + "\x6b\x18\xc5\xfb\x13\x76\x7a\xa5\x29\xa3\x02\xce\x2b\x46\x74\x5a" + "\x1c\xe6\x7c\x3a\xb7\x43\xea\xf9\x3f\x53\xa9\xfb\x63\x94\x26\x42" + "\x82\xdc\x9a\x4a\xd6\xbb\xa9\xd1\x6e\xc2\xc7\x92\x28\x3b\x33\xc3" + "\x58\xf6\xfb\x44\x5c\x5d\xea\xe0\x62\xaa\x30\x97\x30\x38\x36\x47" + "\xb1\xae\x3b\x99\x35\xab\xc9\x45\x2a\x07\xec\x34\x88\x61\x70\xb0" + "\x47\xf9\xd6\x61\x23\x48\x71\x6f\x85\x3b\xf1\x8a\x17\x72\xc1\x99" + "\x6d\x4f\x94\x2b\x11\xf2\x75\x33\x08\x67\x08\xba\xa6\x50\x2a\x1f" + "\x6b\x0e\x38\x0e\x52\xea\xe0\xd8\xcd\xd0\x11\x80\xa7\xb9\x97\xd9" + "\x68\x1b\x21\x7c\xe2\x69\x8e\x14\x61\x39\x49\x65\xbb\xc2\x7c\x2e" + "\x8e\xb1\x83\x28\x7b\xf0\xf0\x62\xdc\x35\x33\xea\xc9\x14\x3f\x83" + "\x60\xd3\xec\x37\xd4\xe3\x87\x86\x2c\x43\x53\x80\x3f\x39\x36\x4d" + "\x1e\x73\x2a\x5c\x8c\xfb\x2d\x2e\x78\xd1\xf1\xe5\x8c\x89\x35\x1e" + "\x0a\xd3\x07\x3c\x05\x0d\x4e\xa0\x81\x6a\xee\xb5\x27\xef\xa6\x2e" + "\x04\x07\x01\xf7\x40\x9b\xbf\x7b\xf8\x3d\x0f\x68\x79\xc6\x96\x16" + "\x53\x5b\xb0\x8f\xb1\xbd\xd4\x28\xa7\x73\x37\x7b\x06\xbf\x9c\xd2" + "\xb4\x28\x82\xb4\xd2\x63\xf9\xb2\x56\x7c\x28\x02\x4b\x91\x63\x03" + "\xdc\x58\x6e\xb5\x88\x2e\x76\x3a\x53\x4a\xd4\x22\x7c\xa5\xca\xdc" + "\x96\x14\xa6\xfb\x64\xe9\xa5\x09\xf2\x3e\x4d\x7e\x40\x01\x93\x05" + "\xe0\xad\x2e\x20\x7c\x4e\x17\x45\xa8\x70\x7e\xd1\xc7\xbb\x10\x94" + "\x81\x36\x22\x62\x3f\x44\xe2\xfa\x36\x9e\x4e\x37\x75\xdf\x8d\x6f" + "\x15\x73\x41\xf0\x6f\x32\xce\xa9\xfc\x06\x8f\x39\xcf\xfb\x34\x16" + "\xba\x74\x7d\xe6\x02\x18\xd3\xe4\x8c\xee\xd1\xef\xdc\xd4\x59\x8d" + "\xeb\x25\x7a\x09\xc8\xcc\x38\x7b\xcb\x8b\x3c\xb8\x77\xb4\xad\x1a" + "\x9e\x78\x20\x58\x6b\x36\x4d\x5d\xbb\x07\x38\xba\x65\xf4\xfe\x4d" + "\x86\x94\xdf\x77\x52\x08\xb1\x75\x07\x85\xaf\x77\xe9\xb3\xab\x3a" + "\x35\x30\x8a\xfd\x34\x99\x3b\x8f\xfc\x9a\x9e\xe1\x46\xcb\xbf\xf3" + "\xbd\xb9\x9c\x8c\x4e\x29\x6d\xa3\x29\x5a\x1f\x88\x23\xdf\x89\xa7" + "\x88\x7c\x90\x75\x5a\xd5\x97\x60\x17\xdf\x5e\x96\x04\xf8\xae\x24" + "\xd8\xf1\xa3\x3a\xa1\x40\x40\xd1\x45\x8e\xa5\xe5\x32\x32\xcc\xcc" + "\x1c\x8a\x9f\x6d\xa0\xa8\x89\x9d\x75\x2b\xd2\xc2\x07\xb2\xe1\x1a" + "\xcd\x4f\x31\x80\xb2\x19\x5f\x06\x9d\x8e\x7a\xf1\x2e\x15\x1d\xbc" + "\x4c\xb4\x75\x6f\x7b\xb7\xe4\x70\xd6\x0c\xe1\x27\x93\xce\x4a\x63" + "\xde\xe7\x48\x87\x5c\x75\xae\x34\x82\x5a\x71\xda\x1f\x93\x72\x64" + "\x7c\x7b\xda\x6a\xd7\xf9\xe8\x1f\x72\x67\x71\x68\x6f\x85\x64\x53" + "\x72\x80\x8f\x1f\x7a\x15\x1c\x11\xfd\x11\xf7\x8c\xc4\x43\x41\x60" + "\x03\xf2\x79\x19\x27\xdf\x98\x37\xaf\x07\xb3\x8d\x0b\xee\x01\x85" + "\x6f\x6d\xa9\xbd\x0e\x1f\x79\xdf\x21\x78\x24\xbf\xc5\x09\x29\x9e" + "\x64\x0d\x8e\xff\xc9\xe7\xe8\x51\xd3\xe8\xfe\xa5\xe0\xa9\x8d\x54" + "\x17\x3a\x34\xaf\xd9\xbd\xfd\xaa\x8c\x81\x79\xfb\x65\x85\x67\x73" + "\x32\x2d\x32\x00\xcb\x3b\xe2\x0e\x43\xe8\x40\xf6\x42\xf2\x74\x00" + "\xa0\xfd\xe6\x96\x4a\x2b\xbb\xa9\xd9\x95\xc4\x42\x75\x12\x3f\xbb" + "\x79\x35\x9c\x91\xb5\x24\x10\xc4\xc5\xbd\x4a\x4c\x47\xd8\x89\x92" + "\x70\xa5\xe6\xc9\xed\x2e\xbd\x98\xc0\x17\xb0\xad\x8c\x31\x95\x81" + "\x84\x86\xb1\xaa\x42\xf6\x2e\x10\x92\x2f\x67\x73\x33\xb9\x02\x43" + "\x52\x24\x05\xdb\x9c\xec\xc5\xf1\x3e\x78\x05\xcb\x04\xd6\x91\xa8" + "\x51\x9e\x48\xa8\xae\xa8\x8d\x13\x2d\xcd\xa1\xbe\x23\x9e\x00\x4c" + "\x0a\x59\xf8\x18\xb0\x0a\x06\xe2\x0a\xb4\x16\x02\xa7\x21\x4c\xac" + "\x9a\x80\x62\x7f\xb6\xd6\xa0\x3b\x11\xd3\x30\xf9\x3d\xfd\x26\x27", +}; diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/modpsub.c b/src/libstrongswan/plugins/test_vectors/test_vectors/modpsub.c new file mode 100644 index 000000000..bb64e2df9 --- /dev/null +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/modpsub.c @@ -0,0 +1,164 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the Licenseor (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be usefulbut + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +/** + * Test vectors from RFC5114 + */ + +dh_test_vector_t modp1024_160 = { + .group = MODP_1024_160, .priv_len = 20, .pub_len = 128, .shared_len = 128, + .priv_a = "\xB9\xA3\xB3\xAE\x8F\xEF\xC1\xA2\x93\x04\x96\x50\x70\x86\xF8\x45" + "\x5D\x48\x94\x3E", + .priv_b = "\x93\x92\xC9\xF9\xEB\x6A\x7A\x6A\x90\x22\xF7\xD8\x3E\x72\x23\xC6" + "\x83\x5B\xBD\xDA", + .pub_a = "\x2A\x85\x3B\x3D\x92\x19\x75\x01\xB9\x01\x5B\x2D\xEB\x3E\xD8\x4F" + "\x5E\x02\x1D\xCC\x3E\x52\xF1\x09\xD3\x27\x3D\x2B\x75\x21\x28\x1C" + "\xBA\xBE\x0E\x76\xFF\x57\x27\xFA\x8A\xCC\xE2\x69\x56\xBA\x9A\x1F" + "\xCA\x26\xF2\x02\x28\xD8\x69\x3F\xEB\x10\x84\x1D\x84\xA7\x36\x00" + "\x54\xEC\xE5\xA7\xF5\xB7\xA6\x1A\xD3\xDF\xB3\xC6\x0D\x2E\x43\x10" + "\x6D\x87\x27\xDA\x37\xDF\x9C\xCE\x95\xB4\x78\x75\x5D\x06\xBC\xEA" + "\x8F\x9D\x45\x96\x5F\x75\xA5\xF3\xD1\xDF\x37\x01\x16\x5F\xC9\xE5" + "\x0C\x42\x79\xCE\xB0\x7F\x98\x95\x40\xAE\x96\xD5\xD8\x8E\xD7\x76", + .pub_b = "\x71\x7A\x6C\xB0\x53\x37\x1F\xF4\xA3\xB9\x32\x94\x1C\x1E\x56\x63" + "\xF8\x61\xA1\xD6\xAD\x34\xAE\x66\x57\x6D\xFB\x98\xF6\xC6\xCB\xF9" + "\xDD\xD5\xA5\x6C\x78\x33\xF6\xBC\xFD\xFF\x09\x55\x82\xAD\x86\x8E" + "\x44\x0E\x8D\x09\xFD\x76\x9E\x3C\xEC\xCD\xC3\xD3\xB1\xE4\xCF\xA0" + "\x57\x77\x6C\xAA\xF9\x73\x9B\x6A\x9F\xEE\x8E\x74\x11\xF8\xD6\xDA" + "\xC0\x9D\x6A\x4E\xDB\x46\xCC\x2B\x5D\x52\x03\x09\x0E\xAE\x61\x26" + "\x31\x1E\x53\xFD\x2C\x14\xB5\x74\xE6\xA3\x10\x9A\x3D\xA1\xBE\x41" + "\xBD\xCE\xAA\x18\x6F\x5C\xE0\x67\x16\xA2\xB6\xA0\x7B\x3C\x33\xFE", + .shared = "\x5C\x80\x4F\x45\x4D\x30\xD9\xC4\xDF\x85\x27\x1F\x93\x52\x8C\x91" + "\xDF\x6B\x48\xAB\x5F\x80\xB3\xB5\x9C\xAA\xC1\xB2\x8F\x8A\xCB\xA9" + "\xCD\x3E\x39\xF3\xCB\x61\x45\x25\xD9\x52\x1D\x2E\x64\x4C\x53\xB8" + "\x07\xB8\x10\xF3\x40\x06\x2F\x25\x7D\x7D\x6F\xBF\xE8\xD5\xE8\xF0" + "\x72\xE9\xB6\xE9\xAF\xDA\x94\x13\xEA\xFB\x2E\x8B\x06\x99\xB1\xFB" + "\x5A\x0C\xAC\xED\xDE\xAE\xAD\x7E\x9C\xFB\xB3\x6A\xE2\xB4\x20\x83" + "\x5B\xD8\x3A\x19\xFB\x0B\x5E\x96\xBF\x8F\xA4\xD0\x9E\x34\x55\x25" + "\x16\x7E\xCD\x91\x55\x41\x6F\x46\xF4\x08\xED\x31\xB6\x3C\x6E\x6D", +}; + +dh_test_vector_t modp2048_224 = { + .group = MODP_2048_224, .priv_len = 28, .pub_len = 256, .shared_len = 256, + .priv_a = "\x22\xe6\x26\x01\xdb\xff\xd0\x67\x08\xa6\x80\xf7\x47\xf3\x61\xf7" + "\x6d\x8f\x4f\x72\x1a\x05\x48\xe4\x83\x29\x4b\x0c", + .priv_b = "\x4f\xf3\xbc\x96\xc7\xfc\x6a\x6d\x71\xd3\xb3\x63\x80\x0a\x7c\xdf" + "\xef\x6f\xc4\x1b\x44\x17\xea\x15\x35\x3b\x75\x90", + .pub_a = "\x1b\x3a\x63\x45\x1b\xd8\x86\xe6\x99\xe6\x7b\x49\x4e\x28\x8b\xd7" + "\xf8\xe0\xd3\x70\xba\xdd\xa7\xa0\xef\xd2\xfd\xe7\xd8\xf6\x61\x45" + "\xcc\x9f\x28\x04\x19\x97\x5e\xb8\x08\x87\x7c\x8a\x4c\x0c\x8e\x0b" + "\xd4\x8d\x4a\x54\x01\xeb\x1e\x87\x76\xbf\xee\xe1\x34\xc0\x38\x31" + "\xac\x27\x3c\xd9\xd6\x35\xab\x0c\xe0\x06\xa4\x2a\x88\x7e\x3f\x52" + "\xfb\x87\x66\xb6\x50\xf3\x80\x78\xbc\x8e\xe8\x58\x0c\xef\xe2\x43" + "\x96\x8c\xfc\x4f\x8d\xc3\xdb\x08\x45\x54\x17\x1d\x41\xbf\x2e\x86" + "\x1b\x7b\xb4\xd6\x9d\xd0\xe0\x1e\xa3\x87\xcb\xaa\x5c\xa6\x72\xaf" + "\xcb\xe8\xbd\xb9\xd6\x2d\x4c\xe1\x5f\x17\xdd\x36\xf9\x1e\xd1\xee" + "\xdd\x65\xca\x4a\x06\x45\x5c\xb9\x4c\xd4\x0a\x52\xec\x36\x0e\x84" + "\xb3\xc9\x26\xe2\x2c\x43\x80\xa3\xbf\x30\x9d\x56\x84\x97\x68\xb7" + "\xf5\x2c\xfd\xf6\x55\xfd\x05\x3a\x7e\xf7\x06\x97\x9e\x7e\x58\x06" + "\xb1\x7d\xfa\xe5\x3a\xd2\xa5\xbc\x56\x8e\xbb\x52\x9a\x7a\x61\xd6" + "\x8d\x25\x6f\x8f\xc9\x7c\x07\x4a\x86\x1d\x82\x7e\x2e\xbc\x8c\x61" + "\x34\x55\x31\x15\xb7\x0e\x71\x03\x92\x0a\xa1\x6d\x85\xe5\x2b\xcb" + "\xab\x8d\x78\x6a\x68\x17\x8f\xa8\xff\x7c\x2f\x5c\x71\x64\x8d\x6f", + .pub_b = "\x4d\xce\xe9\x92\xa9\x76\x2a\x13\xf2\xf8\x38\x44\xad\x3d\x77\xee" + "\x0e\x31\xc9\x71\x8b\x3d\xb6\xc2\x03\x5d\x39\x61\x18\x2c\x3e\x0b" + "\xa2\x47\xec\x41\x82\xd7\x60\xcd\x48\xd9\x95\x99\x97\x06\x22\xa1" + "\x88\x1b\xba\x2d\xc8\x22\x93\x9c\x78\xc3\x91\x2c\x66\x61\xfa\x54" + "\x38\xb2\x07\x66\x22\x2b\x75\xe2\x4c\x2e\x3a\xd0\xc7\x28\x72\x36" + "\x12\x95\x25\xee\x15\xb5\xdd\x79\x98\xaa\x04\xc4\xa9\x69\x6c\xac" + "\xd7\x17\x20\x83\xa9\x7a\x81\x66\x4e\xad\x2c\x47\x9e\x44\x4e\x4c" + "\x06\x54\xcc\x19\xe2\x8d\x77\x03\xce\xe8\xda\xcd\x61\x26\xf5\xd6" + "\x65\xec\x52\xc6\x72\x55\xdb\x92\x01\x4b\x03\x7e\xb6\x21\xa2\xac" + "\x8e\x36\x5d\xe0\x71\xff\xc1\x40\x0a\xcf\x07\x7a\x12\x91\x3d\xd8" + "\xde\x89\x47\x34\x37\xab\x7b\xa3\x46\x74\x3c\x1b\x21\x5d\xd9\xc1" + "\x21\x64\xa7\xe4\x05\x31\x18\xd1\x99\xbe\xc8\xef\x6f\xc5\x61\x17" + "\x0c\x84\xc8\x7d\x10\xee\x9a\x67\x4a\x1f\xa8\xff\xe1\x3b\xdf\xba" + "\x1d\x44\xde\x48\x94\x6d\x68\xdc\x0c\xdd\x77\x76\x35\xa7\xab\x5b" + "\xfb\x1e\x4b\xb7\xb8\x56\xf9\x68\x27\x73\x4c\x18\x41\x38\xe9\x15" + "\xd9\xc3\x00\x2e\xbc\xe5\x31\x20\x54\x6a\x7e\x20\x02\x14\x2b\x6c", + .shared = "\x34\xd9\xbd\xdc\x1b\x42\x17\x6c\x31\x3f\xea\x03\x4c\x21\x03\x4d" + "\x07\x4a\x63\x13\xbb\x4e\xcd\xb3\x70\x3f\xff\x42\x45\x67\xa4\x6b" + "\xdf\x75\x53\x0e\xde\x0a\x9d\xa5\x22\x9d\xe7\xd7\x67\x32\x28\x6c" + "\xbc\x0f\x91\xda\x4c\x3c\x85\x2f\xc0\x99\xc6\x79\x53\x1d\x94\xc7" + "\x8a\xb0\x3d\x9d\xec\xb0\xa4\xe4\xca\x8b\x2b\xb4\x59\x1c\x40\x21" + "\xcf\x8c\xe3\xa2\x0a\x54\x1d\x33\x99\x40\x17\xd0\x20\x0a\xe2\xc9" + "\x51\x6e\x2f\xf5\x14\x57\x79\x26\x9e\x86\x2b\x0f\xb4\x74\xa2\xd5" + "\x6d\xc3\x1e\xd5\x69\xa7\x70\x0b\x4c\x4a\xb1\x6b\x22\xa4\x55\x13" + "\x53\x1e\xf5\x23\xd7\x12\x12\x07\x7b\x5a\x16\x9b\xde\xff\xad\x7a" + "\xd9\x60\x82\x84\xc7\x79\x5b\x6d\x5a\x51\x83\xb8\x70\x66\xde\x17" + "\xd8\xd6\x71\xc9\xeb\xd8\xec\x89\x54\x4d\x45\xec\x06\x15\x93\xd4" + "\x42\xc6\x2a\xb9\xce\x3b\x1c\xb9\x94\x3a\x1d\x23\xa5\xea\x3b\xcf" + "\x21\xa0\x14\x71\xe6\x7e\x00\x3e\x7f\x8a\x69\xc7\x28\xbe\x49\x0b" + "\x2f\xc8\x8c\xfe\xb9\x2d\xb6\xa2\x15\xe5\xd0\x3c\x17\xc4\x64\xc9" + "\xac\x1a\x46\xe2\x03\xe1\x3f\x95\x29\x95\xfb\x03\xc6\x9d\x3c\xc4" + "\x7f\xcb\x51\x0b\x69\x98\xff\xd3\xaa\x6d\xe7\x3c\xf9\xf6\x38\x69", +}; + +dh_test_vector_t modp2048_256 = { + .group = MODP_2048_256, .priv_len = 32, .pub_len = 256, .shared_len = 256, + .priv_a = "\x08\x81\x38\x2c\xdb\x87\x66\x0c\x6d\xc1\x3e\x61\x49\x38\xd5\xb9" + "\xc8\xb2\xf2\x48\x58\x1c\xc5\xe3\x1b\x35\x45\x43\x97\xfc\xe5\x0e", + .priv_b = "\x7d\x62\xa7\xe3\xef\x36\xde\x61\x7b\x13\xd1\xaf\xb8\x2c\x78\x0d" + "\x83\xa2\x3b\xd4\xee\x67\x05\x64\x51\x21\xf3\x71\xf5\x46\xa5\x3d", + .pub_a = "\x2e\x93\x80\xc8\x32\x3a\xf9\x75\x45\xbc\x49\x41\xde\xb0\xec\x37" + "\x42\xc6\x2f\xe0\xec\xe8\x24\xa6\xab\xdb\xe6\x6c\x59\xbe\xe0\x24" + "\x29\x11\xbf\xb9\x67\x23\x5c\xeb\xa3\x5a\xe1\x3e\x4e\xc7\x52\xbe" + "\x63\x0b\x92\xdc\x4b\xde\x28\x47\xa9\xc6\x2c\xb8\x15\x27\x45\x42" + "\x1f\xb7\xeb\x60\xa6\x3c\x0f\xe9\x15\x9f\xcc\xe7\x26\xce\x7c\xd8" + "\x52\x3d\x74\x50\x66\x7e\xf8\x40\xe4\x91\x91\x21\xeb\x5f\x01\xc8" + "\xc9\xb0\xd3\xd6\x48\xa9\x3b\xfb\x75\x68\x9e\x82\x44\xac\x13\x4a" + "\xf5\x44\x71\x1c\xe7\x9a\x02\xdc\xc3\x42\x26\x68\x47\x80\xdd\xdc" + "\xb4\x98\x59\x41\x06\xc3\x7f\x5b\xc7\x98\x56\x48\x7a\xf5\xab\x02" + "\x2a\x2e\x5e\x42\xf0\x98\x97\xc1\xa8\x5a\x11\xea\x02\x12\xaf\x04" + "\xd9\xb4\xce\xbc\x93\x7c\x3c\x1a\x3e\x15\xa8\xa0\x34\x2e\x33\x76" + "\x15\xc8\x4e\x7f\xe3\xb8\xb9\xb8\x7f\xb1\xe7\x3a\x15\xaf\x12\xa3" + "\x0d\x74\x6e\x06\xdf\xc3\x4f\x29\x0d\x79\x7c\xe5\x1a\xa1\x3a\xa7" + "\x85\xbf\x66\x58\xaf\xf5\xe4\xb0\x93\x00\x3c\xbe\xaf\x66\x5b\x3c" + "\x2e\x11\x3a\x3a\x4e\x90\x52\x69\x34\x1d\xc0\x71\x14\x26\x68\x5f" + "\x4e\xf3\x7e\x86\x8a\x81\x26\xff\x3f\x22\x79\xb5\x7c\xa6\x7e\x29", + .pub_b = "\x57\x5f\x03\x51\xbd\x2b\x1b\x81\x74\x48\xbd\xf8\x7a\x6c\x36\x2c" + "\x1e\x28\x9d\x39\x03\xa3\x0b\x98\x32\xc5\x74\x1f\xa2\x50\x36\x3e" + "\x7a\xcb\xc7\xf7\x7f\x3d\xac\xbc\x1f\x13\x1a\xdd\x8e\x03\x36\x7e" + "\xff\x8f\xbb\xb3\xe1\xc5\x78\x44\x24\x80\x9b\x25\xaf\xe4\xd2\x26" + "\x2a\x1a\x6f\xd2\xfa\xb6\x41\x05\xca\x30\xa6\x74\xe0\x7f\x78\x09" + "\x85\x20\x88\x63\x2f\xc0\x49\x23\x37\x91\xad\x4e\xdd\x08\x3a\x97" + "\x8b\x88\x3e\xe6\x18\xbc\x5e\x0d\xd0\x47\x41\x5f\x2d\x95\xe6\x83" + "\xcf\x14\x82\x6b\x5f\xbe\x10\xd3\xce\x41\xc6\xc1\x20\xc7\x8a\xb2" + "\x00\x08\xc6\x98\xbf\x7f\x0b\xca\xb9\xd7\xf4\x07\xbe\xd0\xf4\x3a" + "\xfb\x29\x70\xf5\x7f\x8d\x12\x04\x39\x63\xe6\x6d\xdd\x32\x0d\x59" + "\x9a\xd9\x93\x6c\x8f\x44\x13\x7c\x08\xb1\x80\xec\x5e\x98\x5c\xeb" + "\xe1\x86\xf3\xd5\x49\x67\x7e\x80\x60\x73\x31\xee\x17\xaf\x33\x80" + "\xa7\x25\xb0\x78\x23\x17\xd7\xdd\x43\xf5\x9d\x7a\xf9\x56\x8a\x9b" + "\xb6\x3a\x84\xd3\x65\xf9\x22\x44\xed\x12\x09\x88\x21\x93\x02\xf4" + "\x29\x24\xc7\xca\x90\xb8\x9d\x24\xf7\x1b\x0a\xb6\x97\x82\x3d\x7d" + "\xeb\x1a\xff\x5b\x0e\x8e\x4a\x45\xd4\x9f\x7f\x53\x75\x7e\x19\x13", + .shared = "\x86\xc7\x0b\xf8\xd0\xbb\x81\xbb\x01\x07\x8a\x17\x21\x9c\xb7\xd2" + "\x72\x03\xdb\x2a\x19\xc8\x77\xf1\xd1\xf1\x9f\xd7\xd7\x7e\xf2\x25" + "\x46\xa6\x8f\x00\x5a\xd5\x2d\xc8\x45\x53\xb7\x8f\xc6\x03\x30\xbe" + "\x51\xea\x7c\x06\x72\xca\xc1\x51\x5e\x4b\x35\xc0\x47\xb9\xa5\x51" + "\xb8\x8f\x39\xdc\x26\xda\x14\xa0\x9e\xf7\x47\x74\xd4\x7c\x76\x2d" + "\xd1\x77\xf9\xed\x5b\xc2\xf1\x1e\x52\xc8\x79\xbd\x95\x09\x85\x04" + "\xcd\x9e\xec\xd8\xa8\xf9\xb3\xef\xbd\x1f\x00\x8a\xc5\x85\x30\x97" + "\xd9\xd1\x83\x7f\x2b\x18\xf7\x7c\xd7\xbe\x01\xaf\x80\xa7\xc7\xb5" + "\xea\x3c\xa5\x4c\xc0\x2d\x0c\x11\x6f\xee\x3f\x95\xbb\x87\x39\x93" + "\x85\x87\x5d\x7e\x86\x74\x7e\x67\x6e\x72\x89\x38\xac\xbf\xf7\x09" + "\x8e\x05\xbe\x4d\xcf\xb2\x40\x52\xb8\x3a\xef\xfb\x14\x78\x3f\x02" + "\x9a\xdb\xde\x7f\x53\xfa\xe9\x20\x84\x22\x40\x90\xe0\x07\xce\xe9" + "\x4d\x4b\xf2\xba\xce\x9f\xfd\x4b\x57\xd2\xaf\x7c\x72\x4d\x0c\xaa" + "\x19\xbf\x05\x01\xf6\xf1\x7b\x4a\xa1\x0f\x42\x5e\x3e\xa7\x60\x80" + "\xb4\xb9\xd6\xb3\xce\xfe\xa1\x15\xb2\xce\xb8\x78\x9b\xb8\xa3\xb0" + "\xea\x87\xfe\xbe\x63\xb6\xc8\xf8\x46\xec\x6d\xb0\xc2\x6c\x5d\x7c", +}; diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c index cd0a12a5c..0505e2c40 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c +++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c @@ -19,12 +19,13 @@ #include /* define symbols of all test vectors */ -#define TEST_VECTOR_CRYPTER(x) crypter_test_vector_t x; -#define TEST_VECTOR_AEAD(x) aead_test_vector_t x; -#define TEST_VECTOR_SIGNER(x) signer_test_vector_t x; -#define TEST_VECTOR_HASHER(x) hasher_test_vector_t x; -#define TEST_VECTOR_PRF(x) prf_test_vector_t x; -#define TEST_VECTOR_RNG(x) rng_test_vector_t x; +#define TEST_VECTOR_CRYPTER(x) extern crypter_test_vector_t x; +#define TEST_VECTOR_AEAD(x) extern aead_test_vector_t x; +#define TEST_VECTOR_SIGNER(x) extern signer_test_vector_t x; +#define TEST_VECTOR_HASHER(x) extern hasher_test_vector_t x; +#define TEST_VECTOR_PRF(x) extern prf_test_vector_t x; +#define TEST_VECTOR_RNG(x) extern rng_test_vector_t x; +#define TEST_VECTOR_DH(x) extern dh_test_vector_t x; #include "test_vectors.h" @@ -34,6 +35,7 @@ #undef TEST_VECTOR_HASHER #undef TEST_VECTOR_PRF #undef TEST_VECTOR_RNG +#undef TEST_VECTOR_DH #define TEST_VECTOR_CRYPTER(x) #define TEST_VECTOR_AEAD(x) @@ -41,6 +43,7 @@ #define TEST_VECTOR_HASHER(x) #define TEST_VECTOR_PRF(x) #define TEST_VECTOR_RNG(x) +#define TEST_VECTOR_DH(x) /* create test vector arrays */ #undef TEST_VECTOR_CRYPTER @@ -91,6 +94,14 @@ static rng_test_vector_t *rng[] = { #undef TEST_VECTOR_RNG #define TEST_VECTOR_RNG(x) +#undef TEST_VECTOR_DH +#define TEST_VECTOR_DH(x) &x, +static dh_test_vector_t *dh[] = { +#include "test_vectors.h" +}; +#undef TEST_VECTOR_DH +#define TEST_VECTOR_DH(x) + typedef struct private_test_vectors_plugin_t private_test_vectors_plugin_t; /** @@ -175,7 +186,11 @@ plugin_t *test_vectors_plugin_create() lib->crypto->add_test_vector(lib->crypto, RANDOM_NUMBER_GENERATOR, rng[i]); } + for (i = 0; i < countof(dh); i++) + { + lib->crypto->add_test_vector(lib->crypto, + DIFFIE_HELLMAN_GROUP, dh[i]); + } return &this->public.plugin; } - diff --git a/src/libstrongswan/tests/suites/test_chunk.c b/src/libstrongswan/tests/suites/test_chunk.c index b5d23658d..312a187ac 100644 --- a/src/libstrongswan/tests/suites/test_chunk.c +++ b/src/libstrongswan/tests/suites/test_chunk.c @@ -60,6 +60,32 @@ START_TEST(test_chunk_equals) } END_TEST +/******************************************************************************* + * equals_const + */ + +START_TEST(test_chunk_equals_const) +{ + chunk_t chunk = chunk_from_str("chunk"); + chunk_t chunk_a, chunk_b; + + chunk_a = chunk_empty; + chunk_b = chunk_empty; + ck_assert(!chunk_equals_const(chunk_a, chunk_b)); + + chunk_a = chunk; + ck_assert(!chunk_equals_const(chunk_a, chunk_b)); + chunk_b = chunk; + ck_assert(chunk_equals_const(chunk_a, chunk_b)); + + chunk_b = chunk_from_str("asdf"); + ck_assert(!chunk_equals_const(chunk_a, chunk_b)); + + chunk_b = chunk_from_str("chunk"); + ck_assert(chunk_equals_const(chunk_a, chunk_b)); +} +END_TEST + /******************************************************************************* * chunk_compare test */ @@ -1013,6 +1039,7 @@ Suite *chunk_suite_create() tc = tcase_create("equals"); tcase_add_test(tc, test_chunk_equals); + tcase_add_test(tc, test_chunk_equals_const); suite_add_tcase(s, tc); tc = tcase_create("chunk_compare"); diff --git a/src/libstrongswan/tests/suites/test_enum.c b/src/libstrongswan/tests/suites/test_enum.c index 53ebd2931..70bfdb2aa 100644 --- a/src/libstrongswan/tests/suites/test_enum.c +++ b/src/libstrongswan/tests/suites/test_enum.c @@ -291,6 +291,15 @@ START_TEST(test_enum_printf_hook_split) } END_TEST +START_TEST(test_enum_printf_hook_null) +{ + char buf[16]; + + snprintf(buf, sizeof(buf), "%N", NULL, 7); + ck_assert_str_eq("(7)", buf); +} +END_TEST + START_TEST(test_enum_printf_hook_flags) { char buf[1024]; @@ -406,6 +415,7 @@ Suite *enum_suite_create() tc = tcase_create("enum_printf_hook"); tcase_add_loop_test(tc, test_enum_printf_hook_cont, 0, countof(printf_tests_cont)); tcase_add_loop_test(tc, test_enum_printf_hook_split, 0, countof(printf_tests_split)); + tcase_add_test(tc, test_enum_printf_hook_null); tcase_add_loop_test(tc, test_enum_printf_hook_flags, 0, countof(printf_tests_flags)); tcase_add_loop_test(tc, test_enum_printf_hook_flags_incomplete, 0, countof(printf_tests_flags_incomplete)); tcase_add_loop_test(tc, test_enum_printf_hook_flags_null, 0, countof(printf_tests_flags_null)); diff --git a/src/libstrongswan/tests/suites/test_threading.c b/src/libstrongswan/tests/suites/test_threading.c index 55a4cd797..9a9fdd8e9 100644 --- a/src/libstrongswan/tests/suites/test_threading.c +++ b/src/libstrongswan/tests/suites/test_threading.c @@ -1517,6 +1517,36 @@ START_TEST(test_cleanup_pop) } END_TEST +static void *cleanup_popall_run(void *data) +{ + thread_cleanup_push(cleanup3, data); + thread_cleanup_push(cleanup2, data); + thread_cleanup_push(cleanup1, data); + + thread_cleanup_popall(); + return NULL; +} + +START_TEST(test_cleanup_popall) +{ + thread_t *threads[THREADS]; + uintptr_t values[THREADS]; + int i; + + for (i = 0; i < THREADS; i++) + { + values[i] = 1; + threads[i] = thread_create(cleanup_popall_run, &values[i]); + } + for (i = 0; i < THREADS; i++) + { + threads[i]->join(threads[i]); + ck_assert_int_eq(values[i], 4); + } +} +END_TEST + + static thread_value_t *tls[10]; static void *tls_run(void *data) @@ -1697,6 +1727,7 @@ Suite *threading_suite_create() tcase_add_test(tc, test_cleanup_exit); tcase_add_test(tc, test_cleanup_cancel); tcase_add_test(tc, test_cleanup_pop); + tcase_add_test(tc, test_cleanup_popall); suite_add_tcase(s, tc); tc = tcase_create("thread local storage"); diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c index 85a854456..b38f2cb52 100644 --- a/src/libstrongswan/tests/suites/test_utils.c +++ b/src/libstrongswan/tests/suites/test_utils.c @@ -228,6 +228,41 @@ START_TEST(test_strpfx) } END_TEST +/******************************************************************************* + * mallac_align/free_align + */ + +START_TEST(test_malloc_align) +{ + void *ptr[128][256]; + int size, align; + + for (size = 0; size < countof(ptr); size++) + { + for (align = 0; align < countof(ptr[0]); align++) + { + ptr[size][align] = malloc_align(size, align); + if (align) + { + ck_assert((uintptr_t)ptr[size][align] % align == 0); + } + if (size) + { + ck_assert(ptr[size][align]); + memset(ptr[size][align], 0xEF, size); + } + } + } + for (size = 0; size < countof(ptr); size++) + { + for (align = 0; align < countof(ptr[0]); align++) + { + free_align(ptr[size][align]); + } + } +} +END_TEST + /******************************************************************************* * memxor */ @@ -306,6 +341,48 @@ START_TEST(test_memxor_aligned) } END_TEST +/******************************************************************************* + * memeq/const + */ + +static struct { + char *a; + char *b; + size_t n; + bool res; +} memeq_data[] = { + {NULL, NULL, 0, TRUE}, + {"a", "b", 0, TRUE}, + {"", "", 1, TRUE}, + {"abcdefgh", "abcdefgh", 8, TRUE}, + {"a", "b", 1, FALSE}, + {"A", "a", 1, FALSE}, + {"\0a", "\0b", 2, FALSE}, + {"abc", "abd", 3, FALSE}, + {"abc", "dbd", 3, FALSE}, + {"abcdefgh", "abcdffgh", 8, FALSE}, + {"abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz", + "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz", 52, TRUE}, + {"abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz", + "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyy", 52, FALSE}, + {"bbcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz", + "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz", 52, FALSE}, +}; + +START_TEST(test_memeq) +{ + ck_assert(memeq(memeq_data[_i].a, memeq_data[_i].b, + memeq_data[_i].n) == memeq_data[_i].res); +} +END_TEST + +START_TEST(test_memeq_const) +{ + ck_assert(memeq_const(memeq_data[_i].a, memeq_data[_i].b, + memeq_data[_i].n) == memeq_data[_i].res); +} +END_TEST + /******************************************************************************* * memstr */ @@ -774,11 +851,20 @@ Suite *utils_suite_create() tcase_add_loop_test(tc, test_strpfx, 0, countof(strpfx_data)); suite_add_tcase(s, tc); + tc = tcase_create("malloc_align"); + tcase_add_test(tc, test_malloc_align); + suite_add_tcase(s, tc); + tc = tcase_create("memxor"); tcase_add_test(tc, test_memxor); tcase_add_test(tc, test_memxor_aligned); suite_add_tcase(s, tc); + tc = tcase_create("memeq"); + tcase_add_loop_test(tc, test_memeq, 0, countof(memeq_data)); + tcase_add_loop_test(tc, test_memeq_const, 0, countof(memeq_data)); + suite_add_tcase(s, tc); + tc = tcase_create("memstr"); tcase_add_loop_test(tc, test_memstr, 0, countof(memstr_data)); suite_add_tcase(s, tc); diff --git a/src/libstrongswan/tests/suites/test_vectors.c b/src/libstrongswan/tests/suites/test_vectors.c index a1205d0be..a35342837 100644 --- a/src/libstrongswan/tests/suites/test_vectors.c +++ b/src/libstrongswan/tests/suites/test_vectors.c @@ -19,15 +19,34 @@ #include "test_suite.h" #include +#include +#include -IMPORT_FUNCTION_FOR_TESTS(crypto, verify_registered_algorithms, u_int, - crypto_factory_t *factory); +static transform_type_t tfs[] = { + ENCRYPTION_ALGORITHM, + AEAD_ALGORITHM, + INTEGRITY_ALGORITHM, + HASH_ALGORITHM, + PSEUDO_RANDOM_FUNCTION, + RANDOM_NUMBER_GENERATOR, + DIFFIE_HELLMAN_GROUP, +}; START_TEST(test_vectors) { - u_int failed = TEST_FUNCTION(crypto, verify_registered_algorithms, - lib->crypto); - fail_if(failed > 0, "%u test vectors failed", failed); + enumerator_t *enumerator; + char *plugin; + bool success; + u_int alg; + + enumerator = lib->crypto->create_verify_enumerator(lib->crypto, tfs[_i]); + thread_cleanup_push((void*)enumerator->destroy, enumerator); + while (enumerator->enumerate(enumerator, &alg, &plugin, &success)) + { + ck_assert_msg(success, "test vector for %N from '%s' plugin failed", + transform_get_enum_names(tfs[_i]), alg, plugin); + } + thread_cleanup_pop(TRUE); } END_TEST @@ -39,8 +58,9 @@ Suite *vectors_suite_create() s = suite_create("vectors"); - tc = tcase_create("failures"); - tcase_add_test(tc, test_vectors); + tc = tcase_create("transforms"); + tcase_add_loop_test(tc, test_vectors, 0, countof(tfs)); + tcase_set_timeout(tc, 20); suite_add_tcase(s, tc); return s; diff --git a/src/libstrongswan/tests/test_runner.c b/src/libstrongswan/tests/test_runner.c index b77302820..0bae9c8cd 100644 --- a/src/libstrongswan/tests/test_runner.c +++ b/src/libstrongswan/tests/test_runner.c @@ -185,6 +185,7 @@ static bool run_test(test_function_t *tfun, int i) tfun->cb(i); return TRUE; } + thread_cleanup_popall(); return FALSE; } @@ -219,6 +220,7 @@ static bool call_fixture(test_case_t *tcase, bool up) } else { + thread_cleanup_popall(); failure = TRUE; break; } @@ -233,9 +235,6 @@ static bool call_fixture(test_case_t *tcase, bool up) */ static bool pre_test(test_runner_init_t init, char *cfg) { - level_t level = LEVEL_SILENT; - char *verbosity; - library_init(cfg, "test-runner"); /* use non-blocking RNG to generate keys fast */ @@ -258,12 +257,6 @@ static bool pre_test(test_runner_init_t init, char *cfg) library_deinit(); return FALSE; } - verbosity = getenv("TESTS_VERBOSITY"); - if (verbosity) - { - level = atoi(verbosity); - } - dbg_default_set_level(level); return TRUE; } @@ -336,6 +329,7 @@ static bool post_test(test_runner_init_t init, bool check_leaks, } else { + thread_cleanup_popall(); library_deinit(); return FALSE; } @@ -529,7 +523,8 @@ int test_runner_run(const char *name, test_configuration_t configs[], test_suite_t *suite; enumerator_t *enumerator; int passed = 0, result; - char *cfg; + level_t level = LEVEL_SILENT; + char *cfg, *verbosity; /* redirect all output to stderr (to redirect make's stdout to /dev/null) */ dup2(2, 1); @@ -542,6 +537,13 @@ int test_runner_run(const char *name, test_configuration_t configs[], return EXIT_FAILURE; } + verbosity = getenv("TESTS_VERBOSITY"); + if (verbosity) + { + level = atoi(verbosity); + } + dbg_default_set_level(level); + fprintf(stderr, "Running %u '%s' test suites:\n", array_count(suites), name); enumerator = array_create_enumerator(suites); diff --git a/src/libstrongswan/tests/test_runner.h b/src/libstrongswan/tests/test_runner.h index 7250f8a00..5c3057096 100644 --- a/src/libstrongswan/tests/test_runner.h +++ b/src/libstrongswan/tests/test_runner.h @@ -69,10 +69,14 @@ struct test_configuration_t { * * - TESTS_VERBOSITY: Numerical loglevel for debug log * - TESTS_STRONGSWAN_CONF: Specify a path to a custom strongswan.conf + * - TESTS_PLUGINS: Specify an explicit list of plugins to load * - TESTS_SUITES: Run specific test suites only * - TESTS_SUITES_EXCLUDE: Don't run specific test suites * - TESTS_REDUCED_KEYLENGTHS: Test minimal keylengths for public key tests only * + * Please note that TESTS_PLUGINS actually must be implemented by the init + * callback function, as plugin loading is delegated. + * * @param name name of test runner * @param config test suite constructors with dependencies * @param init_cb init/deinit callback diff --git a/src/libstrongswan/tests/test_suite.h b/src/libstrongswan/tests/test_suite.h index da57ab46c..aedd8c011 100644 --- a/src/libstrongswan/tests/test_suite.h +++ b/src/libstrongswan/tests/test_suite.h @@ -313,7 +313,7 @@ void test_fail_if_worker_failed(); test_fail_if_worker_failed(); \ if (!(x)) \ { \ - test_fail_msg(__FILE__, __LINE__, #x); \ + test_fail_msg(__FILE__, __LINE__, "%s", #x); \ } \ }) @@ -329,7 +329,7 @@ void test_fail_if_worker_failed(); test_fail_if_worker_failed(); \ if (!(x)) \ { \ - test_fail_msg(__FILE__, __LINE__, #x ": " fmt, ##__VA_ARGS__); \ + test_fail_msg(__FILE__, __LINE__, "%s: " fmt, #x, ##__VA_ARGS__); \ } \ }) @@ -349,7 +349,7 @@ void test_fail_if_worker_failed(); test_fail_if_worker_failed(); \ if (x) \ { \ - test_fail_msg(__FILE__, __LINE__, #x ": " fmt, ##__VA_ARGS__); \ + test_fail_msg(__FILE__, __LINE__, "%s : " fmt, #x, ##__VA_ARGS__); \ } \ }) #define fail_unless test_assert_msg diff --git a/src/libstrongswan/tests/tests.c b/src/libstrongswan/tests/tests.c index d95ddd9d5..aed600fbc 100644 --- a/src/libstrongswan/tests/tests.c +++ b/src/libstrongswan/tests/tests.c @@ -37,7 +37,8 @@ static bool test_runner_init(bool init) { char *plugins, *plugindir; - plugins = lib->settings->get_str(lib->settings, + plugins = getenv("TESTS_PLUGINS") ?: + lib->settings->get_str(lib->settings, "tests.load", PLUGINS); plugindir = lib->settings->get_str(lib->settings, "tests.plugindir", PLUGINDIR); diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c index 593f44a44..7a243e826 100644 --- a/src/libstrongswan/threading/thread.c +++ b/src/libstrongswan/threading/thread.c @@ -16,7 +16,6 @@ #define _GNU_SOURCE #include #include -#include #ifdef HAVE_GETTID #include @@ -78,11 +77,6 @@ struct private_thread_t { */ mutex_t *mutex; - /** - * Semaphore used to sync the creation/start of the thread. - */ - sem_t created; - /** * TRUE if this thread has been detached or joined, i.e. can be cleaned * up after terminating. @@ -160,7 +154,6 @@ static void thread_destroy(private_thread_t *this) this->cleanup_handlers->destroy(this->cleanup_handlers); this->mutex->unlock(this->mutex); this->mutex->destroy(this->mutex); - sem_destroy(&this->created); free(this); } @@ -263,7 +256,6 @@ static private_thread_t *thread_create_internal() .cleanup_handlers = linked_list_create(), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), ); - sem_init(&this->created, FALSE, 0); return this; } @@ -292,7 +284,6 @@ static void *thread_main(private_thread_t *this) { void *res; - sem_wait(&this->created); current_thread->set(current_thread, this); pthread_cleanup_push((thread_cleanup_t)thread_cleanup, this); @@ -324,6 +315,10 @@ thread_t *thread_create(thread_main_t main, void *arg) this->main = main; this->arg = arg; + id_mutex->lock(id_mutex); + this->id = next_id++; + id_mutex->unlock(id_mutex); + if (pthread_create(&this->thread_id, NULL, (void*)thread_main, this) != 0) { DBG1(DBG_LIB, "failed to create thread!"); @@ -331,10 +326,6 @@ thread_t *thread_create(thread_main_t main, void *arg) thread_destroy(this); return NULL; } - id_mutex->lock(id_mutex); - this->id = next_id++; - id_mutex->unlock(id_mutex); - sem_post(&this->created); return &this->public; } @@ -383,9 +374,7 @@ void thread_cleanup_push(thread_cleanup_t cleanup, void *arg) .arg = arg, ); - this->mutex->lock(this->mutex); this->cleanup_handlers->insert_last(this->cleanup_handlers, handler); - this->mutex->unlock(this->mutex); } /** @@ -396,15 +385,12 @@ void thread_cleanup_pop(bool execute) private_thread_t *this = (private_thread_t*)thread_current(); cleanup_handler_t *handler; - this->mutex->lock(this->mutex); if (this->cleanup_handlers->remove_last(this->cleanup_handlers, (void**)&handler) != SUCCESS) { - this->mutex->unlock(this->mutex); DBG1(DBG_LIB, "!!! THREAD CLEANUP ERROR !!!"); return; } - this->mutex->unlock(this->mutex); if (execute) { @@ -413,6 +399,23 @@ void thread_cleanup_pop(bool execute) free(handler); } +/** + * Described in header. + */ +void thread_cleanup_popall() +{ + private_thread_t *this = (private_thread_t*)thread_current(); + cleanup_handler_t *handler; + + while (this->cleanup_handlers->get_count(this->cleanup_handlers)) + { + this->cleanup_handlers->remove_last(this->cleanup_handlers, + (void**)&handler); + handler->cleanup(handler->arg); + free(handler); + } +} + /** * Described in header. */ diff --git a/src/libstrongswan/threading/thread.h b/src/libstrongswan/threading/thread.h index 38275541e..c24772839 100644 --- a/src/libstrongswan/threading/thread.h +++ b/src/libstrongswan/threading/thread.h @@ -123,6 +123,16 @@ void thread_cleanup_push(thread_cleanup_t cleanup, void *arg); */ void thread_cleanup_pop(bool execute); +/** + * Pop and execute all cleanup handlers in reverse order of registration. + * + * This function is for very special purposes only, where the caller exactly + * knows which cleanup handlers have been pushed. For regular use, a caller + * should thread_cleanup_pop() exactly the number of handlers it pushed + * using thread_cleanup_push(). + */ +void thread_cleanup_popall(); + /** * Enable or disable the cancelability of the current thread. The current * value is returned. diff --git a/src/libstrongswan/threading/windows/thread.c b/src/libstrongswan/threading/windows/thread.c index e76758f8c..610524722 100644 --- a/src/libstrongswan/threading/windows/thread.c +++ b/src/libstrongswan/threading/windows/thread.c @@ -559,6 +559,26 @@ void thread_cleanup_pop(bool execute) } } +/** + * Described in header. + */ +void thread_cleanup_popall() +{ + private_thread_t *this; + cleanup_t cleanup = {}; + bool old; + + this = get_current_thread(); + while (array_count(this->cleanup)) + { + old = set_leak_detective(FALSE); + array_remove(this->cleanup, -1, &cleanup); + set_leak_detective(old); + + cleanup.cb(cleanup.arg); + } +} + /** * Described in header. */ diff --git a/src/libstrongswan/utils/chunk.h b/src/libstrongswan/utils/chunk.h index 48405b77e..2ec7f7543 100644 --- a/src/libstrongswan/utils/chunk.h +++ b/src/libstrongswan/utils/chunk.h @@ -309,6 +309,19 @@ static inline bool chunk_equals(chunk_t a, chunk_t b) a.len == b.len && memeq(a.ptr, b.ptr, a.len); } +/** + * Compare two chunks for equality, constant time for cryptographic purposes. + * + * Note that this function is constant time only for chunks with the same + * length, i.e. it does not protect against guessing the length of one of the + * chunks. + */ +static inline bool chunk_equals_const(chunk_t a, chunk_t b) +{ + return a.ptr != NULL && b.ptr != NULL && + a.len == b.len && memeq_const(a.ptr, b.ptr, a.len); +} + /** * Compare two chunks (given as pointers) for equality (useful as callback), * NULL chunks are never equal. diff --git a/src/libstrongswan/utils/cpu_feature.c b/src/libstrongswan/utils/cpu_feature.c new file mode 100644 index 000000000..d86ca6bd8 --- /dev/null +++ b/src/libstrongswan/utils/cpu_feature.c @@ -0,0 +1,158 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "cpu_feature.h" + +#if defined __i386__ || defined(__x86_64__) + +typedef enum { + /* Generic CPUID(1) flags */ + CPUID1_EDX_MMX = (1 << 23), + CPUID1_EDX_SSE = (1 << 25), + CPUID1_EDX_SSE2 = (1 << 26), + CPUID1_ECX_SSE3 = (1 << 0), + CPUID1_ECX_PCLMULQDQ = (1 << 1), + CPUID1_ECX_SSSE3 = (1 << 9), + CPUID1_ECX_SSE41 = (1 << 19), + CPUID1_ECX_SSE42 = (1 << 20), + CPUID1_ECX_AESNI = (1 << 25), + CPUID1_ECX_AVX = (1 << 28), + CPUID1_ECX_RDRAND = (1 << 30), + + /* For CentaurHauls cpuid(0xC0000001) */ + CPUIDC1_EDX_RNG_AVAILABLE = (1 << 2), + CPUIDC1_EDX_RNG_ENABLED = (1 << 3), + CPUIDC1_EDX_ACE_AVAILABLE = (1 << 6), + CPUIDC1_EDX_ACE_ENABLED = (1 << 7), + CPUIDC1_EDX_ACE2_AVAILABLE = (1 << 8), + CPUIDC1_EDX_ACE2_ENABLED = (1 << 9), + CPUIDC1_EDX_PHE_AVAILABLE = (1 << 10), + CPUIDC1_EDX_PHE_ENABLED = (1 << 11), + CPUIDC1_EDX_PMM_AVAILABLE = (1 << 12), + CPUIDC1_EDX_PMM_ENABLED = (1 << 13), +} cpuid_flag_t; + +/** + * Get cpuid for info, return eax, ebx, ecx and edx. + * -fPIC requires to save ebx on IA-32. + */ +static void cpuid(u_int op, u_int *a, u_int *b, u_int *c, u_int *d) +{ +#ifdef __x86_64__ + asm("cpuid" : "=a" (*a), "=b" (*b), "=c" (*c), "=d" (*d) : "a" (op)); +#else /* __i386__ */ + asm("pushl %%ebx;" + "cpuid;" + "movl %%ebx, %1;" + "popl %%ebx;" + : "=a" (*a), "=r" (*b), "=c" (*c), "=d" (*d) : "a" (op)); +#endif /* __x86_64__ / __i386__*/ +} + +/** + * Return feature if flag in reg, flag-to-feature + */ +static inline cpu_feature_t f2f(u_int reg, cpuid_flag_t flag, cpu_feature_t f) +{ + if (reg & flag) + { + return f; + } + return 0; +} + +/** + * Get features for a Via "CentaurHauls" CPU + */ +static cpu_feature_t get_via_features() +{ + cpu_feature_t f = 0; + u_int a, b, c, d; + + cpuid(0xc0000001, &a, &b, &c, &d); + + f |= f2f(d, CPUIDC1_EDX_RNG_AVAILABLE, CPU_FEATURE_PADLOCK_RNG_AVAILABLE); + f |= f2f(d, CPUIDC1_EDX_RNG_ENABLED, CPU_FEATURE_PADLOCK_RNG_ENABLED); + f |= f2f(d, CPUIDC1_EDX_ACE_AVAILABLE, CPU_FEATURE_PADLOCK_ACE_AVAILABLE); + f |= f2f(d, CPUIDC1_EDX_ACE_ENABLED, CPU_FEATURE_PADLOCK_ACE_ENABLED); + f |= f2f(d, CPUIDC1_EDX_ACE2_AVAILABLE, CPU_FEATURE_PADLOCK_ACE2_AVAILABLE); + f |= f2f(d, CPUIDC1_EDX_ACE2_ENABLED, CPU_FEATURE_PADLOCK_ACE2_ENABLED); + f |= f2f(d, CPUIDC1_EDX_PHE_AVAILABLE, CPU_FEATURE_PADLOCK_PHE_AVAILABLE); + f |= f2f(d, CPUIDC1_EDX_PHE_ENABLED, CPU_FEATURE_PADLOCK_PHE_ENABLED); + f |= f2f(d, CPUIDC1_EDX_PMM_AVAILABLE, CPU_FEATURE_PADLOCK_PMM_AVAILABLE); + f |= f2f(d, CPUIDC1_EDX_PMM_ENABLED, CPU_FEATURE_PADLOCK_PMM_ENABLED); + + return f; +} + +/** + * See header. + */ +cpu_feature_t cpu_feature_get_all() +{ + char vendor[3 * sizeof(u_int32_t) + 1]; + cpu_feature_t f = 0; + u_int a, b, c, d; + + cpuid(0, &a, &b, &c, &d); + /* VendorID string is in b-d-c (yes, in this order) */ + snprintf(vendor, sizeof(vendor), "%.4s%.4s%.4s", &b, &d, &c); + + cpuid(1, &a, &b, &c, &d); + + /* check common x86 features for CPUID(1) */ + f |= f2f(d, CPUID1_EDX_MMX, CPU_FEATURE_MMX); + f |= f2f(d, CPUID1_EDX_SSE, CPU_FEATURE_SSE); + f |= f2f(d, CPUID1_EDX_SSE2, CPU_FEATURE_SSE2); + f |= f2f(c, CPUID1_ECX_SSE3, CPU_FEATURE_SSE3); + f |= f2f(c, CPUID1_ECX_PCLMULQDQ, CPU_FEATURE_PCLMULQDQ); + f |= f2f(c, CPUID1_ECX_SSSE3, CPU_FEATURE_SSSE3); + f |= f2f(c, CPUID1_ECX_SSE41, CPU_FEATURE_SSE41); + f |= f2f(c, CPUID1_ECX_SSE42, CPU_FEATURE_SSE42); + f |= f2f(c, CPUID1_ECX_AESNI, CPU_FEATURE_AESNI); + f |= f2f(c, CPUID1_ECX_AVX, CPU_FEATURE_AVX); + f |= f2f(c, CPUID1_ECX_RDRAND, CPU_FEATURE_RDRAND); + + if (streq(vendor, "CentaurHauls")) + { + cpuid(0xc0000000, &a, &b, &c, &d); + /* check Centaur Extended Feature Flags */ + if (a >= 0xc0000001) + { + f |= get_via_features(); + } + } + return f; +} + +#else /* !x86 */ + +/** + * See header. + */ +cpu_feature_t cpu_feature_get_all() +{ + return 0; +} + +#endif + +/** + * See header. + */ +bool cpu_feature_available(cpu_feature_t feature) +{ + return (cpu_feature_get_all() & feature) == feature; +} diff --git a/src/libstrongswan/utils/cpu_feature.h b/src/libstrongswan/utils/cpu_feature.h new file mode 100644 index 000000000..3a807fa2b --- /dev/null +++ b/src/libstrongswan/utils/cpu_feature.h @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup cpu_feature cpu_feature + * @{ @ingroup utils + */ + +#ifndef CPU_FEATURE_H_ +#define CPU_FEATURE_H_ + +#include + +typedef enum { + /** x86/x64 extensions */ + CPU_FEATURE_MMX = (1 << 0), + CPU_FEATURE_SSE = (1 << 1), + CPU_FEATURE_SSE2 = (1 << 2), + CPU_FEATURE_SSE3 = (1 << 3), + CPU_FEATURE_SSSE3 = (1 << 4), + CPU_FEATURE_SSE41 = (1 << 5), + CPU_FEATURE_SSE42 = (1 << 6), + CPU_FEATURE_AVX = (1 << 7), + CPU_FEATURE_RDRAND = (1 << 8), + CPU_FEATURE_AESNI = (1 << 9), + CPU_FEATURE_PCLMULQDQ = (1 << 10), + /** Via Padlock Security features */ + CPU_FEATURE_PADLOCK_RNG_AVAILABLE = (1 << 22), + CPU_FEATURE_PADLOCK_RNG_ENABLED = (1 << 23), + CPU_FEATURE_PADLOCK_ACE_AVAILABLE = (1 << 24), + CPU_FEATURE_PADLOCK_ACE_ENABLED = (1 << 25), + CPU_FEATURE_PADLOCK_ACE2_AVAILABLE = (1 << 26), + CPU_FEATURE_PADLOCK_ACE2_ENABLED = (1 << 27), + CPU_FEATURE_PADLOCK_PHE_AVAILABLE = (1 << 28), + CPU_FEATURE_PADLOCK_PHE_ENABLED = (1 << 29), + CPU_FEATURE_PADLOCK_PMM_AVAILABLE = (1 << 30), + CPU_FEATURE_PADLOCK_PMM_ENABLED = (1 << 31), +} cpu_feature_t; + +/** + * Get a bitmask for all supported CPU features + */ +cpu_feature_t cpu_feature_get_all(); + +/** + * Check if a given set of CPU features is available. + */ +bool cpu_feature_available(cpu_feature_t feature); + +#endif /** CPU_FEATURE_H_ @}*/ diff --git a/src/libstrongswan/utils/enum.c b/src/libstrongswan/utils/enum.c index 089bebb79..1cead77ca 100644 --- a/src/libstrongswan/utils/enum.c +++ b/src/libstrongswan/utils/enum.c @@ -26,6 +26,10 @@ */ char *enum_to_name(enum_name_t *e, int val) { + if (!e) + { + return NULL; + } do { if (val >= e->first && val <= e->last) @@ -140,7 +144,7 @@ int enum_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, int val = *((int*)(args[1])); char *name, buf[512]; - if (ed->next == ENUM_FLAG_MAGIC) + if (ed && ed->next == ENUM_FLAG_MAGIC) { name = enum_flags_to_string(ed, val, buf, sizeof(buf)); if (name == NULL) diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c index bc8432aea..99f4843ad 100644 --- a/src/libstrongswan/utils/leak_detective.c +++ b/src/libstrongswan/utils/leak_detective.c @@ -552,6 +552,7 @@ char *whitelist[] = { /* ClearSilver */ "nerr_init", /* libgcrypt */ + "gcrypt_plugin_create", "gcry_control", "gcry_check_version", "gcry_randomize", @@ -690,8 +691,8 @@ static int print_traces(private_leak_detective_t *this, { if (!thresh_count || entry->count >= thresh_count) { - this->report_cb(this->report_data, entry->count, - entry->bytes, entry->backtrace, detailed); + cb(user, entry->count, entry->bytes, entry->backtrace, + detailed); } } } diff --git a/src/libstrongswan/utils/utils.c b/src/libstrongswan/utils/utils.c index 02a720945..9b516accd 100644 --- a/src/libstrongswan/utils/utils.c +++ b/src/libstrongswan/utils/utils.c @@ -14,221 +14,22 @@ * for more details. */ -#define _GNU_SOURCE /* for memrchr */ -#ifdef WIN32 -/* for GetTickCount64, Windows 7 */ -# define _WIN32_WINNT 0x0601 -#endif - #include "utils.h" -#include -#include -#include #include -#include -#include #include -#include -#include #ifndef WIN32 # include #endif #include -#include -#include #include -#include -#include -#include - -ENUM(status_names, SUCCESS, NEED_MORE, - "SUCCESS", - "FAILED", - "OUT_OF_RES", - "ALREADY_DONE", - "NOT_SUPPORTED", - "INVALID_ARG", - "NOT_FOUND", - "PARSE_ERROR", - "VERIFY_ERROR", - "INVALID_STATE", - "DESTROY_ME", - "NEED_MORE", -); - -/** - * Described in header. - */ -void memxor(u_int8_t dst[], u_int8_t src[], size_t n) -{ - int m, i; - - /* byte wise XOR until dst aligned */ - for (i = 0; (uintptr_t)&dst[i] % sizeof(long) && i < n; i++) - { - dst[i] ^= src[i]; - } - /* try to use words if src shares an aligment with dst */ - switch (((uintptr_t)&src[i] % sizeof(long))) - { - case 0: - for (m = n - sizeof(long); i <= m; i += sizeof(long)) - { - *(long*)&dst[i] ^= *(long*)&src[i]; - } - break; - case sizeof(int): - for (m = n - sizeof(int); i <= m; i += sizeof(int)) - { - *(int*)&dst[i] ^= *(int*)&src[i]; - } - break; - case sizeof(short): - for (m = n - sizeof(short); i <= m; i += sizeof(short)) - { - *(short*)&dst[i] ^= *(short*)&src[i]; - } - break; - default: - break; - } - /* byte wise XOR of the rest */ - for (; i < n; i++) - { - dst[i] ^= src[i]; - } -} - -/** - * Described in header. - */ -void memwipe_noinline(void *ptr, size_t n) -{ - memwipe_inline(ptr, n); -} - -/** - * Described in header. - */ -void *memstr(const void *haystack, const char *needle, size_t n) -{ - const u_char *pos = haystack; - size_t l; - - if (!haystack || !needle || (l = strlen(needle)) == 0) - { - return NULL; - } - for (; n >= l; ++pos, --n) - { - if (memeq(pos, needle, l)) - { - return (void*)pos; - } - } - return NULL; -} - -/** - * Described in header. - */ -void *utils_memrchr(const void *s, int c, size_t n) -{ - const u_char *pos; - - if (!s || !n) - { - return NULL; - } - - for (pos = s + n - 1; pos >= (u_char*)s; pos--) - { - if (*pos == (u_char)c) - { - return (void*)pos; - } - } - return NULL; -} - -/** - * Described in header. - */ -char* translate(char *str, const char *from, const char *to) -{ - char *pos = str; - if (strlen(from) != strlen(to)) - { - return str; - } - while (pos && *pos) - { - char *match; - if ((match = strchr(from, *pos)) != NULL) - { - *pos = to[match - from]; - } - pos++; - } - return str; -} - -/** - * Described in header. - */ -char* strreplace(const char *str, const char *search, const char *replace) -{ - size_t len, slen, rlen, count = 0; - char *res, *pos, *found, *dst; - - if (!str || !*str || !search || !*search || !replace) - { - return (char*)str; - } - slen = strlen(search); - rlen = strlen(replace); - if (slen != rlen) - { - for (pos = (char*)str; (pos = strstr(pos, search)); pos += slen) - { - found = pos; - count++; - } - if (!count) - { - return (char*)str; - } - len = (found - str) + strlen(found) + count * (rlen - slen); - } - else - { - len = strlen(str); - } - found = strstr(str, search); - if (!found) - { - return (char*)str; - } - dst = res = malloc(len + 1); - pos = (char*)str; - do - { - len = found - pos; - memcpy(dst, pos, len); - dst += len; - memcpy(dst, replace, rlen); - dst += rlen; - pos = found + slen; - } - while ((found = strstr(pos, search))); - strcpy(dst, pos); - return res; -} #ifdef WIN32 +#include +#include + /** * Flag to indicate signaled wait_sigint() */ @@ -305,216 +106,6 @@ void wait_sigint() #endif -/** - * Described in header. - */ -char* path_dirname(const char *path) -{ - char *pos; - - pos = path ? strrchr(path, DIRECTORY_SEPARATOR[0]) : NULL; - - if (pos && !pos[1]) - { /* if path ends with slashes we have to look beyond them */ - while (pos > path && *pos == DIRECTORY_SEPARATOR[0]) - { /* skip trailing slashes */ - pos--; - } - pos = memrchr(path, DIRECTORY_SEPARATOR[0], pos - path + 1); - } - if (!pos) - { -#ifdef WIN32 - if (path && strlen(path)) - { - if ((isalpha(path[0]) && path[1] == ':')) - { /* if just a drive letter given, return that as dirname */ - return chunk_clone(chunk_from_chars(path[0], ':', 0)).ptr; - } - } -#endif - return strdup("."); - } - while (pos > path && *pos == DIRECTORY_SEPARATOR[0]) - { /* skip superfluous slashes */ - pos--; - } - return strndup(path, pos - path + 1); -} - -/** - * Described in header. - */ -char* path_basename(const char *path) -{ - char *pos, *trail = NULL; - - if (!path || !*path) - { - return strdup("."); - } - pos = strrchr(path, DIRECTORY_SEPARATOR[0]); - if (pos && !pos[1]) - { /* if path ends with slashes we have to look beyond them */ - while (pos > path && *pos == DIRECTORY_SEPARATOR[0]) - { /* skip trailing slashes */ - pos--; - } - if (pos == path && *pos == DIRECTORY_SEPARATOR[0]) - { /* contains only slashes */ - return strdup(DIRECTORY_SEPARATOR); - } - trail = pos + 1; - pos = memrchr(path, DIRECTORY_SEPARATOR[0], trail - path); - } - pos = pos ? pos + 1 : (char*)path; - return trail ? strndup(pos, trail - pos) : strdup(pos); -} - -/** - * Described in header. - */ -bool path_absolute(const char *path) -{ - if (!path) - { - return FALSE; - } -#ifdef WIN32 - if (strpfx(path, "\\\\")) - { /* UNC */ - return TRUE; - } - if (strlen(path) && isalpha(path[0]) && path[1] == ':') - { /* drive letter */ - return TRUE; - } -#else /* !WIN32 */ - if (path[0] == DIRECTORY_SEPARATOR[0]) - { - return TRUE; - } -#endif - return FALSE; -} - -/** - * Described in header. - */ -bool mkdir_p(const char *path, mode_t mode) -{ - int len; - char *pos, full[PATH_MAX]; - pos = full; - if (!path || *path == '\0') - { - return TRUE; - } - len = snprintf(full, sizeof(full)-1, "%s", path); - if (len < 0 || len >= sizeof(full)-1) - { - DBG1(DBG_LIB, "path string %s too long", path); - return FALSE; - } - /* ensure that the path ends with a '/' */ - if (full[len-1] != '/') - { - full[len++] = '/'; - full[len] = '\0'; - } - /* skip '/' at the beginning */ - while (*pos == '/') - { - pos++; - } - while ((pos = strchr(pos, '/'))) - { - *pos = '\0'; - if (access(full, F_OK) < 0) - { -#ifdef WIN32 - if (_mkdir(full) < 0) -#else - if (mkdir(full, mode) < 0) -#endif - { - DBG1(DBG_LIB, "failed to create directory %s", full); - return FALSE; - } - } - *pos = '/'; - pos++; - } - return TRUE; -} - -ENUM(tty_color_names, TTY_RESET, TTY_BG_DEF, - "\e[0m", - "\e[1m", - "\e[4m", - "\e[5m", - "\e[30m", - "\e[31m", - "\e[32m", - "\e[33m", - "\e[34m", - "\e[35m", - "\e[36m", - "\e[37m", - "\e[39m", - "\e[40m", - "\e[41m", - "\e[42m", - "\e[43m", - "\e[44m", - "\e[45m", - "\e[46m", - "\e[47m", - "\e[49m", -); - -/** - * Get the escape string for a given TTY color, empty string on non-tty FILE - */ -char* tty_escape_get(int fd, tty_escape_t escape) -{ - if (!isatty(fd)) - { - return ""; - } - switch (escape) - { - case TTY_RESET: - case TTY_BOLD: - case TTY_UNDERLINE: - case TTY_BLINKING: -#ifdef WIN32 - return ""; -#endif - case TTY_FG_BLACK: - case TTY_FG_RED: - case TTY_FG_GREEN: - case TTY_FG_YELLOW: - case TTY_FG_BLUE: - case TTY_FG_MAGENTA: - case TTY_FG_CYAN: - case TTY_FG_WHITE: - case TTY_FG_DEF: - case TTY_BG_BLACK: - case TTY_BG_RED: - case TTY_BG_GREEN: - case TTY_BG_YELLOW: - case TTY_BG_BLUE: - case TTY_BG_MAGENTA: - case TTY_BG_CYAN: - case TTY_BG_WHITE: - case TTY_BG_DEF: - return enum_to_name(tty_color_names, escape); - /* warn if a escape code is missing */ - } - return ""; -} - #ifndef HAVE_CLOSEFROM /** * Described in header. @@ -562,58 +153,6 @@ void closefrom(int lowfd) } #endif /* HAVE_CLOSEFROM */ -/** - * Return monotonic time - */ -time_t time_monotonic(timeval_t *tv) -{ -#ifdef WIN32 - ULONGLONG ms; - time_t s; - - ms = GetTickCount64(); - s = ms / 1000; - if (tv) - { - tv->tv_sec = s; - tv->tv_usec = (ms - (s * 1000)) * 1000; - } - return s; -#else /* !WIN32 */ -#if defined(HAVE_CLOCK_GETTIME) && \ - (defined(HAVE_CONDATTR_CLOCK_MONOTONIC) || \ - defined(HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC)) - /* as we use time_monotonic() for condvar operations, we use the - * monotonic time source only if it is also supported by pthread. */ - timespec_t ts; - - if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0) - { - if (tv) - { - tv->tv_sec = ts.tv_sec; - tv->tv_usec = ts.tv_nsec / 1000; - } - return ts.tv_sec; - } -#endif /* HAVE_CLOCK_GETTIME && (...) */ - /* Fallback to non-monotonic timestamps: - * On MAC OS X, creating monotonic timestamps is rather difficult. We - * could use mach_absolute_time() and catch sleep/wakeup notifications. - * We stick to the simpler (non-monotonic) gettimeofday() for now. - * But keep in mind: we need the same time source here as in condvar! */ - if (!tv) - { - return time(NULL); - } - if (gettimeofday(tv, NULL) != 0) - { /* should actually never fail if passed pointers are valid */ - return -1; - } - return tv->tv_sec; -#endif /* !WIN32 */ -} - /** * return null */ @@ -638,22 +177,6 @@ bool return_false() return FALSE; } -/** - * returns FAILED - */ -status_t return_failed() -{ - return FAILED; -} - -/** - * returns SUCCESS - */ -status_t return_success() -{ - return SUCCESS; -} - /** * nop operation */ @@ -661,122 +184,6 @@ void nop() { } -#if !defined(HAVE_GCC_ATOMIC_OPERATIONS) && !defined(HAVE_GCC_SYNC_OPERATIONS) - -/** - * Spinlock for ref_get/put - */ -static spinlock_t *ref_lock; - -/** - * Increase refcount - */ -refcount_t ref_get(refcount_t *ref) -{ - refcount_t current; - - ref_lock->lock(ref_lock); - current = ++(*ref); - ref_lock->unlock(ref_lock); - - return current; -} - -/** - * Decrease refcount - */ -bool ref_put(refcount_t *ref) -{ - bool more_refs; - - ref_lock->lock(ref_lock); - more_refs = --(*ref) > 0; - ref_lock->unlock(ref_lock); - return !more_refs; -} - -/** - * Current refcount - */ -refcount_t ref_cur(refcount_t *ref) -{ - refcount_t current; - - ref_lock->lock(ref_lock); - current = *ref; - ref_lock->unlock(ref_lock); - - return current; -} - -/** - * Spinlock for all compare and swap operations. - */ -static spinlock_t *cas_lock; - -/** - * Compare and swap if equal to old value - */ -#define _cas_impl(name, type) \ -bool cas_##name(type *ptr, type oldval, type newval) \ -{ \ - bool swapped; \ - cas_lock->lock(cas_lock); \ - if ((swapped = (*ptr == oldval))) { *ptr = newval; } \ - cas_lock->unlock(cas_lock); \ - return swapped; \ -} - -_cas_impl(bool, bool) -_cas_impl(ptr, void*) - -#endif /* !HAVE_GCC_ATOMIC_OPERATIONS && !HAVE_GCC_SYNC_OPERATIONS */ - - -#ifdef HAVE_FMEMOPEN_FALLBACK - -static int fmemread(chunk_t *cookie, char *buf, int size) -{ - int len; - - len = min(size, cookie->len); - memcpy(buf, cookie->ptr, len); - *cookie = chunk_skip(*cookie, len); - - return len; -} - -static int fmemwrite(chunk_t *cookie, const char *buf, int size) -{ - int len; - - len = min(size, cookie->len); - memcpy(cookie->ptr, buf, len); - *cookie = chunk_skip(*cookie, len); - - return len; -} - -static int fmemclose(void *cookie) -{ - free(cookie); - return 0; -} - -FILE *fmemopen(void *buf, size_t size, const char *mode) -{ - chunk_t *cookie; - - INIT(cookie, - .ptr = buf, - .len = size, - ); - - return funopen(cookie, (void*)fmemread, (void*)fmemwrite, NULL, fmemclose); -} - -#endif /* FMEMOPEN fallback*/ - /** * See header */ @@ -785,12 +192,7 @@ void utils_init() #ifdef WIN32 windows_init(); #endif - -#if !defined(HAVE_GCC_ATOMIC_OPERATIONS) && !defined(HAVE_GCC_SYNC_OPERATIONS) - ref_lock = spinlock_create(); - cas_lock = spinlock_create(); -#endif - + atomics_init(); strerror_init(); } @@ -802,137 +204,6 @@ void utils_deinit() #ifdef WIN32 windows_deinit(); #endif - -#if !defined(HAVE_GCC_ATOMIC_OPERATIONS) && !defined(HAVE_GCC_SYNC_OPERATIONS) - ref_lock->destroy(ref_lock); - cas_lock->destroy(cas_lock); -#endif - + atomics_deinit(); strerror_deinit(); } - -/** - * Described in header. - */ -int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, - const void *const *args) -{ - static const char* months[] = { - "Jan", "Feb", "Mar", "Apr", "May", "Jun", - "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" - }; - time_t *time = *((time_t**)(args[0])); - bool utc = *((int*)(args[1])); - struct tm t, *ret = NULL; - - if (*time != UNDEFINED_TIME) - { - if (utc) - { - ret = gmtime_r(time, &t); - } - else - { - ret = localtime_r(time, &t); - } - } - if (ret == NULL) - { - return print_in_hook(data, "--- -- --:--:--%s----", - utc ? " UTC " : " "); - } - return print_in_hook(data, "%s %02d %02d:%02d:%02d%s%04d", - months[t.tm_mon], t.tm_mday, t.tm_hour, t.tm_min, - t.tm_sec, utc ? " UTC " : " ", t.tm_year + 1900); -} - -/** - * Described in header. - */ -int time_delta_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, - const void *const *args) -{ - char* unit = "second"; - time_t *arg1 = *((time_t**)(args[0])); - time_t *arg2 = *((time_t**)(args[1])); - u_int64_t delta = llabs(*arg1 - *arg2); - - if (delta > 2 * 60 * 60 * 24) - { - delta /= 60 * 60 * 24; - unit = "day"; - } - else if (delta > 2 * 60 * 60) - { - delta /= 60 * 60; - unit = "hour"; - } - else if (delta > 2 * 60) - { - delta /= 60; - unit = "minute"; - } - return print_in_hook(data, "%" PRIu64 " %s%s", delta, unit, - (delta == 1) ? "" : "s"); -} - -/** - * Number of bytes per line to dump raw data - */ -#define BYTES_PER_LINE 16 - -static char hexdig_upper[] = "0123456789ABCDEF"; - -/** - * Described in header. - */ -int mem_printf_hook(printf_hook_data_t *data, - printf_hook_spec_t *spec, const void *const *args) -{ - char *bytes = *((void**)(args[0])); - u_int len = *((int*)(args[1])); - - char buffer[BYTES_PER_LINE * 3]; - char ascii_buffer[BYTES_PER_LINE + 1]; - char *buffer_pos = buffer; - char *bytes_pos = bytes; - char *bytes_roof = bytes + len; - int line_start = 0; - int i = 0; - int written = 0; - - written += print_in_hook(data, "=> %u bytes @ %p", len, bytes); - - while (bytes_pos < bytes_roof) - { - *buffer_pos++ = hexdig_upper[(*bytes_pos >> 4) & 0xF]; - *buffer_pos++ = hexdig_upper[ *bytes_pos & 0xF]; - - ascii_buffer[i++] = - (*bytes_pos > 31 && *bytes_pos < 127) ? *bytes_pos : '.'; - - if (++bytes_pos == bytes_roof || i == BYTES_PER_LINE) - { - int padding = 3 * (BYTES_PER_LINE - i); - - while (padding--) - { - *buffer_pos++ = ' '; - } - *buffer_pos++ = '\0'; - ascii_buffer[i] = '\0'; - - written += print_in_hook(data, "\n%4d: %s %s", - line_start, buffer, ascii_buffer); - - buffer_pos = buffer; - line_start += BYTES_PER_LINE; - i = 0; - } - else - { - *buffer_pos++ = ' '; - } - } - return written; -} diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h index 7c48d949f..acc15c42a 100644 --- a/src/libstrongswan/utils/utils.h +++ b/src/libstrongswan/utils/utils.h @@ -40,6 +40,33 @@ # include #endif +#include "utils/types.h" +#include "enum.h" +#include "utils/atomics.h" +#include "utils/align.h" +#include "utils/byteorder.h" +#include "utils/string.h" +#include "utils/memory.h" +#include "utils/strerror.h" +#include "utils/status.h" +#include "utils/object.h" +#include "utils/path.h" +#include "utils/time.h" +#include "utils/tty.h" +#ifdef __APPLE__ +# include "compat/apple.h" +#endif + +/** + * Initialize utility functions + */ +void utils_init(); + +/** + * Deinitialize utility functions + */ +void utils_deinit(); + /** * strongSwan program return codes */ @@ -74,236 +101,11 @@ #define BUILD_ASSERT_ARRAY(a) \ BUILD_ASSERT(!__builtin_types_compatible_p(typeof(a), typeof(&(a)[0]))) -/** - * General purpose boolean type. - */ -#ifdef HAVE_STDBOOL_H -# include -#else -# ifndef HAVE__BOOL -# define _Bool signed char -# endif /* HAVE__BOOL */ -# define bool _Bool -# define false 0 -# define true 1 -# define __bool_true_false_are_defined 1 -#endif /* HAVE_STDBOOL_H */ -#ifndef FALSE -# define FALSE false -#endif /* FALSE */ -#ifndef TRUE -# define TRUE true -#endif /* TRUE */ - -#include "enum.h" -#include "utils/strerror.h" -#ifdef __APPLE__ -# include "compat/apple.h" -#endif - -/** - * Directory separator character in paths on this platform - */ -#ifdef WIN32 -# define DIRECTORY_SEPARATOR "\\" -#else -# define DIRECTORY_SEPARATOR "/" -#endif - -/** - * Initialize utility functions - */ -void utils_init(); - -/** - * Deinitialize utility functions - */ -void utils_deinit(); - -/** - * Helper function that compares two strings for equality - */ -static inline bool streq(const char *x, const char *y) -{ - return strcmp(x, y) == 0; -} - -/** - * Helper function that compares two strings for equality, length limited - */ -static inline bool strneq(const char *x, const char *y, size_t len) -{ - return strncmp(x, y, len) == 0; -} - -/** - * Helper function that checks if a string starts with a given prefix - */ -static inline bool strpfx(const char *x, const char *prefix) -{ - return strneq(x, prefix, strlen(prefix)); -} - -/** - * Helper function that compares two strings for equality ignoring case - */ -static inline bool strcaseeq(const char *x, const char *y) -{ - return strcasecmp(x, y) == 0; -} - -/** - * Helper function that compares two strings for equality ignoring case, length limited - */ -static inline bool strncaseeq(const char *x, const char *y, size_t len) -{ - return strncasecmp(x, y, len) == 0; -} - -/** - * Helper function that checks if a string starts with a given prefix - */ -static inline bool strcasepfx(const char *x, const char *prefix) -{ - return strncaseeq(x, prefix, strlen(prefix)); -} - -/** - * NULL-safe strdup variant - */ -static inline char *strdupnull(const char *s) -{ - return s ? strdup(s) : NULL; -} - -/** - * Helper function that compares two binary blobs for equality - */ -static inline bool memeq(const void *x, const void *y, size_t len) -{ - return memcmp(x, y, len) == 0; -} - -/** - * Calling memcpy() with NULL pointers, even with n == 0, results in undefined - * behavior according to the C standard. This version is guaranteed to not - * access the pointers if n is 0. - */ -static inline void *memcpy_noop(void *dst, const void *src, size_t n) -{ - return n ? memcpy(dst, src, n) : dst; -} -#ifdef memcpy -# undef memcpy -#endif -#define memcpy(d,s,n) memcpy_noop(d,s,n) - -/** - * Calling memmove() with NULL pointers, even with n == 0, results in undefined - * behavior according to the C standard. This version is guaranteed to not - * access the pointers if n is 0. - */ -static inline void *memmove_noop(void *dst, const void *src, size_t n) -{ - return n ? memmove(dst, src, n) : dst; -} -#ifdef memmove -# undef memmove -#endif -#define memmove(d,s,n) memmove_noop(d,s,n) - -/** - * Calling memset() with a NULL pointer, even with n == 0, results in undefined - * behavior according to the C standard. This version is guaranteed to not - * access the pointer if n is 0. - */ -static inline void *memset_noop(void *s, int c, size_t n) -{ - return n ? memset(s, c, n) : s; -} -#ifdef memset -# undef memset -#endif -#define memset(s,c,n) memset_noop(s,c,n) - -/** - * Macro gives back larger of two values. - */ -#define max(x,y) ({ \ - typeof(x) _x = (x); \ - typeof(y) _y = (y); \ - _x > _y ? _x : _y; }) - -/** - * Macro gives back smaller of two values. - */ -#define min(x,y) ({ \ - typeof(x) _x = (x); \ - typeof(y) _y = (y); \ - _x < _y ? _x : _y; }) - -/** - * Call destructor of an object, if object != NULL - */ -#define DESTROY_IF(obj) if (obj) (obj)->destroy(obj) - -/** - * Call offset destructor of an object, if object != NULL - */ -#define DESTROY_OFFSET_IF(obj, offset) if (obj) obj->destroy_offset(obj, offset); - -/** - * Call function destructor of an object, if object != NULL - */ -#define DESTROY_FUNCTION_IF(obj, fn) if (obj) obj->destroy_function(obj, fn); - /** * Debug macro to follow control flow */ #define POS printf("%s, line %d\n", __FILE__, __LINE__) -/** - * Object allocation/initialization macro, using designated initializer. - */ -#define INIT(this, ...) { (this) = malloc(sizeof(*(this))); \ - *(this) = (typeof(*(this))){ __VA_ARGS__ }; } - -/** - * Method declaration/definition macro, providing private and public interface. - * - * Defines a method name with this as first parameter and a return value ret, - * and an alias for this method with a _ prefix, having the this argument - * safely casted to the public interface iface. - * _name is provided a function pointer, but will get optimized out by GCC. - */ -#define METHOD(iface, name, ret, this, ...) \ - static ret name(union {iface *_public; this;} \ - __attribute__((transparent_union)), ##__VA_ARGS__); \ - static typeof(name) *_##name = (typeof(name)*)name; \ - static ret name(this, ##__VA_ARGS__) - -/** - * Same as METHOD(), but is defined for two public interfaces. - */ -#define METHOD2(iface1, iface2, name, ret, this, ...) \ - static ret name(union {iface1 *_public1; iface2 *_public2; this;} \ - __attribute__((transparent_union)), ##__VA_ARGS__); \ - static typeof(name) *_##name = (typeof(name)*)name; \ - static ret name(this, ##__VA_ARGS__) - -/** - * Callback declaration/definition macro, allowing casted first parameter. - * - * This is very similar to METHOD, but instead of casting the first parameter - * to a public interface, it uses a void*. This allows type safe definition - * of a callback function, while using the real type for the first parameter. - */ -#define CALLBACK(name, ret, param1, ...) \ - static ret _cb_##name(union {void *_generic; param1;} \ - __attribute__((transparent_union)), ##__VA_ARGS__); \ - static typeof(_cb_##name) *name = (typeof(_cb_##name)*)_cb_##name; \ - static ret _cb_##name(param1, ##__VA_ARGS__) - /** * This macro allows counting the number of arguments passed to a macro. * Combined with the VA_ARGS_DISPATCH() macro this can be used to implement @@ -330,28 +132,6 @@ static inline void *memset_noop(void *s, int c, size_t n) #define _VA_ARGS_DISPATCH(func, num) __VA_ARGS_DISPATCH(func, num) #define __VA_ARGS_DISPATCH(func, num) func ## num -/** - * Architecture independent bitfield definition helpers (at least with GCC). - * - * Defines a bitfield with a type t and a fixed size of bitfield members, e.g.: - * BITFIELD2(u_int8_t, - * low: 4, - * high: 4, - * ) flags; - * The member defined first placed at bit 0. - */ -#if BYTE_ORDER == LITTLE_ENDIAN -#define BITFIELD2(t, a, b,...) struct { t a; t b; __VA_ARGS__} -#define BITFIELD3(t, a, b, c,...) struct { t a; t b; t c; __VA_ARGS__} -#define BITFIELD4(t, a, b, c, d,...) struct { t a; t b; t c; t d; __VA_ARGS__} -#define BITFIELD5(t, a, b, c, d, e,...) struct { t a; t b; t c; t d; t e; __VA_ARGS__} -#elif BYTE_ORDER == BIG_ENDIAN -#define BITFIELD2(t, a, b,...) struct { t b; t a; __VA_ARGS__} -#define BITFIELD3(t, a, b, c,...) struct { t c; t b; t a; __VA_ARGS__} -#define BITFIELD4(t, a, b, c, d,...) struct { t d; t c; t b; t a; __VA_ARGS__} -#define BITFIELD5(t, a, b, c, d, e,...) struct { t e; t d; t c; t b; t a; __VA_ARGS__} -#endif - /** * Macro to allocate a sized type. */ @@ -368,314 +148,11 @@ static inline void *memset_noop(void *s, int c, size_t n) */ #define ignore_result(call) { if(call){}; } -/** - * Assign a function as a class method - */ -#define ASSIGN(method, function) (method = (typeof(method))function) - -/** - * time_t not defined - */ -#define UNDEFINED_TIME 0 - -/** - * Maximum time since epoch causing wrap-around on Jan 19 03:14:07 UTC 2038 - */ -#define TIME_32_BIT_SIGNED_MAX 0x7fffffff - -/** - * define some missing fixed width int types on OpenSolaris. - * TODO: since the uintXX_t types are defined by the C99 standard we should - * probably use those anyway - */ -#if defined __sun || defined WIN32 - #include - typedef uint8_t u_int8_t; - typedef uint16_t u_int16_t; - typedef uint32_t u_int32_t; - typedef uint64_t u_int64_t; -#endif - -typedef enum status_t status_t; - -/** - * Return values of function calls. - */ -enum status_t { - /** - * Call succeeded. - */ - SUCCESS, - - /** - * Call failed. - */ - FAILED, - - /** - * Out of resources. - */ - OUT_OF_RES, - - /** - * The suggested operation is already done - */ - ALREADY_DONE, - - /** - * Not supported. - */ - NOT_SUPPORTED, - - /** - * One of the arguments is invalid. - */ - INVALID_ARG, - - /** - * Something could not be found. - */ - NOT_FOUND, - - /** - * Error while parsing. - */ - PARSE_ERROR, - - /** - * Error while verifying. - */ - VERIFY_ERROR, - - /** - * Object in invalid state. - */ - INVALID_STATE, - - /** - * Destroy object which called method belongs to. - */ - DESTROY_ME, - - /** - * Another call to the method is required. - */ - NEED_MORE, -}; - -/** - * enum_names for type status_t. - */ -extern enum_name_t *status_names; - -typedef enum tty_escape_t tty_escape_t; - -/** - * Excape codes for tty colors - */ -enum tty_escape_t { - /** text properties */ - TTY_RESET, - TTY_BOLD, - TTY_UNDERLINE, - TTY_BLINKING, - - /** foreground colors */ - TTY_FG_BLACK, - TTY_FG_RED, - TTY_FG_GREEN, - TTY_FG_YELLOW, - TTY_FG_BLUE, - TTY_FG_MAGENTA, - TTY_FG_CYAN, - TTY_FG_WHITE, - TTY_FG_DEF, - - /** background colors */ - TTY_BG_BLACK, - TTY_BG_RED, - TTY_BG_GREEN, - TTY_BG_YELLOW, - TTY_BG_BLUE, - TTY_BG_MAGENTA, - TTY_BG_CYAN, - TTY_BG_WHITE, - TTY_BG_DEF, -}; - -/** - * Get the escape string for a given TTY color, empty string on non-tty fd - */ -char* tty_escape_get(int fd, tty_escape_t escape); - -/** - * deprecated pluto style return value: - * error message, NULL for success - */ -typedef const char *err_t; - -/** - * Handle struct timeval like an own type. - */ -typedef struct timeval timeval_t; - -/** - * Handle struct timespec like an own type. - */ -typedef struct timespec timespec_t; - -/** - * Handle struct chunk_t like an own type. - */ -typedef struct sockaddr sockaddr_t; - -/** - * Same as memcpy, but XORs src into dst instead of copy - */ -void memxor(u_int8_t dest[], u_int8_t src[], size_t n); - -/** - * Safely overwrite n bytes of memory at ptr with zero, non-inlining variant. - */ -void memwipe_noinline(void *ptr, size_t n); - -/** - * Safely overwrite n bytes of memory at ptr with zero, inlining variant. - */ -static inline void memwipe_inline(void *ptr, size_t n) -{ - volatile char *c = (volatile char*)ptr; - size_t m, i; - - /* byte wise until long aligned */ - for (i = 0; (uintptr_t)&c[i] % sizeof(long) && i < n; i++) - { - c[i] = 0; - } - /* word wise */ - if (n >= sizeof(long)) - { - for (m = n - sizeof(long); i <= m; i += sizeof(long)) - { - *(volatile long*)&c[i] = 0; - } - } - /* byte wise of the rest */ - for (; i < n; i++) - { - c[i] = 0; - } -} - -/** - * Safely overwrite n bytes of memory at ptr with zero, auto-inlining variant. - */ -static inline void memwipe(void *ptr, size_t n) -{ - if (!ptr) - { - return; - } - if (__builtin_constant_p(n)) - { - memwipe_inline(ptr, n); - } - else - { - memwipe_noinline(ptr, n); - } -} - -/** - * A variant of strstr with the characteristics of memchr, where haystack is not - * a null-terminated string but simply a memory area of length n. - */ -void *memstr(const void *haystack, const char *needle, size_t n); - -/** - * Replacement for memrchr(3) if it is not provided by the C library. - * - * @param s start of the memory area to search - * @param c character to search - * @param n length of memory area to search - * @return pointer to the found character or NULL - */ -void *utils_memrchr(const void *s, int c, size_t n); - -#ifndef HAVE_MEMRCHR -#define memrchr(s,c,n) utils_memrchr(s,c,n) -#endif - -/** - * Translates the characters in the given string, searching for characters - * in 'from' and mapping them to characters in 'to'. - * The two characters sets 'from' and 'to' must contain the same number of - * characters. - */ -char *translate(char *str, const char *from, const char *to); - -/** - * Replaces all occurrences of search in the given string with replace. - * - * Allocates memory only if anything is replaced in the string. The original - * string is also returned if any of the arguments are invalid (e.g. if search - * is empty or any of them are NULL). - * - * @param str original string - * @param search string to search for and replace - * @param replace string to replace found occurrences with - * @return allocated string, if anything got replaced, str otherwise - */ -char *strreplace(const char *str, const char *search, const char *replace); - /** * Portable function to wait for SIGINT/SIGTERM (or equivalent). */ void wait_sigint(); -/** - * Like dirname(3) returns the directory part of the given null-terminated - * pathname, up to but not including the final '/' (or '.' if no '/' is found). - * Trailing '/' are not counted as part of the pathname. - * - * The difference is that it does this in a thread-safe manner (i.e. it does not - * use static buffers) and does not modify the original path. - * - * @param path original pathname - * @return allocated directory component - */ -char *path_dirname(const char *path); - -/** - * Like basename(3) returns the filename part of the given null-terminated path, - * i.e. the part following the final '/' (or '.' if path is empty or NULL). - * Trailing '/' are not counted as part of the pathname. - * - * The difference is that it does this in a thread-safe manner (i.e. it does not - * use static buffers) and does not modify the original path. - * - * @param path original pathname - * @return allocated filename component - */ -char *path_basename(const char *path); - -/** - * Check if a given path is absolute. - * - * @param path path to check - * @return TRUE if absolute, FALSE if relative - */ -bool path_absolute(const char *path); - -/** - * Creates a directory and all required parent directories. - * - * @param path path to the new directory - * @param mode permissions of the new directory/directories - * @return TRUE on success - */ -bool mkdir_p(const char *path, mode_t mode); - #ifndef HAVE_CLOSEFROM /** * Close open file descriptors greater than or equal to lowfd. @@ -685,34 +162,6 @@ bool mkdir_p(const char *path, mode_t mode); void closefrom(int lowfd); #endif -/** - * Get a timestamp from a monotonic time source. - * - * While the time()/gettimeofday() functions are affected by leap seconds - * and system time changes, this function returns ever increasing monotonic - * time stamps. - * - * @param tv timeval struct receiving monotonic timestamps, or NULL - * @return monotonic timestamp in seconds - */ -time_t time_monotonic(timeval_t *tv); - -/** - * Add the given number of milliseconds to the given timeval struct - * - * @param tv timeval struct to modify - * @param ms number of milliseconds - */ -static inline void timeval_add_ms(timeval_t *tv, u_int ms) -{ - tv->tv_usec += ms * 1000; - while (tv->tv_usec >= 1000000 /* 1s */) - { - tv->tv_usec -= 1000000; - tv->tv_sec++; - } -} - /** * returns null */ @@ -733,294 +182,4 @@ bool return_true(); */ bool return_false(); -/** - * returns FAILED - */ -status_t return_failed(); - -/** - * returns SUCCESS - */ -status_t return_success(); - -/** - * Write a 16-bit host order value in network order to an unaligned address. - * - * @param host host order 16-bit value - * @param network unaligned address to write network order value to - */ -static inline void htoun16(void *network, u_int16_t host) -{ - char *unaligned = (char*)network; - - host = htons(host); - memcpy(unaligned, &host, sizeof(host)); -} - -/** - * Write a 32-bit host order value in network order to an unaligned address. - * - * @param host host order 32-bit value - * @param network unaligned address to write network order value to - */ -static inline void htoun32(void *network, u_int32_t host) -{ - char *unaligned = (char*)network; - - host = htonl(host); - memcpy((char*)unaligned, &host, sizeof(host)); -} - -/** - * Write a 64-bit host order value in network order to an unaligned address. - * - * @param host host order 64-bit value - * @param network unaligned address to write network order value to - */ -static inline void htoun64(void *network, u_int64_t host) -{ - char *unaligned = (char*)network; - -#ifdef be64toh - host = htobe64(host); - memcpy((char*)unaligned, &host, sizeof(host)); -#else - u_int32_t high_part, low_part; - - high_part = host >> 32; - high_part = htonl(high_part); - low_part = host & 0xFFFFFFFFLL; - low_part = htonl(low_part); - - memcpy(unaligned, &high_part, sizeof(high_part)); - unaligned += sizeof(high_part); - memcpy(unaligned, &low_part, sizeof(low_part)); -#endif -} - -/** - * Read a 16-bit value in network order from an unaligned address to host order. - * - * @param network unaligned address to read network order value from - * @return host order value - */ -static inline u_int16_t untoh16(void *network) -{ - char *unaligned = (char*)network; - u_int16_t tmp; - - memcpy(&tmp, unaligned, sizeof(tmp)); - return ntohs(tmp); -} - -/** - * Read a 32-bit value in network order from an unaligned address to host order. - * - * @param network unaligned address to read network order value from - * @return host order value - */ -static inline u_int32_t untoh32(void *network) -{ - char *unaligned = (char*)network; - u_int32_t tmp; - - memcpy(&tmp, unaligned, sizeof(tmp)); - return ntohl(tmp); -} - -/** - * Read a 64-bit value in network order from an unaligned address to host order. - * - * @param network unaligned address to read network order value from - * @return host order value - */ -static inline u_int64_t untoh64(void *network) -{ - char *unaligned = (char*)network; - -#ifdef be64toh - u_int64_t tmp; - - memcpy(&tmp, unaligned, sizeof(tmp)); - return be64toh(tmp); -#else - u_int32_t high_part, low_part; - - memcpy(&high_part, unaligned, sizeof(high_part)); - unaligned += sizeof(high_part); - memcpy(&low_part, unaligned, sizeof(low_part)); - - high_part = ntohl(high_part); - low_part = ntohl(low_part); - - return (((u_int64_t)high_part) << 32) + low_part; -#endif -} - -/** - * Get the padding required to make size a multiple of alignment - */ -static inline size_t pad_len(size_t size, size_t alignment) -{ - size_t remainder; - - remainder = size % alignment; - return remainder ? alignment - remainder : 0; -} - -/** - * Round up size to be multiple of alignment - */ -static inline size_t round_up(size_t size, size_t alignment) -{ - return size + pad_len(size, alignment); -} - -/** - * Round down size to be a multiple of alignment - */ -static inline size_t round_down(size_t size, size_t alignment) -{ - return size - (size % alignment); -} - -/** - * Special type to count references - */ -typedef u_int refcount_t; - -/* use __atomic* built-ins with GCC 4.7 and newer */ -#ifdef __GNUC__ -# if (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 6)) -# define HAVE_GCC_ATOMIC_OPERATIONS -# endif -#endif - -#ifdef HAVE_GCC_ATOMIC_OPERATIONS - -#define ref_get(ref) __atomic_add_fetch(ref, 1, __ATOMIC_RELAXED) -/* The relaxed memory model works fine for increments as these (usually) don't - * change the state of refcounted objects. But here we have to ensure that we - * free the right stuff if ref counted objects are mutable. So we have to sync - * with other threads that call ref_put(). It would be sufficient to use - * __ATOMIC_RELEASE here and then call __atomic_thread_fence() with - * __ATOMIC_ACQUIRE if we reach 0, but since we don't have control over the use - * of ref_put() we have to make sure. */ -#define ref_put(ref) (!__atomic_sub_fetch(ref, 1, __ATOMIC_ACQ_REL)) -#define ref_cur(ref) __atomic_load_n(ref, __ATOMIC_RELAXED) - -#define _cas_impl(ptr, oldval, newval) ({ typeof(oldval) _old = oldval; \ - __atomic_compare_exchange_n(ptr, &_old, newval, FALSE, \ - __ATOMIC_SEQ_CST, __ATOMIC_RELAXED); }) -#define cas_bool(ptr, oldval, newval) _cas_impl(ptr, oldval, newval) -#define cas_ptr(ptr, oldval, newval) _cas_impl(ptr, oldval, newval) - -#elif defined(HAVE_GCC_SYNC_OPERATIONS) - -#define ref_get(ref) __sync_add_and_fetch(ref, 1) -#define ref_put(ref) (!__sync_sub_and_fetch(ref, 1)) -#define ref_cur(ref) __sync_fetch_and_add(ref, 0) - -#define cas_bool(ptr, oldval, newval) \ - (__sync_bool_compare_and_swap(ptr, oldval, newval)) -#define cas_ptr(ptr, oldval, newval) \ - (__sync_bool_compare_and_swap(ptr, oldval, newval)) - -#else /* !HAVE_GCC_ATOMIC_OPERATIONS && !HAVE_GCC_SYNC_OPERATIONS */ - -/** - * Get a new reference. - * - * Increments the reference counter atomically. - * - * @param ref pointer to ref counter - * @return new value of ref - */ -refcount_t ref_get(refcount_t *ref); - -/** - * Put back a unused reference. - * - * Decrements the reference counter atomically and - * says if more references available. - * - * @param ref pointer to ref counter - * @return TRUE if no more references counted - */ -bool ref_put(refcount_t *ref); - -/** - * Get the current value of the reference counter. - * - * @param ref pointer to ref counter - * @return current value of ref - */ -refcount_t ref_cur(refcount_t *ref); - -/** - * Atomically replace value of ptr with newval if it currently equals oldval. - * - * @param ptr pointer to variable - * @param oldval old value of the variable - * @param newval new value set if possible - * @return TRUE if value equaled oldval and newval was written - */ -bool cas_bool(bool *ptr, bool oldval, bool newval); - -/** - * Atomically replace value of ptr with newval if it currently equals oldval. - * - * @param ptr pointer to variable - * @param oldval old value of the variable - * @param newval new value set if possible - * @return TRUE if value equaled oldval and newval was written - */ -bool cas_ptr(void **ptr, void *oldval, void *newval); - -#endif /* HAVE_GCC_ATOMIC_OPERATIONS */ - -#ifndef HAVE_FMEMOPEN -# ifdef HAVE_FUNOPEN -# define HAVE_FMEMOPEN -# define HAVE_FMEMOPEN_FALLBACK -# include -/** - * fmemopen(3) fallback using BSD funopen. - * - * We could also provide one using fopencookie(), but should we have it we - * most likely have fmemopen(). - * - * fseek() is currently not supported. - */ -FILE *fmemopen(void *buf, size_t size, const char *mode); -# endif /* FUNOPEN */ -#endif /* FMEMOPEN */ - -/** - * printf hook for time_t. - * - * Arguments are: - * time_t* time, bool utc - */ -int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, - const void *const *args); - -/** - * printf hook for time_t deltas. - * - * Arguments are: - * time_t* begin, time_t* end - */ -int time_delta_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, - const void *const *args); - -/** - * printf hook for memory areas. - * - * Arguments are: - * u_char *ptr, u_int len - */ -int mem_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, - const void *const *args); - #endif /** UTILS_H_ @}*/ diff --git a/src/libstrongswan/utils/utils/align.c b/src/libstrongswan/utils/utils/align.c new file mode 100644 index 000000000..29f110ff1 --- /dev/null +++ b/src/libstrongswan/utils/utils/align.c @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2005-2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +/** + * Described in header. + */ +void* malloc_align(size_t size, u_int8_t align) +{ + u_int8_t pad; + void *ptr; + + if (align == 0) + { + align = 1; + } + ptr = malloc(align + sizeof(pad) + size); + if (!ptr) + { + return NULL; + } + /* store padding length just before data, down to the allocation boundary + * to do some verification during free_align() */ + pad = align - ((uintptr_t)ptr % align); + memset(ptr, pad, pad); + return ptr + pad; +} + +/** + * Described in header. + */ +void free_align(void *ptr) +{ + u_int8_t pad, *pos; + + pos = ptr - 1; + /* verify padding to check any corruption */ + for (pad = *pos; (void*)pos >= ptr - pad; pos--) + { + if (*pos != pad) + { + DBG1(DBG_LIB, "!!!! invalid free_align() !!!!"); + return; + } + } + free(ptr - pad); +} diff --git a/src/libstrongswan/utils/utils/align.h b/src/libstrongswan/utils/utils/align.h new file mode 100644 index 000000000..39cde10c8 --- /dev/null +++ b/src/libstrongswan/utils/utils/align.h @@ -0,0 +1,86 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup align_i align + * @{ @ingroup utils_i + */ + +#ifndef ALIGN_H_ +#define ALIGN_H_ + +/** + * Macro gives back larger of two values. + */ +#define max(x,y) ({ \ + typeof(x) _x = (x); \ + typeof(y) _y = (y); \ + _x > _y ? _x : _y; }) + +/** + * Macro gives back smaller of two values. + */ +#define min(x,y) ({ \ + typeof(x) _x = (x); \ + typeof(y) _y = (y); \ + _x < _y ? _x : _y; }) + +/** + * Get the padding required to make size a multiple of alignment + */ +static inline size_t pad_len(size_t size, size_t alignment) +{ + size_t remainder; + + remainder = size % alignment; + return remainder ? alignment - remainder : 0; +} + +/** + * Round up size to be multiple of alignment + */ +static inline size_t round_up(size_t size, size_t alignment) +{ + return size + pad_len(size, alignment); +} + +/** + * Round down size to be a multiple of alignment + */ +static inline size_t round_down(size_t size, size_t alignment) +{ + return size - (size % alignment); +} + +/** + * malloc(), but returns aligned memory. + * + * The returned pointer must be freed using free_align(), not free(). + * + * @param size size of allocated data + * @param align alignment, up to 255 bytes, usually a power of 2 + * @return allocated hunk, aligned to align bytes + */ +void* malloc_align(size_t size, u_int8_t align); + +/** + * Free a hunk allocated by malloc_align(). + * + * @param ptr hunk to free + */ +void free_align(void *ptr); + +#endif /** ALIGN_H_ @} */ diff --git a/src/libstrongswan/utils/utils/atomics.c b/src/libstrongswan/utils/utils/atomics.c new file mode 100644 index 000000000..17e823e70 --- /dev/null +++ b/src/libstrongswan/utils/utils/atomics.c @@ -0,0 +1,112 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2005-2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#if !defined(HAVE_GCC_ATOMIC_OPERATIONS) && !defined(HAVE_GCC_SYNC_OPERATIONS) + +#include + +/** + * Spinlock for ref_get/put + */ +static spinlock_t *ref_lock; + +/** + * Increase refcount + */ +refcount_t ref_get(refcount_t *ref) +{ + refcount_t current; + + ref_lock->lock(ref_lock); + current = ++(*ref); + ref_lock->unlock(ref_lock); + + return current; +} + +/** + * Decrease refcount + */ +bool ref_put(refcount_t *ref) +{ + bool more_refs; + + ref_lock->lock(ref_lock); + more_refs = --(*ref) > 0; + ref_lock->unlock(ref_lock); + return !more_refs; +} + +/** + * Current refcount + */ +refcount_t ref_cur(refcount_t *ref) +{ + refcount_t current; + + ref_lock->lock(ref_lock); + current = *ref; + ref_lock->unlock(ref_lock); + + return current; +} + +/** + * Spinlock for all compare and swap operations. + */ +static spinlock_t *cas_lock; + +/** + * Compare and swap if equal to old value + */ +#define _cas_impl(name, type) \ +bool cas_##name(type *ptr, type oldval, type newval) \ +{ \ + bool swapped; \ + cas_lock->lock(cas_lock); \ + if ((swapped = (*ptr == oldval))) { *ptr = newval; } \ + cas_lock->unlock(cas_lock); \ + return swapped; \ +} + +_cas_impl(bool, bool) +_cas_impl(ptr, void*) + +#endif /* !HAVE_GCC_ATOMIC_OPERATIONS && !HAVE_GCC_SYNC_OPERATIONS */ + +/** + * See header + */ +void atomics_init() +{ +#if !defined(HAVE_GCC_ATOMIC_OPERATIONS) && !defined(HAVE_GCC_SYNC_OPERATIONS) + ref_lock = spinlock_create(); + cas_lock = spinlock_create(); +#endif +} + +/** + * See header + */ +void atomics_deinit() +{ +#if !defined(HAVE_GCC_ATOMIC_OPERATIONS) && !defined(HAVE_GCC_SYNC_OPERATIONS) + ref_lock->destroy(ref_lock); + cas_lock->destroy(cas_lock); +#endif +} diff --git a/src/libstrongswan/utils/utils/atomics.h b/src/libstrongswan/utils/utils/atomics.h new file mode 100644 index 000000000..e5db0a1cb --- /dev/null +++ b/src/libstrongswan/utils/utils/atomics.h @@ -0,0 +1,130 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup atomics_i atomics + * @{ @ingroup utils_i + */ + +#ifndef ATOMICS_H_ +#define ATOMICS_H_ + +/** + * Special type to count references + */ +typedef u_int refcount_t; + +/* use __atomic* built-ins with GCC 4.7 and newer */ +#ifdef __GNUC__ +# if (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 6)) +# define HAVE_GCC_ATOMIC_OPERATIONS +# endif +#endif + +#ifdef HAVE_GCC_ATOMIC_OPERATIONS + +#define ref_get(ref) __atomic_add_fetch(ref, 1, __ATOMIC_RELAXED) +/* The relaxed memory model works fine for increments as these (usually) don't + * change the state of refcounted objects. But here we have to ensure that we + * free the right stuff if ref counted objects are mutable. So we have to sync + * with other threads that call ref_put(). It would be sufficient to use + * __ATOMIC_RELEASE here and then call __atomic_thread_fence() with + * __ATOMIC_ACQUIRE if we reach 0, but since we don't have control over the use + * of ref_put() we have to make sure. */ +#define ref_put(ref) (!__atomic_sub_fetch(ref, 1, __ATOMIC_ACQ_REL)) +#define ref_cur(ref) __atomic_load_n(ref, __ATOMIC_RELAXED) + +#define _cas_impl(ptr, oldval, newval) ({ typeof(oldval) _old = oldval; \ + __atomic_compare_exchange_n(ptr, &_old, newval, FALSE, \ + __ATOMIC_SEQ_CST, __ATOMIC_RELAXED); }) +#define cas_bool(ptr, oldval, newval) _cas_impl(ptr, oldval, newval) +#define cas_ptr(ptr, oldval, newval) _cas_impl(ptr, oldval, newval) + +#elif defined(HAVE_GCC_SYNC_OPERATIONS) + +#define ref_get(ref) __sync_add_and_fetch(ref, 1) +#define ref_put(ref) (!__sync_sub_and_fetch(ref, 1)) +#define ref_cur(ref) __sync_fetch_and_add(ref, 0) + +#define cas_bool(ptr, oldval, newval) \ + (__sync_bool_compare_and_swap(ptr, oldval, newval)) +#define cas_ptr(ptr, oldval, newval) \ + (__sync_bool_compare_and_swap(ptr, oldval, newval)) + +#else /* !HAVE_GCC_ATOMIC_OPERATIONS && !HAVE_GCC_SYNC_OPERATIONS */ + +/** + * Get a new reference. + * + * Increments the reference counter atomically. + * + * @param ref pointer to ref counter + * @return new value of ref + */ +refcount_t ref_get(refcount_t *ref); + +/** + * Put back a unused reference. + * + * Decrements the reference counter atomically and + * says if more references available. + * + * @param ref pointer to ref counter + * @return TRUE if no more references counted + */ +bool ref_put(refcount_t *ref); + +/** + * Get the current value of the reference counter. + * + * @param ref pointer to ref counter + * @return current value of ref + */ +refcount_t ref_cur(refcount_t *ref); + +/** + * Atomically replace value of ptr with newval if it currently equals oldval. + * + * @param ptr pointer to variable + * @param oldval old value of the variable + * @param newval new value set if possible + * @return TRUE if value equaled oldval and newval was written + */ +bool cas_bool(bool *ptr, bool oldval, bool newval); + +/** + * Atomically replace value of ptr with newval if it currently equals oldval. + * + * @param ptr pointer to variable + * @param oldval old value of the variable + * @param newval new value set if possible + * @return TRUE if value equaled oldval and newval was written + */ +bool cas_ptr(void **ptr, void *oldval, void *newval); + +#endif /* HAVE_GCC_ATOMIC_OPERATIONS */ + +/** + * Initialize atomics utility functions + */ +void atomics_init(); + +/** + * Clean up atomics utility functions + */ +void atomics_deinit(); + +#endif /** ATOMICS_H_ @} */ diff --git a/src/libstrongswan/utils/utils/byteorder.h b/src/libstrongswan/utils/utils/byteorder.h new file mode 100644 index 000000000..48cf1d526 --- /dev/null +++ b/src/libstrongswan/utils/utils/byteorder.h @@ -0,0 +1,161 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup byteorder_i byteorder + * @{ @ingroup utils_i + */ + +#ifndef BYTEORDER_H_ +#define BYTEORDER_H_ + +/** + * Architecture independent bitfield definition helpers (at least with GCC). + * + * Defines a bitfield with a type t and a fixed size of bitfield members, e.g.: + * BITFIELD2(u_int8_t, + * low: 4, + * high: 4, + * ) flags; + * The member defined first placed at bit 0. + */ +#if BYTE_ORDER == LITTLE_ENDIAN +#define BITFIELD2(t, a, b,...) struct { t a; t b; __VA_ARGS__} +#define BITFIELD3(t, a, b, c,...) struct { t a; t b; t c; __VA_ARGS__} +#define BITFIELD4(t, a, b, c, d,...) struct { t a; t b; t c; t d; __VA_ARGS__} +#define BITFIELD5(t, a, b, c, d, e,...) struct { t a; t b; t c; t d; t e; __VA_ARGS__} +#elif BYTE_ORDER == BIG_ENDIAN +#define BITFIELD2(t, a, b,...) struct { t b; t a; __VA_ARGS__} +#define BITFIELD3(t, a, b, c,...) struct { t c; t b; t a; __VA_ARGS__} +#define BITFIELD4(t, a, b, c, d,...) struct { t d; t c; t b; t a; __VA_ARGS__} +#define BITFIELD5(t, a, b, c, d, e,...) struct { t e; t d; t c; t b; t a; __VA_ARGS__} +#endif + +/** + * Write a 16-bit host order value in network order to an unaligned address. + * + * @param host host order 16-bit value + * @param network unaligned address to write network order value to + */ +static inline void htoun16(void *network, u_int16_t host) +{ + char *unaligned = (char*)network; + + host = htons(host); + memcpy(unaligned, &host, sizeof(host)); +} + +/** + * Write a 32-bit host order value in network order to an unaligned address. + * + * @param host host order 32-bit value + * @param network unaligned address to write network order value to + */ +static inline void htoun32(void *network, u_int32_t host) +{ + char *unaligned = (char*)network; + + host = htonl(host); + memcpy((char*)unaligned, &host, sizeof(host)); +} + +/** + * Write a 64-bit host order value in network order to an unaligned address. + * + * @param host host order 64-bit value + * @param network unaligned address to write network order value to + */ +static inline void htoun64(void *network, u_int64_t host) +{ + char *unaligned = (char*)network; + +#ifdef be64toh + host = htobe64(host); + memcpy((char*)unaligned, &host, sizeof(host)); +#else + u_int32_t high_part, low_part; + + high_part = host >> 32; + high_part = htonl(high_part); + low_part = host & 0xFFFFFFFFLL; + low_part = htonl(low_part); + + memcpy(unaligned, &high_part, sizeof(high_part)); + unaligned += sizeof(high_part); + memcpy(unaligned, &low_part, sizeof(low_part)); +#endif +} + +/** + * Read a 16-bit value in network order from an unaligned address to host order. + * + * @param network unaligned address to read network order value from + * @return host order value + */ +static inline u_int16_t untoh16(void *network) +{ + char *unaligned = (char*)network; + u_int16_t tmp; + + memcpy(&tmp, unaligned, sizeof(tmp)); + return ntohs(tmp); +} + +/** + * Read a 32-bit value in network order from an unaligned address to host order. + * + * @param network unaligned address to read network order value from + * @return host order value + */ +static inline u_int32_t untoh32(void *network) +{ + char *unaligned = (char*)network; + u_int32_t tmp; + + memcpy(&tmp, unaligned, sizeof(tmp)); + return ntohl(tmp); +} + +/** + * Read a 64-bit value in network order from an unaligned address to host order. + * + * @param network unaligned address to read network order value from + * @return host order value + */ +static inline u_int64_t untoh64(void *network) +{ + char *unaligned = (char*)network; + +#ifdef be64toh + u_int64_t tmp; + + memcpy(&tmp, unaligned, sizeof(tmp)); + return be64toh(tmp); +#else + u_int32_t high_part, low_part; + + memcpy(&high_part, unaligned, sizeof(high_part)); + unaligned += sizeof(high_part); + memcpy(&low_part, unaligned, sizeof(low_part)); + + high_part = ntohl(high_part); + low_part = ntohl(low_part); + + return (((u_int64_t)high_part) << 32) + low_part; +#endif +} + +#endif /** BYTEORDER_H_ @} */ diff --git a/src/libstrongswan/utils/utils/memory.c b/src/libstrongswan/utils/utils/memory.c new file mode 100644 index 000000000..a15371518 --- /dev/null +++ b/src/libstrongswan/utils/utils/memory.c @@ -0,0 +1,237 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2005-2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +/** + * Described in header. + */ +void memxor(u_int8_t dst[], u_int8_t src[], size_t n) +{ + int m, i; + + /* byte wise XOR until dst aligned */ + for (i = 0; (uintptr_t)&dst[i] % sizeof(long) && i < n; i++) + { + dst[i] ^= src[i]; + } + /* try to use words if src shares an aligment with dst */ + switch (((uintptr_t)&src[i] % sizeof(long))) + { + case 0: + for (m = n - sizeof(long); i <= m; i += sizeof(long)) + { + *(long*)&dst[i] ^= *(long*)&src[i]; + } + break; + case sizeof(int): + for (m = n - sizeof(int); i <= m; i += sizeof(int)) + { + *(int*)&dst[i] ^= *(int*)&src[i]; + } + break; + case sizeof(short): + for (m = n - sizeof(short); i <= m; i += sizeof(short)) + { + *(short*)&dst[i] ^= *(short*)&src[i]; + } + break; + default: + break; + } + /* byte wise XOR of the rest */ + for (; i < n; i++) + { + dst[i] ^= src[i]; + } +} + +/** + * Described in header. + */ +void memwipe_noinline(void *ptr, size_t n) +{ + memwipe_inline(ptr, n); +} + +/** + * Described in header. + */ +bool memeq_const(const void *x, const void *y, size_t len) +{ + const u_char *a, *b; + u_int bad = 0; + size_t i; + + a = (const u_char*)x; + b = (const u_char*)y; + + for (i = 0; i < len; i++) + { + bad |= a[i] != b[i]; + } + return !bad; +} + +/** + * Described in header. + */ +void *memstr(const void *haystack, const char *needle, size_t n) +{ + const u_char *pos = haystack; + size_t l; + + if (!haystack || !needle || (l = strlen(needle)) == 0) + { + return NULL; + } + for (; n >= l; ++pos, --n) + { + if (memeq(pos, needle, l)) + { + return (void*)pos; + } + } + return NULL; +} + +/** + * Described in header. + */ +void *utils_memrchr(const void *s, int c, size_t n) +{ + const u_char *pos; + + if (!s || !n) + { + return NULL; + } + + for (pos = s + n - 1; pos >= (u_char*)s; pos--) + { + if (*pos == (u_char)c) + { + return (void*)pos; + } + } + return NULL; +} + +#ifdef HAVE_FMEMOPEN_FALLBACK + +static int fmemread(chunk_t *cookie, char *buf, int size) +{ + int len; + + len = min(size, cookie->len); + memcpy(buf, cookie->ptr, len); + *cookie = chunk_skip(*cookie, len); + + return len; +} + +static int fmemwrite(chunk_t *cookie, const char *buf, int size) +{ + int len; + + len = min(size, cookie->len); + memcpy(cookie->ptr, buf, len); + *cookie = chunk_skip(*cookie, len); + + return len; +} + +static int fmemclose(void *cookie) +{ + free(cookie); + return 0; +} + +FILE *fmemopen(void *buf, size_t size, const char *mode) +{ + chunk_t *cookie; + + INIT(cookie, + .ptr = buf, + .len = size, + ); + + return funopen(cookie, (void*)fmemread, (void*)fmemwrite, NULL, fmemclose); +} + +#endif /* FMEMOPEN fallback*/ + +/** + * Number of bytes per line to dump raw data + */ +#define BYTES_PER_LINE 16 + +static char hexdig_upper[] = "0123456789ABCDEF"; + +/** + * Described in header. + */ +int mem_printf_hook(printf_hook_data_t *data, + printf_hook_spec_t *spec, const void *const *args) +{ + char *bytes = *((void**)(args[0])); + u_int len = *((int*)(args[1])); + + char buffer[BYTES_PER_LINE * 3]; + char ascii_buffer[BYTES_PER_LINE + 1]; + char *buffer_pos = buffer; + char *bytes_pos = bytes; + char *bytes_roof = bytes + len; + int line_start = 0; + int i = 0; + int written = 0; + + written += print_in_hook(data, "=> %u bytes @ %p", len, bytes); + + while (bytes_pos < bytes_roof) + { + *buffer_pos++ = hexdig_upper[(*bytes_pos >> 4) & 0xF]; + *buffer_pos++ = hexdig_upper[ *bytes_pos & 0xF]; + + ascii_buffer[i++] = + (*bytes_pos > 31 && *bytes_pos < 127) ? *bytes_pos : '.'; + + if (++bytes_pos == bytes_roof || i == BYTES_PER_LINE) + { + int padding = 3 * (BYTES_PER_LINE - i); + + while (padding--) + { + *buffer_pos++ = ' '; + } + *buffer_pos++ = '\0'; + ascii_buffer[i] = '\0'; + + written += print_in_hook(data, "\n%4d: %s %s", + line_start, buffer, ascii_buffer); + + buffer_pos = buffer; + line_start += BYTES_PER_LINE; + i = 0; + } + else + { + *buffer_pos++ = ' '; + } + } + return written; +} diff --git a/src/libstrongswan/utils/utils/memory.h b/src/libstrongswan/utils/utils/memory.h new file mode 100644 index 000000000..aef318f6c --- /dev/null +++ b/src/libstrongswan/utils/utils/memory.h @@ -0,0 +1,183 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup memory_i memory + * @{ @ingroup utils_i + */ + +#ifndef MEMORY_H_ +#define MEMORY_H_ + +/** + * Helper function that compares two binary blobs for equality + */ +static inline bool memeq(const void *x, const void *y, size_t len) +{ + return memcmp(x, y, len) == 0; +} + +/** + * Same as memeq(), but with a constant runtime, safe for cryptographic use. + */ +bool memeq_const(const void *x, const void *y, size_t len); + +/** + * Calling memcpy() with NULL pointers, even with n == 0, results in undefined + * behavior according to the C standard. This version is guaranteed to not + * access the pointers if n is 0. + */ +static inline void *memcpy_noop(void *dst, const void *src, size_t n) +{ + return n ? memcpy(dst, src, n) : dst; +} +#ifdef memcpy +# undef memcpy +#endif +#define memcpy(d,s,n) memcpy_noop(d,s,n) + +/** + * Calling memmove() with NULL pointers, even with n == 0, results in undefined + * behavior according to the C standard. This version is guaranteed to not + * access the pointers if n is 0. + */ +static inline void *memmove_noop(void *dst, const void *src, size_t n) +{ + return n ? memmove(dst, src, n) : dst; +} +#ifdef memmove +# undef memmove +#endif +#define memmove(d,s,n) memmove_noop(d,s,n) + +/** + * Calling memset() with a NULL pointer, even with n == 0, results in undefined + * behavior according to the C standard. This version is guaranteed to not + * access the pointer if n is 0. + */ +static inline void *memset_noop(void *s, int c, size_t n) +{ + return n ? memset(s, c, n) : s; +} +#ifdef memset +# undef memset +#endif +#define memset(s,c,n) memset_noop(s,c,n) + +/** + * Same as memcpy, but XORs src into dst instead of copy + */ +void memxor(u_int8_t dest[], u_int8_t src[], size_t n); + +/** + * Safely overwrite n bytes of memory at ptr with zero, non-inlining variant. + */ +void memwipe_noinline(void *ptr, size_t n); + +/** + * Safely overwrite n bytes of memory at ptr with zero, inlining variant. + */ +static inline void memwipe_inline(void *ptr, size_t n) +{ + volatile char *c = (volatile char*)ptr; + size_t m, i; + + /* byte wise until long aligned */ + for (i = 0; (uintptr_t)&c[i] % sizeof(long) && i < n; i++) + { + c[i] = 0; + } + /* word wise */ + if (n >= sizeof(long)) + { + for (m = n - sizeof(long); i <= m; i += sizeof(long)) + { + *(volatile long*)&c[i] = 0; + } + } + /* byte wise of the rest */ + for (; i < n; i++) + { + c[i] = 0; + } +} + +/** + * Safely overwrite n bytes of memory at ptr with zero, auto-inlining variant. + */ +static inline void memwipe(void *ptr, size_t n) +{ + if (!ptr) + { + return; + } + if (__builtin_constant_p(n)) + { + memwipe_inline(ptr, n); + } + else + { + memwipe_noinline(ptr, n); + } +} + +/** + * A variant of strstr with the characteristics of memchr, where haystack is not + * a null-terminated string but simply a memory area of length n. + */ +void *memstr(const void *haystack, const char *needle, size_t n); + +/** + * Replacement for memrchr(3) if it is not provided by the C library. + * + * @param s start of the memory area to search + * @param c character to search + * @param n length of memory area to search + * @return pointer to the found character or NULL + */ +void *utils_memrchr(const void *s, int c, size_t n); + +#ifndef HAVE_MEMRCHR +#define memrchr(s,c,n) utils_memrchr(s,c,n) +#endif + +#ifndef HAVE_FMEMOPEN +# ifdef HAVE_FUNOPEN +# define HAVE_FMEMOPEN +# define HAVE_FMEMOPEN_FALLBACK +# include +/** + * fmemopen(3) fallback using BSD funopen. + * + * We could also provide one using fopencookie(), but should we have it we + * most likely have fmemopen(). + * + * fseek() is currently not supported. + */ +FILE *fmemopen(void *buf, size_t size, const char *mode); +# endif /* FUNOPEN */ +#endif /* FMEMOPEN */ + +/** + * printf hook for memory areas. + * + * Arguments are: + * u_char *ptr, u_int len + */ +int mem_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, + const void *const *args); + +#endif /** MEMORY_H_ @} */ diff --git a/src/libstrongswan/utils/utils/object.h b/src/libstrongswan/utils/utils/object.h new file mode 100644 index 000000000..301fb6685 --- /dev/null +++ b/src/libstrongswan/utils/utils/object.h @@ -0,0 +1,126 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup object_i object + * @{ @ingroup utils_i + */ + +#ifndef OBJECT_H_ +#define OBJECT_H_ + +/** + * Call destructor of an object, if object != NULL + */ +#define DESTROY_IF(obj) if (obj) (obj)->destroy(obj) + +/** + * Call offset destructor of an object, if object != NULL + */ +#define DESTROY_OFFSET_IF(obj, offset) if (obj) obj->destroy_offset(obj, offset); + +/** + * Call function destructor of an object, if object != NULL + */ +#define DESTROY_FUNCTION_IF(obj, fn) if (obj) obj->destroy_function(obj, fn); + +/** + * Object allocation/initialization macro, using designated initializer. + */ +#define INIT(this, ...) { (this) = malloc(sizeof(*(this))); \ + *(this) = (typeof(*(this))){ __VA_ARGS__ }; } + +/** + * Aligning version of INIT(). + * + * The returned pointer must be freed using free_align(), not free(). + * + * @param this object to allocate/initialize + * @param align alignment for allocation, in bytes + * @param ... initializer + */ +#define INIT_ALIGN(this, align, ...) { \ + (this) = malloc_align(sizeof(*(this)), align); \ + *(this) = (typeof(*(this))){ __VA_ARGS__ }; } + +/** + * Object allocation/initialization macro, with extra allocated bytes at tail. + * + * The extra space gets zero-initialized. + * + * @param this pointer to object to allocate memory for + * @param extra number of bytes to allocate at end of this + * @param ... initializer + */ +#define INIT_EXTRA(this, extra, ...) { \ + typeof(extra) _extra = (extra); \ + (this) = malloc(sizeof(*(this)) + _extra); \ + *(this) = (typeof(*(this))){ __VA_ARGS__ }; \ + memset((this) + 1, 0, _extra); } + +/** + * Aligning version of INIT_EXTRA(). + * + * The returned pointer must be freed using free_align(), not free(). + * + * @param this object to allocate/initialize + * @param extra number of bytes to allocate at end of this + * @param align alignment for allocation, in bytes + * @param ... initializer + */ +#define INIT_EXTRA_ALIGN(this, extra, align, ...) { \ + typeof(extra) _extra = (extra); \ + (this) = malloc_align(sizeof(*(this)) + _extra, align); \ + *(this) = (typeof(*(this))){ __VA_ARGS__ }; \ + memset((this) + 1, 0, _extra); } + +/** + * Method declaration/definition macro, providing private and public interface. + * + * Defines a method name with this as first parameter and a return value ret, + * and an alias for this method with a _ prefix, having the this argument + * safely casted to the public interface iface. + * _name is provided a function pointer, but will get optimized out by GCC. + */ +#define METHOD(iface, name, ret, this, ...) \ + static ret name(union {iface *_public; this;} \ + __attribute__((transparent_union)), ##__VA_ARGS__); \ + static typeof(name) *_##name = (typeof(name)*)name; \ + static ret name(this, ##__VA_ARGS__) + +/** + * Same as METHOD(), but is defined for two public interfaces. + */ +#define METHOD2(iface1, iface2, name, ret, this, ...) \ + static ret name(union {iface1 *_public1; iface2 *_public2; this;} \ + __attribute__((transparent_union)), ##__VA_ARGS__); \ + static typeof(name) *_##name = (typeof(name)*)name; \ + static ret name(this, ##__VA_ARGS__) + +/** + * Callback declaration/definition macro, allowing casted first parameter. + * + * This is very similar to METHOD, but instead of casting the first parameter + * to a public interface, it uses a void*. This allows type safe definition + * of a callback function, while using the real type for the first parameter. + */ +#define CALLBACK(name, ret, param1, ...) \ + static ret _cb_##name(union {void *_generic; param1;} \ + __attribute__((transparent_union)), ##__VA_ARGS__); \ + static typeof(_cb_##name) *name = (typeof(_cb_##name)*)_cb_##name; \ + static ret _cb_##name(param1, ##__VA_ARGS__) + +#endif /** OBJECT_H_ @} */ diff --git a/src/libstrongswan/utils/utils/path.c b/src/libstrongswan/utils/utils/path.c new file mode 100644 index 000000000..3abbe77ed --- /dev/null +++ b/src/libstrongswan/utils/utils/path.c @@ -0,0 +1,168 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2005-2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE /* for memrchr */ +#include +#include +#include + +#include +#include +#include +#include + +/** + * Described in header. + */ +char* path_dirname(const char *path) +{ + char *pos; + + pos = path ? strrchr(path, DIRECTORY_SEPARATOR[0]) : NULL; + + if (pos && !pos[1]) + { /* if path ends with slashes we have to look beyond them */ + while (pos > path && *pos == DIRECTORY_SEPARATOR[0]) + { /* skip trailing slashes */ + pos--; + } + pos = memrchr(path, DIRECTORY_SEPARATOR[0], pos - path + 1); + } + if (!pos) + { +#ifdef WIN32 + if (path && strlen(path)) + { + if ((isalpha(path[0]) && path[1] == ':')) + { /* if just a drive letter given, return that as dirname */ + return chunk_clone(chunk_from_chars(path[0], ':', 0)).ptr; + } + } +#endif + return strdup("."); + } + while (pos > path && *pos == DIRECTORY_SEPARATOR[0]) + { /* skip superfluous slashes */ + pos--; + } + return strndup(path, pos - path + 1); +} + +/** + * Described in header. + */ +char* path_basename(const char *path) +{ + char *pos, *trail = NULL; + + if (!path || !*path) + { + return strdup("."); + } + pos = strrchr(path, DIRECTORY_SEPARATOR[0]); + if (pos && !pos[1]) + { /* if path ends with slashes we have to look beyond them */ + while (pos > path && *pos == DIRECTORY_SEPARATOR[0]) + { /* skip trailing slashes */ + pos--; + } + if (pos == path && *pos == DIRECTORY_SEPARATOR[0]) + { /* contains only slashes */ + return strdup(DIRECTORY_SEPARATOR); + } + trail = pos + 1; + pos = memrchr(path, DIRECTORY_SEPARATOR[0], trail - path); + } + pos = pos ? pos + 1 : (char*)path; + return trail ? strndup(pos, trail - pos) : strdup(pos); +} + +/** + * Described in header. + */ +bool path_absolute(const char *path) +{ + if (!path) + { + return FALSE; + } +#ifdef WIN32 + if (strpfx(path, "\\\\")) + { /* UNC */ + return TRUE; + } + if (strlen(path) && isalpha(path[0]) && path[1] == ':') + { /* drive letter */ + return TRUE; + } +#else /* !WIN32 */ + if (path[0] == DIRECTORY_SEPARATOR[0]) + { + return TRUE; + } +#endif + return FALSE; +} + +/** + * Described in header. + */ +bool mkdir_p(const char *path, mode_t mode) +{ + int len; + char *pos, full[PATH_MAX]; + pos = full; + if (!path || *path == '\0') + { + return TRUE; + } + len = snprintf(full, sizeof(full)-1, "%s", path); + if (len < 0 || len >= sizeof(full)-1) + { + DBG1(DBG_LIB, "path string %s too long", path); + return FALSE; + } + /* ensure that the path ends with a '/' */ + if (full[len-1] != '/') + { + full[len++] = '/'; + full[len] = '\0'; + } + /* skip '/' at the beginning */ + while (*pos == '/') + { + pos++; + } + while ((pos = strchr(pos, '/'))) + { + *pos = '\0'; + if (access(full, F_OK) < 0) + { +#ifdef WIN32 + if (_mkdir(full) < 0) +#else + if (mkdir(full, mode) < 0) +#endif + { + DBG1(DBG_LIB, "failed to create directory %s", full); + return FALSE; + } + } + *pos = '/'; + pos++; + } + return TRUE; +} diff --git a/src/libstrongswan/utils/utils/path.h b/src/libstrongswan/utils/utils/path.h new file mode 100644 index 000000000..838ce73e6 --- /dev/null +++ b/src/libstrongswan/utils/utils/path.h @@ -0,0 +1,77 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup path_i path + * @{ @ingroup utils_i + */ + +#ifndef PATH_H_ +#define PATH_H_ + +/** + * Directory separator character in paths on this platform + */ +#ifdef WIN32 +# define DIRECTORY_SEPARATOR "\\" +#else +# define DIRECTORY_SEPARATOR "/" +#endif + +/** + * Like dirname(3) returns the directory part of the given null-terminated + * pathname, up to but not including the final '/' (or '.' if no '/' is found). + * Trailing '/' are not counted as part of the pathname. + * + * The difference is that it does this in a thread-safe manner (i.e. it does not + * use static buffers) and does not modify the original path. + * + * @param path original pathname + * @return allocated directory component + */ +char *path_dirname(const char *path); + +/** + * Like basename(3) returns the filename part of the given null-terminated path, + * i.e. the part following the final '/' (or '.' if path is empty or NULL). + * Trailing '/' are not counted as part of the pathname. + * + * The difference is that it does this in a thread-safe manner (i.e. it does not + * use static buffers) and does not modify the original path. + * + * @param path original pathname + * @return allocated filename component + */ +char *path_basename(const char *path); + +/** + * Check if a given path is absolute. + * + * @param path path to check + * @return TRUE if absolute, FALSE if relative + */ +bool path_absolute(const char *path); + +/** + * Creates a directory and all required parent directories. + * + * @param path path to the new directory + * @param mode permissions of the new directory/directories + * @return TRUE on success + */ +bool mkdir_p(const char *path, mode_t mode); + +#endif /** PATH_H_ @} */ diff --git a/src/libstrongswan/utils/utils/status.c b/src/libstrongswan/utils/utils/status.c new file mode 100644 index 000000000..4a97d846c --- /dev/null +++ b/src/libstrongswan/utils/utils/status.c @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2005-2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +ENUM(status_names, SUCCESS, NEED_MORE, + "SUCCESS", + "FAILED", + "OUT_OF_RES", + "ALREADY_DONE", + "NOT_SUPPORTED", + "INVALID_ARG", + "NOT_FOUND", + "PARSE_ERROR", + "VERIFY_ERROR", + "INVALID_STATE", + "DESTROY_ME", + "NEED_MORE", +); + +/** + * returns FAILED + */ +status_t return_failed() +{ + return FAILED; +} + +/** + * returns SUCCESS + */ +status_t return_success() +{ + return SUCCESS; +} diff --git a/src/libstrongswan/utils/utils/status.h b/src/libstrongswan/utils/utils/status.h new file mode 100644 index 000000000..c96eebd44 --- /dev/null +++ b/src/libstrongswan/utils/utils/status.h @@ -0,0 +1,72 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup status_i status + * @{ @ingroup utils_i + */ + +#ifndef STATUS_H_ +#define STATUS_H_ + +typedef enum status_t status_t; + +/** + * Return values of function calls. + */ +enum status_t { + /** Call succeeded */ + SUCCESS, + /** Call failed */ + FAILED, + /** Out of resources */ + OUT_OF_RES, + /** The suggested operation is already done */ + ALREADY_DONE, + /** Not supported */ + NOT_SUPPORTED, + /** One of the arguments is invalid */ + INVALID_ARG, + /** Something could not be found */ + NOT_FOUND, + /** Error while parsing */ + PARSE_ERROR, + /** Error while verifying */ + VERIFY_ERROR, + /** Object in invalid state */ + INVALID_STATE, + /** Destroy object which called method belongs to */ + DESTROY_ME, + /** Another call to the method is required */ + NEED_MORE, +}; + +/** + * enum_names for type status_t. + */ +extern enum_name_t *status_names; + +/** + * returns FAILED + */ +status_t return_failed(); + +/** + * returns SUCCESS + */ +status_t return_success(); + +#endif /** STATUS_H_ @} */ diff --git a/src/libstrongswan/utils/utils/strerror.h b/src/libstrongswan/utils/utils/strerror.h index e1b063842..f59649c2a 100644 --- a/src/libstrongswan/utils/utils/strerror.h +++ b/src/libstrongswan/utils/utils/strerror.h @@ -14,7 +14,8 @@ */ /** - * @{ @ingroup utils + * @defgroup strerror_i strerror + * @{ @ingroup utils_i */ #ifndef STRERROR_H_ diff --git a/src/libstrongswan/utils/utils/string.c b/src/libstrongswan/utils/utils/string.c new file mode 100644 index 000000000..14087e765 --- /dev/null +++ b/src/libstrongswan/utils/utils/string.c @@ -0,0 +1,91 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2005-2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +/** + * Described in header. + */ +char* translate(char *str, const char *from, const char *to) +{ + char *pos = str; + if (strlen(from) != strlen(to)) + { + return str; + } + while (pos && *pos) + { + char *match; + if ((match = strchr(from, *pos)) != NULL) + { + *pos = to[match - from]; + } + pos++; + } + return str; +} + +/** + * Described in header. + */ +char* strreplace(const char *str, const char *search, const char *replace) +{ + size_t len, slen, rlen, count = 0; + char *res, *pos, *found, *dst; + + if (!str || !*str || !search || !*search || !replace) + { + return (char*)str; + } + slen = strlen(search); + rlen = strlen(replace); + if (slen != rlen) + { + for (pos = (char*)str; (pos = strstr(pos, search)); pos += slen) + { + found = pos; + count++; + } + if (!count) + { + return (char*)str; + } + len = (found - str) + strlen(found) + count * (rlen - slen); + } + else + { + len = strlen(str); + } + found = strstr(str, search); + if (!found) + { + return (char*)str; + } + dst = res = malloc(len + 1); + pos = (char*)str; + do + { + len = found - pos; + memcpy(dst, pos, len); + dst += len; + memcpy(dst, replace, rlen); + dst += rlen; + pos = found + slen; + } + while ((found = strstr(pos, search))); + strcpy(dst, pos); + return res; +} diff --git a/src/libstrongswan/utils/utils/string.h b/src/libstrongswan/utils/utils/string.h new file mode 100644 index 000000000..60eaaae22 --- /dev/null +++ b/src/libstrongswan/utils/utils/string.h @@ -0,0 +1,103 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup string_i string + * @{ @ingroup utils_i + */ + +#ifndef STRING_H_ +#define STRING_H_ + +/** + * Helper function that compares two strings for equality + */ +static inline bool streq(const char *x, const char *y) +{ + return strcmp(x, y) == 0; +} + +/** + * Helper function that compares two strings for equality, length limited + */ +static inline bool strneq(const char *x, const char *y, size_t len) +{ + return strncmp(x, y, len) == 0; +} + +/** + * Helper function that checks if a string starts with a given prefix + */ +static inline bool strpfx(const char *x, const char *prefix) +{ + return strneq(x, prefix, strlen(prefix)); +} + +/** + * Helper function that compares two strings for equality ignoring case + */ +static inline bool strcaseeq(const char *x, const char *y) +{ + return strcasecmp(x, y) == 0; +} + +/** + * Helper function that compares two strings for equality ignoring case, length limited + */ +static inline bool strncaseeq(const char *x, const char *y, size_t len) +{ + return strncasecmp(x, y, len) == 0; +} + +/** + * Helper function that checks if a string starts with a given prefix + */ +static inline bool strcasepfx(const char *x, const char *prefix) +{ + return strncaseeq(x, prefix, strlen(prefix)); +} + +/** + * NULL-safe strdup variant + */ +static inline char *strdupnull(const char *s) +{ + return s ? strdup(s) : NULL; +} + +/** + * Translates the characters in the given string, searching for characters + * in 'from' and mapping them to characters in 'to'. + * The two characters sets 'from' and 'to' must contain the same number of + * characters. + */ +char *translate(char *str, const char *from, const char *to); + +/** + * Replaces all occurrences of search in the given string with replace. + * + * Allocates memory only if anything is replaced in the string. The original + * string is also returned if any of the arguments are invalid (e.g. if search + * is empty or any of them are NULL). + * + * @param str original string + * @param search string to search for and replace + * @param replace string to replace found occurrences with + * @return allocated string, if anything got replaced, str otherwise + */ +char *strreplace(const char *str, const char *search, const char *replace); + +#endif /** STRING_H_ @} */ diff --git a/src/libstrongswan/utils/utils/time.c b/src/libstrongswan/utils/utils/time.c new file mode 100644 index 000000000..c67ae93f2 --- /dev/null +++ b/src/libstrongswan/utils/utils/time.c @@ -0,0 +1,143 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2005-2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifdef WIN32 +/* for GetTickCount64, Windows 7 */ +# define _WIN32_WINNT 0x0601 +#endif + +#define _GNU_SOURCE +#include + +#include +#include + +/** + * Return monotonic time + */ +time_t time_monotonic(timeval_t *tv) +{ +#ifdef WIN32 + ULONGLONG ms; + time_t s; + + ms = GetTickCount64(); + s = ms / 1000; + if (tv) + { + tv->tv_sec = s; + tv->tv_usec = (ms - (s * 1000)) * 1000; + } + return s; +#else /* !WIN32 */ +#if defined(HAVE_CLOCK_GETTIME) && \ + (defined(HAVE_CONDATTR_CLOCK_MONOTONIC) || \ + defined(HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC)) + /* as we use time_monotonic() for condvar operations, we use the + * monotonic time source only if it is also supported by pthread. */ + timespec_t ts; + + if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0) + { + if (tv) + { + tv->tv_sec = ts.tv_sec; + tv->tv_usec = ts.tv_nsec / 1000; + } + return ts.tv_sec; + } +#endif /* HAVE_CLOCK_GETTIME && (...) */ + /* Fallback to non-monotonic timestamps: + * On MAC OS X, creating monotonic timestamps is rather difficult. We + * could use mach_absolute_time() and catch sleep/wakeup notifications. + * We stick to the simpler (non-monotonic) gettimeofday() for now. + * But keep in mind: we need the same time source here as in condvar! */ + if (!tv) + { + return time(NULL); + } + if (gettimeofday(tv, NULL) != 0) + { /* should actually never fail if passed pointers are valid */ + return -1; + } + return tv->tv_sec; +#endif /* !WIN32 */ +} + +/** + * Described in header. + */ +int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, + const void *const *args) +{ + static const char* months[] = { + "Jan", "Feb", "Mar", "Apr", "May", "Jun", + "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" + }; + time_t *time = *((time_t**)(args[0])); + bool utc = *((int*)(args[1])); + struct tm t, *ret = NULL; + + if (*time != UNDEFINED_TIME) + { + if (utc) + { + ret = gmtime_r(time, &t); + } + else + { + ret = localtime_r(time, &t); + } + } + if (ret == NULL) + { + return print_in_hook(data, "--- -- --:--:--%s----", + utc ? " UTC " : " "); + } + return print_in_hook(data, "%s %02d %02d:%02d:%02d%s%04d", + months[t.tm_mon], t.tm_mday, t.tm_hour, t.tm_min, + t.tm_sec, utc ? " UTC " : " ", t.tm_year + 1900); +} + +/** + * Described in header. + */ +int time_delta_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, + const void *const *args) +{ + char* unit = "second"; + time_t *arg1 = *((time_t**)(args[0])); + time_t *arg2 = *((time_t**)(args[1])); + u_int64_t delta = llabs(*arg1 - *arg2); + + if (delta > 2 * 60 * 60 * 24) + { + delta /= 60 * 60 * 24; + unit = "day"; + } + else if (delta > 2 * 60 * 60) + { + delta /= 60 * 60; + unit = "hour"; + } + else if (delta > 2 * 60) + { + delta /= 60; + unit = "minute"; + } + return print_in_hook(data, "%" PRIu64 " %s%s", delta, unit, + (delta == 1) ? "" : "s"); +} diff --git a/src/libstrongswan/utils/utils/time.h b/src/libstrongswan/utils/utils/time.h new file mode 100644 index 000000000..2626d9a33 --- /dev/null +++ b/src/libstrongswan/utils/utils/time.h @@ -0,0 +1,91 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup time_i time + * @{ @ingroup utils_i + */ + +#ifndef TIME_H_ +#define TIME_H_ + +/** + * time_t not defined + */ +#define UNDEFINED_TIME 0 + +/** + * Maximum time since epoch causing wrap-around on Jan 19 03:14:07 UTC 2038 + */ +#define TIME_32_BIT_SIGNED_MAX 0x7fffffff + +/** + * Handle struct timeval like an own type. + */ +typedef struct timeval timeval_t; + +/** + * Handle struct timespec like an own type. + */ +typedef struct timespec timespec_t; + +/** + * Get a timestamp from a monotonic time source. + * + * While the time()/gettimeofday() functions are affected by leap seconds + * and system time changes, this function returns ever increasing monotonic + * time stamps. + * + * @param tv timeval struct receiving monotonic timestamps, or NULL + * @return monotonic timestamp in seconds + */ +time_t time_monotonic(timeval_t *tv); + +/** + * Add the given number of milliseconds to the given timeval struct + * + * @param tv timeval struct to modify + * @param ms number of milliseconds + */ +static inline void timeval_add_ms(timeval_t *tv, u_int ms) +{ + tv->tv_usec += ms * 1000; + while (tv->tv_usec >= 1000000 /* 1s */) + { + tv->tv_usec -= 1000000; + tv->tv_sec++; + } +} + +/** + * printf hook for time_t. + * + * Arguments are: + * time_t* time, bool utc + */ +int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, + const void *const *args); + +/** + * printf hook for time_t deltas. + * + * Arguments are: + * time_t* begin, time_t* end + */ +int time_delta_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, + const void *const *args); + +#endif /** TIME_H_ @} */ diff --git a/src/libstrongswan/utils/utils/tty.c b/src/libstrongswan/utils/utils/tty.c new file mode 100644 index 000000000..7cce71dc5 --- /dev/null +++ b/src/libstrongswan/utils/utils/tty.c @@ -0,0 +1,86 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2005-2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include + +ENUM(tty_color_names, TTY_RESET, TTY_BG_DEF, + "\e[0m", + "\e[1m", + "\e[4m", + "\e[5m", + "\e[30m", + "\e[31m", + "\e[32m", + "\e[33m", + "\e[34m", + "\e[35m", + "\e[36m", + "\e[37m", + "\e[39m", + "\e[40m", + "\e[41m", + "\e[42m", + "\e[43m", + "\e[44m", + "\e[45m", + "\e[46m", + "\e[47m", + "\e[49m", +); + +/** + * Get the escape string for a given TTY color, empty string on non-tty FILE + */ +char* tty_escape_get(int fd, tty_escape_t escape) +{ + if (!isatty(fd)) + { + return ""; + } + switch (escape) + { + case TTY_RESET: + case TTY_BOLD: + case TTY_UNDERLINE: + case TTY_BLINKING: +#ifdef WIN32 + return ""; +#endif + case TTY_FG_BLACK: + case TTY_FG_RED: + case TTY_FG_GREEN: + case TTY_FG_YELLOW: + case TTY_FG_BLUE: + case TTY_FG_MAGENTA: + case TTY_FG_CYAN: + case TTY_FG_WHITE: + case TTY_FG_DEF: + case TTY_BG_BLACK: + case TTY_BG_RED: + case TTY_BG_GREEN: + case TTY_BG_YELLOW: + case TTY_BG_BLUE: + case TTY_BG_MAGENTA: + case TTY_BG_CYAN: + case TTY_BG_WHITE: + case TTY_BG_DEF: + return enum_to_name(tty_color_names, escape); + /* warn if a escape code is missing */ + } + return ""; +} diff --git a/src/libstrongswan/utils/utils/tty.h b/src/libstrongswan/utils/utils/tty.h new file mode 100644 index 000000000..6cd285a9a --- /dev/null +++ b/src/libstrongswan/utils/utils/tty.h @@ -0,0 +1,65 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tty_i tty + * @{ @ingroup utils_i + */ + +#ifndef TTY_H_ +#define TTY_H_ + +typedef enum tty_escape_t tty_escape_t; + +/** + * Excape codes for tty colors + */ +enum tty_escape_t { + /** text properties */ + TTY_RESET, + TTY_BOLD, + TTY_UNDERLINE, + TTY_BLINKING, + + /** foreground colors */ + TTY_FG_BLACK, + TTY_FG_RED, + TTY_FG_GREEN, + TTY_FG_YELLOW, + TTY_FG_BLUE, + TTY_FG_MAGENTA, + TTY_FG_CYAN, + TTY_FG_WHITE, + TTY_FG_DEF, + + /** background colors */ + TTY_BG_BLACK, + TTY_BG_RED, + TTY_BG_GREEN, + TTY_BG_YELLOW, + TTY_BG_BLUE, + TTY_BG_MAGENTA, + TTY_BG_CYAN, + TTY_BG_WHITE, + TTY_BG_DEF, +}; + +/** + * Get the escape string for a given TTY color, empty string on non-tty fd + */ +char* tty_escape_get(int fd, tty_escape_t escape); + +#endif /** TTY_H_ @} */ diff --git a/src/libstrongswan/utils/utils/types.h b/src/libstrongswan/utils/utils/types.h new file mode 100644 index 000000000..056c2e0c2 --- /dev/null +++ b/src/libstrongswan/utils/utils/types.h @@ -0,0 +1,87 @@ +/* + * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup types_i types + * @{ @ingroup utils_i + */ + +#ifndef TYPES_H_ +#define TYPES_H_ + +/** + * General purpose boolean type. + */ +#ifdef HAVE_STDBOOL_H +# include +#else +# ifndef HAVE__BOOL +# define _Bool signed char +# endif /* HAVE__BOOL */ +# define bool _Bool +# define false 0 +# define true 1 +# define __bool_true_false_are_defined 1 +#endif /* HAVE_STDBOOL_H */ +#ifndef FALSE +# define FALSE false +#endif /* FALSE */ +#ifndef TRUE +# define TRUE true +#endif /* TRUE */ + +/** + * define some missing fixed width int types on OpenSolaris. + * TODO: since the uintXX_t types are defined by the C99 standard we should + * probably use those anyway + */ +#if defined __sun || defined WIN32 +#include +typedef uint8_t u_int8_t; +typedef uint16_t u_int16_t; +typedef uint32_t u_int32_t; +typedef uint64_t u_int64_t; +#endif + +#ifdef HAVE_INT128 +/** + * 128 bit wide signed integer, if supported + */ +typedef __int128 int128_t; +/** + * 128 bit wide unsigned integer, if supported + */ +typedef unsigned __int128 u_int128_t; + +# define MAX_INT_TYPE int128_t +# define MAX_UINT_TYPE u_int128_t +#else +# define MAX_INT_TYPE int64_t +# define MAX_UINT_TYPE u_int64_t +#endif + +/** + * deprecated pluto style return value: + * error message, NULL for success + */ +typedef const char *err_t; + +/** + * Handle struct sockaddr as a simpler sockaddr_t type. + */ +typedef struct sockaddr sockaddr_t; + +#endif /** TYPES_H_ @} */ diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c index e6be36b7b..000dda43b 100644 --- a/src/libtls/tls_peer.c +++ b/src/libtls/tls_peer.c @@ -354,6 +354,13 @@ static status_t process_modp_key_exchange(private_tls_peer_t *this, this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); return NEED_MORE; } + /* reject (export) DH groups using primes smaller than 1024 bit */ + if (prime.len < 1024 / 8) + { + DBG1(DBG_TLS, "short DH prime received (%zu bytes)", prime.len); + this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); + return NEED_MORE; + } public = find_public_key(this); if (!public) { @@ -641,7 +648,7 @@ static status_t process_finished(private_tls_peer_t *this, bio_reader_t *reader) this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); return NEED_MORE; } - if (!chunk_equals(received, chunk_from_thing(buf))) + if (!chunk_equals_const(received, chunk_from_thing(buf))) { DBG1(DBG_TLS, "received server finished invalid"); this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR); diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c index b1a214f7f..f9295a160 100644 --- a/src/libtls/tls_server.c +++ b/src/libtls/tls_server.c @@ -607,7 +607,7 @@ static status_t process_finished(private_tls_server_t *this, this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR); return NEED_MORE; } - if (!chunk_equals(received, chunk_from_thing(buf))) + if (!chunk_equals_const(received, chunk_from_thing(buf))) { DBG1(DBG_TLS, "received client finished invalid"); this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR); diff --git a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c index faad02b9b..b239c20dc 100644 --- a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c +++ b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c @@ -283,7 +283,7 @@ METHOD(pb_tnc_batch_t, process_header, status_t, if (directionality & (*from_server == is_server)) { - DBG1(DBG_TNC, "wrong Directionality: batch is from a PB %s", + DBG1(DBG_TNC, "wrong Directionality: batch is from a PB-TNC %s", is_server ? "server" : "client"); msg = pb_error_msg_create_with_offset(TRUE, PEN_IETF, PB_ERROR_INVALID_PARAMETER, 1); diff --git a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h index 35b0b7c26..395284366 100644 --- a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h +++ b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-213 Andreas Steffen + * Copyright (C) 2010-2013 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it diff --git a/src/starter/Android.mk b/src/starter/Android.mk index c37fc1aa6..8c5d1a92f 100644 --- a/src/starter/Android.mk +++ b/src/starter/Android.mk @@ -19,7 +19,7 @@ LOCAL_C_INCLUDES += \ $(strongswan_PATH)/src/starter \ $(strongswan_PATH)/src/stroke -LOCAL_CFLAGS := $(strongswan_CFLAGS) -DSTART_CHARON \ +LOCAL_CFLAGS := $(strongswan_CFLAGS) \ -DIPSEC_SCRIPT='"ipsec"' \ -DPLUGINS='"$(strongswan_STARTER_PLUGINS)"' diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index f0a2be856..7f5d1ca5b 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -40,10 +40,6 @@ EXTRA_DIST = keywords.txt ipsec.conf Android.mk MAINTAINERCLEANFILES = keywords.c BUILT_SOURCES = keywords.c parser/parser.h -if USE_CHARON - AM_CPPFLAGS += -DSTART_CHARON -endif - if USE_LOAD_WARNING AM_CPPFLAGS += -DLOAD_WARNING endif diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index ee68adc21..3166cc5d5 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -80,9 +80,8 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ ipsec_PROGRAMS = starter$(EXEEXT) -@USE_CHARON_TRUE@am__append_1 = -DSTART_CHARON -@USE_LOAD_WARNING_TRUE@am__append_2 = -DLOAD_WARNING -@USE_SCEPCLIENT_TRUE@am__append_3 = -DGENERATE_SELFCERT +@USE_LOAD_WARNING_TRUE@am__append_1 = -DLOAD_WARNING +@USE_SCEPCLIENT_TRUE@am__append_2 = -DGENERATE_SELFCERT subdir = src/starter DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ parser/parser.h parser/parser.c parser/lexer.c \ @@ -493,7 +492,7 @@ AM_CPPFLAGS = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \ -DDEV_RANDOM=\"${random_device}\" \ -DDEV_URANDOM=\"${urandom_device}\" \ -DPLUGINS=\""${starter_plugins}\"" -DDEBUG $(am__append_1) \ - $(am__append_2) $(am__append_3) + $(am__append_2) AM_YFLAGS = -v -d starter_LDADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ diff --git a/src/starter/confread.c b/src/starter/confread.c index de9099a1b..c3a0ac07f 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -50,17 +50,6 @@ static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables"; */ extern kw_entry_t *in_word_set (char *str, unsigned int len); -static bool daemon_exists(char *daemon, char *path) -{ - struct stat st; - if (stat(path, &st) != 0) - { - DBG1(DBG_APP, "Disabling %sstart option, '%s' not found", daemon, path); - return FALSE; - } - return TRUE; -} - /** * Process deprecated keywords */ @@ -147,14 +136,6 @@ static void load_setup(starter_config_t *cfg, conf_parser_t *parser) } enumerator->destroy(enumerator); dict->destroy(dict); - - /* verify the executables are actually available */ -#ifdef START_CHARON - cfg->setup.charonstart = cfg->setup.charonstart && - daemon_exists(daemon_name, cmd); -#else - cfg->setup.charonstart = FALSE; -#endif } /* @@ -722,12 +703,8 @@ starter_config_t* confread_load(const char *file) INIT(cfg, .setup = { .uniqueids = TRUE, - } ); -#ifdef START_CHARON - cfg->setup.charonstart = TRUE; -#endif /* load config setup section */ load_setup(cfg, parser); diff --git a/src/starter/confread.h b/src/starter/confread.h index 0eea98849..457327f18 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -193,7 +193,6 @@ typedef struct starter_config starter_config_t; struct starter_config { struct { - bool charonstart; char *charondebug; bool uniqueids; bool cachecrls; diff --git a/src/starter/starter.c b/src/starter/starter.c index 74b5b5286..a19298923 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -517,6 +517,13 @@ int main (int argc, char **argv) exit(status); } + if (stat(cmd, &stb) != 0) + { + DBG1(DBG_APP, "IKE daemon '%s' not found", cmd); + cleanup(); + exit(LSB_RC_FAILURE); + } + DBG1(DBG_APP, "Starting %sSwan "VERSION" IPsec [starter]...", lib->settings->get_bool(lib->settings, "charon.i_dont_care_about_security_and_use_aggressive_mode_psk", @@ -836,7 +843,7 @@ int main (int argc, char **argv) */ if (_action_ & FLAG_ACTION_START_CHARON) { - if (cfg->setup.charonstart && !starter_charon_pid()) + if (!starter_charon_pid()) { DBG2(DBG_APP, "Attempting to start %s...", daemon_name); if (starter_start_charon(cfg, no_fork, attach_gdb)) diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index 6e1f1605d..79a92cdad 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2007-2015 Tobias Brunner * Copyright (C) 2006 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -31,37 +32,57 @@ #define IPV4_LEN 4 #define IPV6_LEN 16 -static char* push_string(stroke_msg_t *msg, char *string) +static stroke_msg_t *create_stroke_msg(int type) { - unsigned long string_start = msg->length; + stroke_msg_t *msg; - if (string == NULL) + INIT(msg, + .type = type, + .length = offsetof(stroke_msg_t, buffer), + ); + return msg; +} + +#define push_string(msg, field, str) \ + push_string_impl(msg, offsetof(stroke_msg_t, field), str) +#define push_string_end(msg, offset, field, str) \ + push_string_impl(msg, offset + offsetof(stroke_end_t, field), str) + +static void push_string_impl(stroke_msg_t **msg, size_t offset, char *string) +{ + size_t cur_len = (*msg)->length, str_len; + + if (!string) { - return NULL; + return; } - else if ((size_t)msg->length + strlen(string) >= sizeof(stroke_msg_t)) + str_len = strlen(string) + 1; + if (cur_len + str_len >= UINT16_MAX) { - /* set invalid length to fail during message send */ - msg->length = ~0; - return NULL; + (*msg)->length = UINT16_MAX; + return; } - else + while (cur_len + str_len > sizeof(stroke_msg_t) + (*msg)->buflen) { - msg->length += strlen(string) + 1; - strcpy((char*)msg + string_start, string); - return (char*)string_start; + *msg = realloc(*msg, sizeof(stroke_msg_t) + (*msg)->buflen + + STROKE_BUF_LEN_INC); + (*msg)->buflen += STROKE_BUF_LEN_INC; } + (*msg)->length += str_len; + strcpy((char*)*msg + cur_len, string); + *(char**)((char*)*msg + offset) = (char*)cur_len; } -static int send_stroke_msg (stroke_msg_t *msg) +static int send_stroke_msg(stroke_msg_t *msg) { stream_t *stream; char *uri, buffer[64]; int count; - if (msg->length > sizeof(stroke_msg_t)) + if (msg->length == UINT16_MAX) { - DBG1(DBG_APP, "stroke message exceeds buffer size"); + DBG1(DBG_APP, "stroke message exceeds maximum buffer size"); + free(msg); return -1; } @@ -74,6 +95,7 @@ static int send_stroke_msg (stroke_msg_t *msg) if (!stream) { DBG1(DBG_APP, "failed to connect to stroke socket '%s'", uri); + free(msg); return -1; } @@ -81,6 +103,7 @@ static int send_stroke_msg (stroke_msg_t *msg) { DBG1(DBG_APP, "sending stroke message failed"); stream->destroy(stream); + free(msg); return -1; } while ((count = stream->read(stream, buffer, sizeof(buffer)-1, TRUE)) > 0) @@ -93,6 +116,7 @@ static int send_stroke_msg (stroke_msg_t *msg) DBG1(DBG_APP, "reading stroke response failed"); } stream->destroy(stream); + free(msg); return 0; } @@ -109,33 +133,38 @@ static char* connection_name(starter_conn_t *conn) return conn->name; } -static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end) +static void add_end(stroke_msg_t **msg, size_t offset, starter_end_t *conn_end) { - msg_end->auth = push_string(msg, conn_end->auth); - msg_end->auth2 = push_string(msg, conn_end->auth2); - msg_end->id = push_string(msg, conn_end->id); - msg_end->id2 = push_string(msg, conn_end->id2); - msg_end->rsakey = push_string(msg, conn_end->rsakey); - msg_end->cert = push_string(msg, conn_end->cert); - msg_end->cert2 = push_string(msg, conn_end->cert2); - msg_end->cert_policy = push_string(msg, conn_end->cert_policy); - msg_end->ca = push_string(msg, conn_end->ca); - msg_end->ca2 = push_string(msg, conn_end->ca2); - msg_end->groups = push_string(msg, conn_end->groups); - msg_end->groups2 = push_string(msg, conn_end->groups2); - msg_end->updown = push_string(msg, conn_end->updown); + stroke_end_t *msg_end; + + push_string_end(msg, offset, auth, conn_end->auth); + push_string_end(msg, offset, auth2, conn_end->auth2); + push_string_end(msg, offset, id, conn_end->id); + push_string_end(msg, offset, id2, conn_end->id2); + push_string_end(msg, offset, rsakey, conn_end->rsakey); + push_string_end(msg, offset, cert, conn_end->cert); + push_string_end(msg, offset, cert2, conn_end->cert2); + push_string_end(msg, offset, cert_policy, conn_end->cert_policy); + push_string_end(msg, offset, ca, conn_end->ca); + push_string_end(msg, offset, ca2, conn_end->ca2); + push_string_end(msg, offset, groups, conn_end->groups); + push_string_end(msg, offset, groups2, conn_end->groups2); + push_string_end(msg, offset, updown, conn_end->updown); if (conn_end->host) { - msg_end->address = push_string(msg, conn_end->host); + push_string_end(msg, offset, address, conn_end->host); } else { - msg_end->address = push_string(msg, "%any"); + push_string_end(msg, offset, address, "%any"); } + push_string_end(msg, offset, subnets, conn_end->subnet); + push_string_end(msg, offset, sourceip, conn_end->sourceip); + push_string_end(msg, offset, dns, conn_end->dns); + + /* we can't assign it earlier as msg might change */ + msg_end = (stroke_end_t*)((char*)(*msg) + offset); msg_end->ikeport = conn_end->ikeport; - msg_end->subnets = push_string(msg, conn_end->subnet); - msg_end->sourceip = push_string(msg, conn_end->sourceip); - msg_end->dns = push_string(msg, conn_end->dns); msg_end->sendcert = conn_end->sendcert; msg_end->hostaccess = conn_end->hostaccess; msg_end->tohost = !conn_end->subnet; @@ -147,187 +176,178 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) { - stroke_msg_t msg; + stroke_msg_t *msg; - memset(&msg, 0, sizeof(msg)); - msg.type = STR_ADD_CONN; - msg.length = offsetof(stroke_msg_t, buffer); - msg.add_conn.version = conn->keyexchange; - msg.add_conn.name = push_string(&msg, connection_name(conn)); - msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity); - msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity); - msg.add_conn.xauth_identity = push_string(&msg, conn->xauth_identity); + msg = create_stroke_msg(STR_ADD_CONN); + msg->add_conn.version = conn->keyexchange; + push_string(&msg, add_conn.name, connection_name(conn)); + push_string(&msg, add_conn.eap_identity, conn->eap_identity); + push_string(&msg, add_conn.aaa_identity, conn->aaa_identity); + push_string(&msg, add_conn.xauth_identity, conn->xauth_identity); - msg.add_conn.mode = conn->mode; - msg.add_conn.proxy_mode = conn->proxy_mode; + msg->add_conn.mode = conn->mode; + msg->add_conn.proxy_mode = conn->proxy_mode; if (!(conn->options & SA_OPTION_DONT_REKEY)) { - msg.add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH); - msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds; - msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds; - msg.add_conn.rekey.margin = conn->sa_rekey_margin; - msg.add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes; - msg.add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes; - msg.add_conn.rekey.life_packets = conn->sa_ipsec_life_packets; - msg.add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets; - msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz; + msg->add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH); + msg->add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds; + msg->add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds; + msg->add_conn.rekey.margin = conn->sa_rekey_margin; + msg->add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes; + msg->add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes; + msg->add_conn.rekey.life_packets = conn->sa_ipsec_life_packets; + msg->add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets; + msg->add_conn.rekey.fuzz = conn->sa_rekey_fuzz; } - msg.add_conn.rekey.tries = conn->sa_keying_tries; - - msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE; - msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP; - msg.add_conn.fragmentation = conn->fragmentation; - msg.add_conn.ikedscp = conn->ikedscp; - msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS; - msg.add_conn.install_policy = conn->install_policy; - msg.add_conn.aggressive = conn->aggressive; - msg.add_conn.pushmode = conn->options & SA_OPTION_MODECFG_PUSH; - msg.add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy; - msg.add_conn.unique = cfg->setup.uniqueids; - msg.add_conn.algorithms.ike = push_string(&msg, conn->ike); - msg.add_conn.algorithms.esp = push_string(&msg, conn->esp); - msg.add_conn.algorithms.ah = push_string(&msg, conn->ah); - msg.add_conn.dpd.delay = conn->dpd_delay; - msg.add_conn.dpd.timeout = conn->dpd_timeout; - msg.add_conn.dpd.action = conn->dpd_action; - msg.add_conn.close_action = conn->close_action; - msg.add_conn.inactivity = conn->inactivity; - msg.add_conn.ikeme.mediation = conn->me_mediation; - msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by); - msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid); - msg.add_conn.reqid = conn->reqid; - msg.add_conn.replay_window = conn->replay_window; - msg.add_conn.mark_in.value = conn->mark_in.value; - msg.add_conn.mark_in.mask = conn->mark_in.mask; - msg.add_conn.mark_out.value = conn->mark_out.value; - msg.add_conn.mark_out.mask = conn->mark_out.mask; - msg.add_conn.tfc = conn->tfc; - - starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left); - starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right); - - if (!msg.add_conn.me.auth && !msg.add_conn.other.auth && + msg->add_conn.rekey.tries = conn->sa_keying_tries; + + msg->add_conn.mobike = conn->options & SA_OPTION_MOBIKE; + msg->add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP; + msg->add_conn.fragmentation = conn->fragmentation; + msg->add_conn.ikedscp = conn->ikedscp; + msg->add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS; + msg->add_conn.install_policy = conn->install_policy; + msg->add_conn.aggressive = conn->aggressive; + msg->add_conn.pushmode = conn->options & SA_OPTION_MODECFG_PUSH; + msg->add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy; + msg->add_conn.unique = cfg->setup.uniqueids; + push_string(&msg, add_conn.algorithms.ike, conn->ike); + push_string(&msg, add_conn.algorithms.esp, conn->esp); + push_string(&msg, add_conn.algorithms.ah, conn->ah); + msg->add_conn.dpd.delay = conn->dpd_delay; + msg->add_conn.dpd.timeout = conn->dpd_timeout; + msg->add_conn.dpd.action = conn->dpd_action; + msg->add_conn.close_action = conn->close_action; + msg->add_conn.inactivity = conn->inactivity; + msg->add_conn.ikeme.mediation = conn->me_mediation; + push_string(&msg, add_conn.ikeme.mediated_by, conn->me_mediated_by); + push_string(&msg, add_conn.ikeme.peerid, conn->me_peerid); + msg->add_conn.reqid = conn->reqid; + msg->add_conn.replay_window = conn->replay_window; + msg->add_conn.mark_in.value = conn->mark_in.value; + msg->add_conn.mark_in.mask = conn->mark_in.mask; + msg->add_conn.mark_out.value = conn->mark_out.value; + msg->add_conn.mark_out.mask = conn->mark_out.mask; + msg->add_conn.tfc = conn->tfc; + + add_end(&msg, offsetof(stroke_msg_t, add_conn.me), &conn->left); + add_end(&msg, offsetof(stroke_msg_t, add_conn.other), &conn->right); + + if (!msg->add_conn.me.auth && !msg->add_conn.other.auth && conn->authby) { /* leftauth/rightauth not set, use legacy options */ if (streq(conn->authby, "rsa") || streq(conn->authby, "rsasig") || streq(conn->authby, "ecdsa") || streq(conn->authby, "ecdsasig") || streq(conn->authby, "pubkey")) { - msg.add_conn.me.auth = push_string(&msg, "pubkey"); - msg.add_conn.other.auth = push_string(&msg, "pubkey"); + push_string(&msg, add_conn.me.auth, "pubkey"); + push_string(&msg, add_conn.other.auth, "pubkey"); } else if (streq(conn->authby, "secret") || streq(conn->authby, "psk")) { - msg.add_conn.me.auth = push_string(&msg, "psk"); - msg.add_conn.other.auth = push_string(&msg, "psk"); + push_string(&msg, add_conn.me.auth, "psk"); + push_string(&msg, add_conn.other.auth, "psk"); } else if (streq(conn->authby, "xauthrsasig")) { - msg.add_conn.me.auth = push_string(&msg, "pubkey"); - msg.add_conn.other.auth = push_string(&msg, "pubkey"); + push_string(&msg, add_conn.me.auth, "pubkey"); + push_string(&msg, add_conn.other.auth, "pubkey"); if (conn->options & SA_OPTION_XAUTH_SERVER) { - msg.add_conn.other.auth2 = push_string(&msg, "xauth"); + push_string(&msg, add_conn.other.auth2, "xauth"); } else { - msg.add_conn.me.auth2 = push_string(&msg, "xauth"); + push_string(&msg, add_conn.me.auth2, "xauth"); } } else if (streq(conn->authby, "xauthpsk")) { - msg.add_conn.me.auth = push_string(&msg, "psk"); - msg.add_conn.other.auth = push_string(&msg, "psk"); + push_string(&msg, add_conn.me.auth, "psk"); + push_string(&msg, add_conn.other.auth, "psk"); if (conn->options & SA_OPTION_XAUTH_SERVER) { - msg.add_conn.other.auth2 = push_string(&msg, "xauth"); + push_string(&msg, add_conn.other.auth2, "xauth"); } else { - msg.add_conn.me.auth2 = push_string(&msg, "xauth"); + push_string(&msg, add_conn.me.auth2, "xauth"); } } } - return send_stroke_msg(&msg); + return send_stroke_msg(msg); } int starter_stroke_del_conn(starter_conn_t *conn) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_DEL_CONN; - msg.length = offsetof(stroke_msg_t, buffer); - msg.del_conn.name = push_string(&msg, connection_name(conn)); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_DEL_CONN); + push_string(&msg, del_conn.name, connection_name(conn)); + return send_stroke_msg(msg); } int starter_stroke_route_conn(starter_conn_t *conn) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_ROUTE; - msg.length = offsetof(stroke_msg_t, buffer); - msg.route.name = push_string(&msg, connection_name(conn)); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_ROUTE); + push_string(&msg, route.name, connection_name(conn)); + return send_stroke_msg(msg); } int starter_stroke_unroute_conn(starter_conn_t *conn) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_UNROUTE; - msg.length = offsetof(stroke_msg_t, buffer); - msg.route.name = push_string(&msg, connection_name(conn)); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_UNROUTE); + push_string(&msg, route.name, connection_name(conn)); + return send_stroke_msg(msg); } int starter_stroke_initiate_conn(starter_conn_t *conn) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_INITIATE; - msg.length = offsetof(stroke_msg_t, buffer); - msg.initiate.name = push_string(&msg, connection_name(conn)); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_INITIATE); + push_string(&msg, initiate.name, connection_name(conn)); + return send_stroke_msg(msg); } int starter_stroke_add_ca(starter_ca_t *ca) { - stroke_msg_t msg; - - msg.type = STR_ADD_CA; - msg.length = offsetof(stroke_msg_t, buffer); - msg.add_ca.name = push_string(&msg, ca->name); - msg.add_ca.cacert = push_string(&msg, ca->cacert); - msg.add_ca.crluri = push_string(&msg, ca->crluri); - msg.add_ca.crluri2 = push_string(&msg, ca->crluri2); - msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri); - msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2); - msg.add_ca.certuribase = push_string(&msg, ca->certuribase); - return send_stroke_msg(&msg); + stroke_msg_t *msg; + + msg = create_stroke_msg(STR_ADD_CA); + push_string(&msg, add_ca.name, ca->name); + push_string(&msg, add_ca.cacert, ca->cacert); + push_string(&msg, add_ca.crluri, ca->crluri); + push_string(&msg, add_ca.crluri2, ca->crluri2); + push_string(&msg, add_ca.ocspuri, ca->ocspuri); + push_string(&msg, add_ca.ocspuri2, ca->ocspuri2); + push_string(&msg, add_ca.certuribase, ca->certuribase); + return send_stroke_msg(msg); } int starter_stroke_del_ca(starter_ca_t *ca) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_DEL_CA; - msg.length = offsetof(stroke_msg_t, buffer); - msg.del_ca.name = push_string(&msg, ca->name); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_DEL_CA); + push_string(&msg, del_ca.name, ca->name); + return send_stroke_msg(msg); } int starter_stroke_configure(starter_config_t *cfg) { - stroke_msg_t msg; + stroke_msg_t *msg; if (cfg->setup.cachecrls) { - msg.type = STR_CONFIG; - msg.length = offsetof(stroke_msg_t, buffer); - msg.config.cachecrl = 1; - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_CONFIG); + msg->config.cachecrl = 1; + return send_stroke_msg(msg); } return 0; } diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c index ae20b0ca3..07911d2d2 100644 --- a/src/stroke/stroke.c +++ b/src/stroke/stroke.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2014 Tobias Brunner + * Copyright (C) 2007-2015 Tobias Brunner * Copyright (C) 2006 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -33,28 +33,58 @@ struct stroke_token { static char *daemon_name = "charon"; static int output_verbosity = 1; /* CONTROL */ -static char* push_string(stroke_msg_t *msg, char *string) +static stroke_msg_t *create_stroke_msg(int type) { - unsigned long string_start = msg->length; + stroke_msg_t *msg; - if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t)) + INIT(msg, + .type = type, + .length = offsetof(stroke_msg_t, buffer), + ); + return msg; +} + +#define push_string(msg, field, str) \ + push_string_impl(msg, offsetof(stroke_msg_t, field), str) + +static void push_string_impl(stroke_msg_t **msg, size_t offset, char *string) +{ + size_t cur_len = (*msg)->length, str_len; + + if (!string) + { + return; + } + str_len = strlen(string) + 1; + if (cur_len + str_len >= UINT16_MAX) { - return NULL; + (*msg)->length = UINT16_MAX; + return; } - else + while (cur_len + str_len > sizeof(stroke_msg_t) + (*msg)->buflen) { - msg->length += strlen(string) + 1; - strcpy((char*)msg + string_start, string); - return (char*)string_start; + *msg = realloc(*msg, sizeof(stroke_msg_t) + (*msg)->buflen + + STROKE_BUF_LEN_INC); + (*msg)->buflen += STROKE_BUF_LEN_INC; } + (*msg)->length += str_len; + strcpy((char*)*msg + cur_len, string); + *(char**)((char*)*msg + offset) = (char*)cur_len; } -static int send_stroke_msg (stroke_msg_t *msg) +static int send_stroke_msg(stroke_msg_t *msg) { stream_t *stream; char *uri, buffer[512], *pass; int count; + if (msg->length == UINT16_MAX) + { + fprintf(stderr, "stroke message exceeds maximum buffer size"); + free(msg); + return -1; + } + msg->output_verbosity = output_verbosity; uri = lib->settings->get_str(lib->settings, "%s.plugins.stroke.socket", @@ -63,6 +93,7 @@ static int send_stroke_msg (stroke_msg_t *msg) if (!stream) { fprintf(stderr, "failed to connect to stroke socket '%s'\n", uri); + free(msg); return -1; } @@ -70,6 +101,7 @@ static int send_stroke_msg (stroke_msg_t *msg) { fprintf(stderr, "sending stroke message failed\n"); stream->destroy(stream); + free(msg); return -1; } @@ -109,6 +141,7 @@ static int send_stroke_msg (stroke_msg_t *msg) fprintf(stderr, "reading stroke response failed\n"); } stream->destroy(stream); + free(msg); return 0; } @@ -117,126 +150,116 @@ static int add_connection(char *name, char *my_addr, char *other_addr, char *my_nets, char *other_nets) { - stroke_msg_t msg; - - memset(&msg, 0, sizeof(msg)); - msg.length = offsetof(stroke_msg_t, buffer); - msg.type = STR_ADD_CONN; - - msg.add_conn.name = push_string(&msg, name); - msg.add_conn.version = 2; - msg.add_conn.mode = 1; - msg.add_conn.mobike = 1; - msg.add_conn.dpd.action = 1; - msg.add_conn.install_policy = 1; - - msg.add_conn.me.id = push_string(&msg, my_id); - msg.add_conn.me.address = push_string(&msg, my_addr); - msg.add_conn.me.ikeport = 500; - msg.add_conn.me.subnets = push_string(&msg, my_nets); - msg.add_conn.me.sendcert = 1; - msg.add_conn.me.to_port = 65535; - - msg.add_conn.other.id = push_string(&msg, other_id); - msg.add_conn.other.address = push_string(&msg, other_addr); - msg.add_conn.other.ikeport = 500; - msg.add_conn.other.subnets = push_string(&msg, other_nets); - msg.add_conn.other.sendcert = 1; - msg.add_conn.other.to_port = 65535; - - return send_stroke_msg(&msg); + stroke_msg_t *msg; + + msg = create_stroke_msg(STR_ADD_CONN); + + push_string(&msg, add_conn.name, name); + msg->add_conn.version = 2; + msg->add_conn.mode = 1; + msg->add_conn.mobike = 1; + msg->add_conn.dpd.action = 1; + msg->add_conn.install_policy = 1; + + push_string(&msg, add_conn.me.id, my_id); + push_string(&msg, add_conn.me.address, my_addr); + msg->add_conn.me.ikeport = 500; + push_string(&msg, add_conn.me.subnets, my_nets); + msg->add_conn.me.sendcert = 1; + msg->add_conn.me.to_port = 65535; + + push_string(&msg, add_conn.other.id, other_id); + push_string(&msg, add_conn.other.address, other_addr); + msg->add_conn.other.ikeport = 500; + push_string(&msg, add_conn.other.subnets, other_nets); + msg->add_conn.other.sendcert = 1; + msg->add_conn.other.to_port = 65535; + + return send_stroke_msg(msg); } static int del_connection(char *name) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.length = offsetof(stroke_msg_t, buffer); - msg.type = STR_DEL_CONN; - msg.initiate.name = push_string(&msg, name); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_DEL_CONN); + push_string(&msg, initiate.name, name); + return send_stroke_msg(msg); } static int initiate_connection(char *name) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.length = offsetof(stroke_msg_t, buffer); - msg.type = STR_INITIATE; - msg.initiate.name = push_string(&msg, name); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_INITIATE); + push_string(&msg, initiate.name, name); + return send_stroke_msg(msg); } static int terminate_connection(char *name) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_TERMINATE; - msg.length = offsetof(stroke_msg_t, buffer); - msg.initiate.name = push_string(&msg, name); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_TERMINATE); + push_string(&msg, initiate.name, name); + return send_stroke_msg(msg); } static int terminate_connection_srcip(char *start, char *end) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_TERMINATE_SRCIP; - msg.length = offsetof(stroke_msg_t, buffer); - msg.terminate_srcip.start = push_string(&msg, start); - msg.terminate_srcip.end = push_string(&msg, end); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_TERMINATE_SRCIP); + push_string(&msg, terminate_srcip.start, start); + push_string(&msg, terminate_srcip.end, end); + return send_stroke_msg(msg); } static int rekey_connection(char *name) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_REKEY; - msg.length = offsetof(stroke_msg_t, buffer); - msg.rekey.name = push_string(&msg, name); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_REKEY); + push_string(&msg, rekey.name, name); + return send_stroke_msg(msg); } static int route_connection(char *name) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_ROUTE; - msg.length = offsetof(stroke_msg_t, buffer); - msg.route.name = push_string(&msg, name); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_ROUTE); + push_string(&msg, route.name, name); + return send_stroke_msg(msg); } static int unroute_connection(char *name) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_UNROUTE; - msg.length = offsetof(stroke_msg_t, buffer); - msg.unroute.name = push_string(&msg, name); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_UNROUTE); + push_string(&msg, unroute.name, name); + return send_stroke_msg(msg); } static int show_status(stroke_keyword_t kw, char *connection) { - stroke_msg_t msg; + stroke_msg_t *msg; switch (kw) { case STROKE_STATUSALL: - msg.type = STR_STATUS_ALL; + msg = create_stroke_msg(STR_STATUS_ALL); break; case STROKE_STATUSALL_NOBLK: - msg.type = STR_STATUS_ALL_NOBLK; + msg = create_stroke_msg(STR_STATUS_ALL_NOBLK); break; default: - msg.type = STR_STATUS; + msg = create_stroke_msg(STR_STATUS); break; } - msg.length = offsetof(stroke_msg_t, buffer); - msg.status.name = push_string(&msg, connection); - return send_stroke_msg(&msg); + push_string(&msg, status.name, connection); + return send_stroke_msg(msg); } static int list_flags[] = { @@ -257,13 +280,12 @@ static int list_flags[] = { static int list(stroke_keyword_t kw, int utc) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_LIST; - msg.length = offsetof(stroke_msg_t, buffer); - msg.list.utc = utc; - msg.list.flags = list_flags[kw - STROKE_LIST_FIRST]; - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_LIST); + msg->list.utc = utc; + msg->list.flags = list_flags[kw - STROKE_LIST_FIRST]; + return send_stroke_msg(msg); } static int reread_flags[] = { @@ -278,12 +300,11 @@ static int reread_flags[] = { static int reread(stroke_keyword_t kw) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_REREAD; - msg.length = offsetof(stroke_msg_t, buffer); - msg.reread.flags = reread_flags[kw - STROKE_REREAD_FIRST]; - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_REREAD); + msg->reread.flags = reread_flags[kw - STROKE_REREAD_FIRST]; + return send_stroke_msg(msg); } static int purge_flags[] = { @@ -295,12 +316,11 @@ static int purge_flags[] = { static int purge(stroke_keyword_t kw) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_PURGE; - msg.length = offsetof(stroke_msg_t, buffer); - msg.purge.flags = purge_flags[kw - STROKE_PURGE_FIRST]; - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_PURGE); + msg->purge.flags = purge_flags[kw - STROKE_PURGE_FIRST]; + return send_stroke_msg(msg); } static int export_flags[] = { @@ -311,68 +331,61 @@ static int export_flags[] = { static int export(stroke_keyword_t kw, char *selector) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_EXPORT; - msg.length = offsetof(stroke_msg_t, buffer); - msg.export.selector = push_string(&msg, selector); - msg.export.flags = export_flags[kw - STROKE_EXPORT_FIRST]; - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_EXPORT); + push_string(&msg, export.selector, selector); + msg->export.flags = export_flags[kw - STROKE_EXPORT_FIRST]; + return send_stroke_msg(msg); } static int leases(stroke_keyword_t kw, char *pool, char *address) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_LEASES; - msg.length = offsetof(stroke_msg_t, buffer); - msg.leases.pool = push_string(&msg, pool); - msg.leases.address = push_string(&msg, address); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_LEASES); + push_string(&msg, leases.pool, pool); + push_string(&msg, leases.address, address); + return send_stroke_msg(msg); } static int memusage() { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_MEMUSAGE; - msg.length = offsetof(stroke_msg_t, buffer); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_MEMUSAGE); + return send_stroke_msg(msg); } static int user_credentials(char *name, char *user, char *pass) { - stroke_msg_t msg; - - msg.type = STR_USER_CREDS; - msg.length = offsetof(stroke_msg_t, buffer); - msg.user_creds.name = push_string(&msg, name); - msg.user_creds.username = push_string(&msg, user); - msg.user_creds.password = push_string(&msg, pass); - return send_stroke_msg(&msg); + stroke_msg_t *msg; + + msg = create_stroke_msg(STR_USER_CREDS); + push_string(&msg, user_creds.name, name); + push_string(&msg, user_creds.username, user); + push_string(&msg, user_creds.password, pass); + return send_stroke_msg(msg); } static int counters(int reset, char *name) { - stroke_msg_t msg; - - msg.type = STR_COUNTERS; - msg.length = offsetof(stroke_msg_t, buffer); - msg.counters.name = push_string(&msg, name); - msg.counters.reset = reset; + stroke_msg_t *msg; - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_COUNTERS); + push_string(&msg, counters.name, name); + msg->counters.reset = reset; + return send_stroke_msg(msg); } static int set_loglevel(char *type, u_int level) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_LOGLEVEL; - msg.length = offsetof(stroke_msg_t, buffer); - msg.loglevel.type = push_string(&msg, type); - msg.loglevel.level = level; - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_LOGLEVEL); + push_string(&msg, loglevel.type, type); + msg->loglevel.level = level; + return send_stroke_msg(msg); } static int usage(char *error) diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index c2b923f6d..17f8a4326 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -1,11 +1,5 @@ -/** - * @file stroke_msg.h - * - * @brief Definition of stroke_msg_t. - * - */ - /* + * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2006 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -32,7 +26,10 @@ */ #define STROKE_SOCKET IPSEC_PIDDIR "/charon.ctl" -#define STROKE_BUF_LEN 4096 +/** + * Number of bytes by which the buffer is increased as needed + */ +#define STROKE_BUF_LEN_INC 1024 typedef enum list_flag_t list_flag_t; @@ -371,7 +368,10 @@ struct stroke_msg_t { char *name; } counters; }; - char buffer[STROKE_BUF_LEN]; + /* length of the string buffer */ + u_int16_t buflen; + /* string buffer */ + char buffer[]; }; #endif /* STROKE_MSG_H_ */ diff --git a/src/swanctl/command.c b/src/swanctl/command.c index 1c079ec3a..03cd8b959 100644 --- a/src/swanctl/command.c +++ b/src/swanctl/command.c @@ -124,17 +124,8 @@ int command_getopt(char **arg) switch (op) { case '+': - if (!options->from(options, optarg, &argc, &argv, optind)) - { - /* a error value */ - return 255; - } - continue; case 'v': - dbg_default_set_level(atoi(optarg)); - continue; case 'u': - uri = optarg; continue; default: *arg = optarg; @@ -256,6 +247,37 @@ static void cleanup() options->destroy(options); } +/** + * Process options common for all commands + */ +static bool process_common_opts() +{ + while (TRUE) + { + switch (getopt_long(argc, argv, command_optstring, command_opts, NULL)) + { + case '+': + if (!options->from(options, optarg, &argc, &argv, optind)) + { + return FALSE; + } + continue; + case 'v': + dbg_default_set_level(atoi(optarg)); + continue; + case 'u': + uri = optarg; + continue; + default: + continue; + case '?': + return FALSE; + case EOF: + return TRUE; + } + } +} + /** * Open vici connection, call a command */ @@ -303,6 +325,11 @@ int command_dispatch(int c, char *v[]) { return command_usage(NULL); } + if (!process_common_opts()) + { + return command_usage("invalid options"); + } + optind = 2; return call_command(&cmds[i]); } } diff --git a/src/swanctl/command.h b/src/swanctl/command.h index 2d78a24da..ffc319085 100644 --- a/src/swanctl/command.h +++ b/src/swanctl/command.h @@ -27,7 +27,7 @@ /** * Maximum number of commands (+1). */ -#define MAX_COMMANDS 18 +#define MAX_COMMANDS 19 /** * Maximum number of options in a command (+3) diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c index 81e1b7cca..1aca6d212 100644 --- a/src/swanctl/commands/list_sas.c +++ b/src/swanctl/commands/list_sas.c @@ -13,6 +13,28 @@ * for more details. */ +/* + * Copyright (C) 2014 Timo Teräs + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + #define _GNU_SOURCE #include #include @@ -126,7 +148,7 @@ CALLBACK(child_sas, int, } printf("\n"); - printf(" installed %s ago", child->get(child, "install-time")); + printf(" installed %ss ago", child->get(child, "install-time")); if (child->get(child, "rekey-time")) { printf(", rekeying in %ss", child->get(child, "rekey-time")); @@ -262,9 +284,12 @@ CALLBACK(ike_sas, int, CALLBACK(list_cb, void, command_format_options_t *format, char *name, vici_res_t *res) { + char buf[256]; + if (*format & COMMAND_FORMAT_RAW) { - vici_dump(res, "list-sa event", *format & COMMAND_FORMAT_PRETTY, + snprintf(buf, sizeof(buf), "%s event", name); + vici_dump(res, buf, *format & COMMAND_FORMAT_PRETTY, stdout); } else @@ -348,6 +373,50 @@ static int list_sas(vici_conn_t *conn) return 0; } +static int monitor_sas(vici_conn_t *conn) +{ + command_format_options_t format = COMMAND_FORMAT_NONE; + char *arg; + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + return command_usage(NULL); + case 'P': + format |= COMMAND_FORMAT_PRETTY; + /* fall through to raw */ + case 'r': + format |= COMMAND_FORMAT_RAW; + continue; + case EOF: + break; + default: + return command_usage("invalid --monitor-sa option"); + } + break; + } + if (vici_register(conn, "ike-updown", list_cb, &format) != 0) + { + fprintf(stderr, "registering for IKE_SAs failed: %s\n", + strerror(errno)); + return errno; + } + if (vici_register(conn, "child-updown", list_cb, &format) != 0) + { + fprintf(stderr, "registering for CHILD_SAs failed: %s\n", + strerror(errno)); + return errno; + } + + wait_sigint(); + + fprintf(stderr, "disconnecting...\n"); + + return 0; +} + /** * Register the command. */ @@ -366,3 +435,16 @@ static void __attribute__ ((constructor))reg() } }); } + +static void __attribute__ ((constructor))reg_monitor_sa() +{ + command_register((command_t) { + monitor_sas, 'm', "monitor-sa", "monitor for IKE_SA and CHILD_SA changes", + {"[--raw|--pretty]"}, + { + {"help", 'h', 0, "show usage information"}, + {"raw", 'r', 0, "dump raw response message"}, + {"pretty", 'P', 0, "dump raw response message in pretty print"}, + } + }); +} diff --git a/testing/config/kernel/config-4.0 b/testing/config/kernel/config-4.0 new file mode 100644 index 000000000..33771a260 --- /dev/null +++ b/testing/config/kernel/config-4.0 @@ -0,0 +1,2202 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 4.0.0 Kernel Configuration +# +CONFIG_64BIT=y +CONFIG_X86_64=y +CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_HAVE_LATENCYTOP_SUPPORT=y +CONFIG_MMU=y +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_GENERIC_HWEIGHT=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_RWSEM_XCHGADD_ALGORITHM=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ZONE_DMA32=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11" +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_EXTABLE_SORT=y + +# +# General setup +# +CONFIG_BROKEN_ON_SMP=y +CONFIG_INIT_ENV_ARG_LIMIT=32 +CONFIG_CROSS_COMPILE="" +# CONFIG_COMPILE_TEST is not set +CONFIG_LOCALVERSION="" +CONFIG_LOCALVERSION_AUTO=y +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +# CONFIG_KERNEL_XZ is not set +# CONFIG_KERNEL_LZO is not set +# CONFIG_KERNEL_LZ4 is not set +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SWAP=y +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +CONFIG_CROSS_MEMORY_ATTACH=y +# CONFIG_FHANDLE is not set +CONFIG_USELIB=y +# CONFIG_AUDIT is not set +CONFIG_HAVE_ARCH_AUDITSYSCALL=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_GENERIC_IRQ_LEGACY_ALLOC_HWIRQ=y +CONFIG_IRQ_DOMAIN=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_ARCH_CLOCKSOURCE_DATA=y +CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BUILD=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y + +# +# CPU/Task time and stats accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +# CONFIG_IRQ_TIME_ACCOUNTING is not set +CONFIG_BSD_PROCESS_ACCT=y +# CONFIG_BSD_PROCESS_ACCT_V3 is not set +# CONFIG_TASKSTATS is not set + +# +# RCU Subsystem +# +CONFIG_TINY_RCU=y +CONFIG_SRCU=y +# CONFIG_TASKS_RCU is not set +# CONFIG_RCU_STALL_COMMON is not set +# CONFIG_TREE_RCU_TRACE is not set +CONFIG_RCU_KTHREAD_PRIO=0 +CONFIG_BUILD_BIN2C=y +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_LOG_BUF_SHIFT=14 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_SUPPORTS_INT128=y +# CONFIG_CGROUPS is not set +# CONFIG_CHECKPOINT_RESTORE is not set +CONFIG_NAMESPACES=y +# CONFIG_UTS_NS is not set +# CONFIG_IPC_NS is not set +# CONFIG_USER_NS is not set +# CONFIG_PID_NS is not set +# CONFIG_NET_NS is not set +# CONFIG_SCHED_AUTOGROUP is not set +# CONFIG_SYSFS_DEPRECATED is not set +# CONFIG_RELAY is not set +# CONFIG_BLK_DEV_INITRD is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +CONFIG_SYSCTL=y +CONFIG_ANON_INODES=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +CONFIG_BPF=y +# CONFIG_EXPERT is not set +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +# CONFIG_SYSCTL_SYSCALL is not set +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_ALL is not set +CONFIG_PRINTK=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +# CONFIG_BPF_SYSCALL is not set +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_ADVISE_SYSCALLS=y +CONFIG_PCI_QUIRKS=y +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_VM_EVENT_COUNTERS=y +CONFIG_COMPAT_BRK=y +CONFIG_SLAB=y +# CONFIG_SLUB is not set +# CONFIG_PROFILING is not set +CONFIG_HAVE_OPROFILE=y +CONFIG_OPROFILE_NMI_TIMER=y +# CONFIG_JUMP_LABEL is not set +# CONFIG_UPROBES is not set +# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_ATTRS=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_DMA_API_DEBUG=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_PERF_REGS=y +CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP_FILTER=y +CONFIG_HAVE_CC_STACKPROTECTOR=y +CONFIG_CC_STACKPROTECTOR=y +# CONFIG_CC_STACKPROTECTOR_NONE is not set +CONFIG_CC_STACKPROTECTOR_REGULAR=y +# CONFIG_CC_STACKPROTECTOR_STRONG is not set +CONFIG_HAVE_CONTEXT_TRACKING=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y + +# +# GCOV-based kernel profiling +# +CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y +# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set +CONFIG_SLABINFO=y +CONFIG_RT_MUTEXES=y +CONFIG_BASE_SMALL=0 +# CONFIG_MODULES is not set +CONFIG_BLOCK=y +# CONFIG_BLK_DEV_BSG is not set +# CONFIG_BLK_DEV_BSGLIB is not set +# CONFIG_BLK_DEV_INTEGRITY is not set +# CONFIG_BLK_CMDLINE_PARSER is not set + +# +# Partition Types +# +# CONFIG_PARTITION_ADVANCED is not set +CONFIG_MSDOS_PARTITION=y +CONFIG_EFI_PARTITION=y + +# +# IO Schedulers +# +CONFIG_IOSCHED_NOOP=y +CONFIG_IOSCHED_DEADLINE=y +CONFIG_IOSCHED_CFQ=y +# CONFIG_DEFAULT_DEADLINE is not set +CONFIG_DEFAULT_CFQ=y +# CONFIG_DEFAULT_NOOP is not set +CONFIG_DEFAULT_IOSCHED="cfq" +CONFIG_INLINE_SPIN_UNLOCK_IRQ=y +CONFIG_INLINE_READ_UNLOCK=y +CONFIG_INLINE_READ_UNLOCK_IRQ=y +CONFIG_INLINE_WRITE_UNLOCK=y +CONFIG_INLINE_WRITE_UNLOCK_IRQ=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_ARCH_USE_QUEUE_RWLOCK=y +CONFIG_FREEZER=y + +# +# Processor type and features +# +CONFIG_ZONE_DMA=y +# CONFIG_SMP is not set +CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_MPPARSE=y +CONFIG_X86_EXTENDED_PLATFORM=y +# CONFIG_X86_GOLDFISH is not set +# CONFIG_X86_INTEL_LPSS is not set +# CONFIG_X86_AMD_PLATFORM_DEVICE is not set +CONFIG_IOSF_MBI=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +# CONFIG_HYPERVISOR_GUEST is not set +CONFIG_NO_BOOTMEM=y +# CONFIG_MEMTEST is not set +# CONFIG_MK8 is not set +# CONFIG_MPSC is not set +CONFIG_MCORE2=y +# CONFIG_MATOM is not set +# CONFIG_GENERIC_CPU is not set +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_INTEL_USERCOPY=y +CONFIG_X86_USE_PPRO_CHECKSUM=y +CONFIG_X86_P6_NOP=y +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_HPET_TIMER=y +CONFIG_DMI=y +CONFIG_GART_IOMMU=y +# CONFIG_CALGARY_IOMMU is not set +CONFIG_SWIOTLB=y +CONFIG_IOMMU_HELPER=y +CONFIG_NR_CPUS=1 +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set +CONFIG_UP_LATE_INIT=y +CONFIG_X86_UP_APIC_MSI=y +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set +# CONFIG_X86_MCE is not set +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y +CONFIG_X86_VSYSCALL_EMULATION=y +# CONFIG_I8K is not set +# CONFIG_MICROCODE is not set +# CONFIG_MICROCODE_INTEL_EARLY is not set +# CONFIG_MICROCODE_AMD_EARLY is not set +# CONFIG_X86_MSR is not set +# CONFIG_X86_CPUID is not set +CONFIG_ARCH_PHYS_ADDR_T_64BIT=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_DIRECT_GBPAGES=y +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_ARCH_PROC_KCORE_TEXT=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +CONFIG_SELECT_MEMORY_MODEL=y +CONFIG_SPARSEMEM_MANUAL=y +CONFIG_SPARSEMEM=y +CONFIG_HAVE_MEMORY_PRESENT=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_HAVE_MEMBLOCK=y +CONFIG_HAVE_MEMBLOCK_NODE_MAP=y +CONFIG_ARCH_DISCARD_MEMBLOCK=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_PAGEFLAGS_EXTENDED=y +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y +CONFIG_MEMORY_BALLOON=y +# CONFIG_COMPACTION is not set +CONFIG_MIGRATION=y +CONFIG_PHYS_ADDR_T_64BIT=y +CONFIG_ZONE_DMA_FLAG=1 +CONFIG_BOUNCE=y +CONFIG_VIRT_TO_BUS=y +# CONFIG_KSM is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_NEED_PER_CPU_KM=y +# CONFIG_CLEANCACHE is not set +# CONFIG_FRONTSWAP is not set +# CONFIG_CMA is not set +# CONFIG_ZPOOL is not set +# CONFIG_ZBUD is not set +# CONFIG_ZSMALLOC is not set +CONFIG_GENERIC_EARLY_IOREMAP=y +# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set +CONFIG_X86_RESERVE_LOW=64 +CONFIG_MTRR=y +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_ARCH_RANDOM=y +CONFIG_X86_SMAP=y +# CONFIG_X86_INTEL_MPX is not set +# CONFIG_EFI is not set +CONFIG_SECCOMP=y +# CONFIG_HZ_100 is not set +CONFIG_HZ_250=y +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=250 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC is not set +# CONFIG_CRASH_DUMP is not set +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +# CONFIG_RANDOMIZE_BASE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +# CONFIG_CMDLINE_BOOL is not set +CONFIG_HAVE_LIVEPATCH=y +CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y + +# +# Power management and ACPI options +# +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +# CONFIG_HIBERNATION is not set +CONFIG_PM_SLEEP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SLEEP=y +# CONFIG_ACPI_PROCFS_POWER is not set +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_PROCESSOR=y +# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_THERMAL=y +# CONFIG_ACPI_CUSTOM_DSDT is not set +# CONFIG_ACPI_DEBUG is not set +# CONFIG_ACPI_PCI_SLOT is not set +CONFIG_X86_PM_TIMER=y +# CONFIG_ACPI_CONTAINER is not set +# CONFIG_ACPI_HOTPLUG_MEMORY is not set +CONFIG_ACPI_HOTPLUG_IOAPIC=y +# CONFIG_ACPI_SBS is not set +# CONFIG_ACPI_HED is not set +# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +# CONFIG_ACPI_APEI is not set +# CONFIG_PMIC_OPREGION is not set +# CONFIG_SFI is not set + +# +# CPU Frequency scaling +# +# CONFIG_CPU_FREQ is not set + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set +# CONFIG_INTEL_IDLE is not set + +# +# Memory power savings +# +# CONFIG_I7300_IDLE is not set + +# +# Bus options (PCI etc.) +# +CONFIG_PCI=y +CONFIG_PCI_DIRECT=y +# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_DOMAINS=y +# CONFIG_PCIEPORTBUS is not set +CONFIG_PCI_MSI=y +# CONFIG_PCI_DEBUG is not set +# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +# CONFIG_PCI_STUB is not set +CONFIG_HT_IRQ=y +# CONFIG_PCI_IOV is not set +# CONFIG_PCI_PRI is not set +# CONFIG_PCI_PASID is not set +CONFIG_PCI_LABEL=y + +# +# PCI host controller drivers +# +CONFIG_ISA_DMA_API=y +CONFIG_AMD_NB=y +# CONFIG_PCCARD is not set +# CONFIG_HOTPLUG_PCI is not set +# CONFIG_RAPIDIO is not set +# CONFIG_X86_SYSFB is not set + +# +# Executable file formats / Emulations +# +CONFIG_BINFMT_ELF=y +CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y +# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set +CONFIG_BINFMT_SCRIPT=y +# CONFIG_HAVE_AOUT is not set +# CONFIG_BINFMT_MISC is not set +CONFIG_COREDUMP=y +# CONFIG_IA32_EMULATION is not set +CONFIG_X86_DEV_DMA_OPS=y +CONFIG_PMC_ATOM=y +CONFIG_NET=y + +# +# Networking options +# +CONFIG_PACKET=y +# CONFIG_PACKET_DIAG is not set +CONFIG_UNIX=y +# CONFIG_UNIX_DIAG is not set +CONFIG_XFRM=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_USER=y +CONFIG_XFRM_SUB_POLICY=y +CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_STATISTICS=y +CONFIG_XFRM_IPCOMP=y +CONFIG_NET_KEY=y +CONFIG_NET_KEY_MIGRATE=y +CONFIG_INET=y +# CONFIG_IP_MULTICAST is not set +CONFIG_IP_ADVANCED_ROUTER=y +# CONFIG_IP_FIB_TRIE_STATS is not set +CONFIG_IP_MULTIPLE_TABLES=y +# CONFIG_IP_ROUTE_MULTIPATH is not set +# CONFIG_IP_ROUTE_VERBOSE is not set +CONFIG_IP_ROUTE_CLASSID=y +# CONFIG_IP_PNP is not set +# CONFIG_NET_IPIP is not set +# CONFIG_NET_IPGRE_DEMUX is not set +CONFIG_NET_IP_TUNNEL=y +# CONFIG_SYN_COOKIES is not set +# CONFIG_NET_IPVTI is not set +CONFIG_NET_UDP_TUNNEL=y +# CONFIG_NET_FOU is not set +# CONFIG_GENEVE is not set +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +CONFIG_INET_IPCOMP=y +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET_TUNNEL=y +CONFIG_INET_XFRM_MODE_TRANSPORT=y +CONFIG_INET_XFRM_MODE_TUNNEL=y +CONFIG_INET_XFRM_MODE_BEET=y +# CONFIG_INET_LRO is not set +CONFIG_INET_DIAG=y +CONFIG_INET_TCP_DIAG=y +# CONFIG_INET_UDP_DIAG is not set +# CONFIG_TCP_CONG_ADVANCED is not set +CONFIG_TCP_CONG_CUBIC=y +CONFIG_DEFAULT_TCP_CONG="cubic" +# CONFIG_TCP_MD5SIG is not set +CONFIG_IPV6=y +# CONFIG_IPV6_ROUTER_PREF is not set +CONFIG_IPV6_OPTIMISTIC_DAD=y +CONFIG_INET6_AH=y +CONFIG_INET6_ESP=y +CONFIG_INET6_IPCOMP=y +CONFIG_IPV6_MIP6=y +CONFIG_INET6_XFRM_TUNNEL=y +CONFIG_INET6_TUNNEL=y +CONFIG_INET6_XFRM_MODE_TRANSPORT=y +CONFIG_INET6_XFRM_MODE_TUNNEL=y +CONFIG_INET6_XFRM_MODE_BEET=y +# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set +# CONFIG_IPV6_VTI is not set +# CONFIG_IPV6_SIT is not set +CONFIG_IPV6_TUNNEL=y +CONFIG_IPV6_GRE=y +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_SUBTREES=y +# CONFIG_IPV6_MROUTE is not set +# CONFIG_NETWORK_SECMARK is not set +# CONFIG_NET_PTP_CLASSIFY is not set +# CONFIG_NETWORK_PHY_TIMESTAMPING is not set +CONFIG_NETFILTER=y +# CONFIG_NETFILTER_DEBUG is not set +CONFIG_NETFILTER_ADVANCED=y + +# +# Core Netfilter Configuration +# +CONFIG_NETFILTER_NETLINK=y +# CONFIG_NETFILTER_NETLINK_ACCT is not set +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK_LOG=y +CONFIG_NF_CONNTRACK=y +CONFIG_NF_LOG_COMMON=y +CONFIG_NF_CONNTRACK_MARK=y +# CONFIG_NF_CONNTRACK_ZONES is not set +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_EVENTS=y +# CONFIG_NF_CONNTRACK_TIMEOUT is not set +# CONFIG_NF_CONNTRACK_TIMESTAMP is not set +# CONFIG_NF_CT_PROTO_DCCP is not set +# CONFIG_NF_CT_PROTO_SCTP is not set +CONFIG_NF_CT_PROTO_UDPLITE=y +# CONFIG_NF_CONNTRACK_AMANDA is not set +# CONFIG_NF_CONNTRACK_FTP is not set +# CONFIG_NF_CONNTRACK_H323 is not set +# CONFIG_NF_CONNTRACK_IRC is not set +# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set +# CONFIG_NF_CONNTRACK_SNMP is not set +# CONFIG_NF_CONNTRACK_PPTP is not set +CONFIG_NF_CONNTRACK_SANE=y +# CONFIG_NF_CONNTRACK_SIP is not set +# CONFIG_NF_CONNTRACK_TFTP is not set +CONFIG_NF_CT_NETLINK=y +# CONFIG_NF_CT_NETLINK_TIMEOUT is not set +# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set +CONFIG_NF_NAT=y +CONFIG_NF_NAT_NEEDED=y +CONFIG_NF_NAT_PROTO_UDPLITE=y +# CONFIG_NF_NAT_AMANDA is not set +# CONFIG_NF_NAT_FTP is not set +# CONFIG_NF_NAT_IRC is not set +# CONFIG_NF_NAT_SIP is not set +# CONFIG_NF_NAT_TFTP is not set +CONFIG_NF_NAT_REDIRECT=y +# CONFIG_NF_TABLES is not set +CONFIG_NETFILTER_XTABLES=y + +# +# Xtables combined modules +# +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_SET=y + +# +# Xtables targets +# +# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +# CONFIG_NETFILTER_XT_TARGET_HMARK is not set +# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +# CONFIG_NETFILTER_XT_TARGET_TEE is not set +# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set +CONFIG_NETFILTER_XT_TARGET_TRACE=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set + +# +# Xtables matches +# +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +# CONFIG_NETFILTER_XT_MATCH_BPF is not set +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +# CONFIG_NETFILTER_XT_MATCH_CPU is not set +CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y +CONFIG_NETFILTER_XT_MATCH_ESP=y +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set +# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set +# CONFIG_NETFILTER_XT_MATCH_OSF is not set +# CONFIG_NETFILTER_XT_MATCH_OWNER is not set +CONFIG_NETFILTER_XT_MATCH_POLICY=y +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set +CONFIG_NETFILTER_XT_MATCH_REALM=y +# CONFIG_NETFILTER_XT_MATCH_RECENT is not set +CONFIG_NETFILTER_XT_MATCH_SCTP=y +# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +# CONFIG_NETFILTER_XT_MATCH_TIME is not set +CONFIG_NETFILTER_XT_MATCH_U32=y +CONFIG_IP_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_PORT=y +CONFIG_IP_SET_HASH_IP=y +# CONFIG_IP_SET_HASH_IPMARK is not set +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y +# CONFIG_IP_SET_HASH_MAC is not set +# CONFIG_IP_SET_HASH_NETPORTNET is not set +CONFIG_IP_SET_HASH_NET=y +# CONFIG_IP_SET_HASH_NETNET is not set +CONFIG_IP_SET_HASH_NETPORT=y +# CONFIG_IP_SET_HASH_NETIFACE is not set +CONFIG_IP_SET_LIST_SET=y +# CONFIG_IP_VS is not set + +# +# IP: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV4=y +CONFIG_NF_CONNTRACK_IPV4=y +CONFIG_NF_CONNTRACK_PROC_COMPAT=y +# CONFIG_NF_LOG_ARP is not set +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_NAT_IPV4=y +CONFIG_NF_NAT_MASQUERADE_IPV4=y +# CONFIG_NF_NAT_PPTP is not set +# CONFIG_NF_NAT_H323 is not set +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +# CONFIG_IP_NF_MATCH_RPFILTER is not set +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_TARGET_REJECT=y +# CONFIG_IP_NF_TARGET_SYNPROXY is not set +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y +CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_TTL=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y + +# +# IPv6: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV6=y +CONFIG_NF_CONNTRACK_IPV6=y +CONFIG_NF_REJECT_IPV6=y +CONFIG_NF_LOG_IPV6=y +CONFIG_NF_NAT_IPV6=y +CONFIG_NF_NAT_MASQUERADE_IPV6=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MATCH_AH=y +CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +# CONFIG_IP6_NF_MATCH_RPFILTER is not set +CONFIG_IP6_NF_MATCH_RT=y +CONFIG_IP6_NF_TARGET_HL=y +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_TARGET_REJECT=y +# CONFIG_IP6_NF_TARGET_SYNPROXY is not set +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_RAW=y +# CONFIG_IP6_NF_NAT is not set +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set +# CONFIG_RDS is not set +# CONFIG_TIPC is not set +# CONFIG_ATM is not set +CONFIG_L2TP=y +# CONFIG_L2TP_V3 is not set +# CONFIG_BRIDGE is not set +CONFIG_HAVE_NET_DSA=y +# CONFIG_VLAN_8021Q is not set +# CONFIG_DECNET is not set +# CONFIG_LLC2 is not set +# CONFIG_IPX is not set +# CONFIG_ATALK is not set +# CONFIG_X25 is not set +# CONFIG_LAPB is not set +# CONFIG_PHONET is not set +# CONFIG_6LOWPAN is not set +# CONFIG_IEEE802154 is not set +# CONFIG_NET_SCHED is not set +# CONFIG_DCB is not set +# CONFIG_BATMAN_ADV is not set +# CONFIG_OPENVSWITCH is not set +# CONFIG_VSOCKETS is not set +# CONFIG_NETLINK_MMAP is not set +# CONFIG_NETLINK_DIAG is not set +# CONFIG_NET_MPLS_GSO is not set +# CONFIG_HSR is not set +# CONFIG_NET_SWITCHDEV is not set +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_BQL=y + +# +# Network testing +# +# CONFIG_NET_PKTGEN is not set +# CONFIG_HAMRADIO is not set +# CONFIG_CAN is not set +# CONFIG_IRDA is not set +# CONFIG_BT is not set +# CONFIG_AF_RXRPC is not set +CONFIG_FIB_RULES=y +CONFIG_WIRELESS=y +# CONFIG_CFG80211 is not set +# CONFIG_LIB80211 is not set + +# +# CFG80211 needs to be enabled for MAC80211 +# +# CONFIG_WIMAX is not set +# CONFIG_RFKILL is not set +CONFIG_NET_9P=y +CONFIG_NET_9P_VIRTIO=y +# CONFIG_NET_9P_DEBUG is not set +# CONFIG_CAIF is not set +# CONFIG_CEPH_LIB is not set +# CONFIG_NFC is not set +CONFIG_HAVE_BPF_JIT=y + +# +# Device Drivers +# + +# +# Generic Driver Options +# +CONFIG_UEVENT_HELPER=y +CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" +# CONFIG_DEVTMPFS is not set +CONFIG_STANDALONE=y +CONFIG_PREVENT_FIRMWARE_BUILD=y +CONFIG_FW_LOADER=y +CONFIG_FIRMWARE_IN_KERNEL=y +CONFIG_EXTRA_FIRMWARE="" +# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set +CONFIG_ALLOW_DEV_COREDUMP=y +# CONFIG_DEBUG_DRIVER is not set +# CONFIG_DEBUG_DEVRES is not set +# CONFIG_SYS_HYPERVISOR is not set +# CONFIG_GENERIC_CPU_DEVICES is not set +CONFIG_GENERIC_CPU_AUTOPROBE=y +# CONFIG_DMA_SHARED_BUFFER is not set + +# +# Bus devices +# +# CONFIG_CONNECTOR is not set +# CONFIG_MTD is not set +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +# CONFIG_PARPORT is not set +CONFIG_PNP=y +CONFIG_PNP_DEBUG_MESSAGES=y + +# +# Protocols +# +CONFIG_PNPACPI=y +CONFIG_BLK_DEV=y +# CONFIG_BLK_DEV_NULL_BLK is not set +# CONFIG_BLK_DEV_FD is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_BLK_CPQ_CISS_DA is not set +# CONFIG_BLK_DEV_DAC960 is not set +# CONFIG_BLK_DEV_UMEM is not set +# CONFIG_BLK_DEV_COW_COMMON is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +# CONFIG_BLK_DEV_CRYPTOLOOP is not set +# CONFIG_BLK_DEV_DRBD is not set +CONFIG_BLK_DEV_NBD=y +# CONFIG_BLK_DEV_NVME is not set +# CONFIG_BLK_DEV_SKD is not set +# CONFIG_BLK_DEV_SX8 is not set +# CONFIG_BLK_DEV_RAM is not set +# CONFIG_CDROM_PKTCDVD is not set +# CONFIG_ATA_OVER_ETH is not set +CONFIG_VIRTIO_BLK=y +# CONFIG_BLK_DEV_HD is not set +# CONFIG_BLK_DEV_RBD is not set +# CONFIG_BLK_DEV_RSXX is not set + +# +# Misc devices +# +# CONFIG_SENSORS_LIS3LV02D is not set +# CONFIG_DUMMY_IRQ is not set +# CONFIG_IBM_ASM is not set +# CONFIG_PHANTOM is not set +# CONFIG_SGI_IOC4 is not set +# CONFIG_TIFM_CORE is not set +# CONFIG_ENCLOSURE_SERVICES is not set +# CONFIG_HP_ILO is not set +# CONFIG_SRAM is not set +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_93CX6 is not set +# CONFIG_CB710_CORE is not set + +# +# Texas Instruments shared transport line discipline +# + +# +# Altera FPGA firmware download module +# +# CONFIG_VMWARE_VMCI is not set + +# +# Intel MIC Bus Driver +# +# CONFIG_INTEL_MIC_BUS is not set + +# +# Intel MIC Host Driver +# + +# +# Intel MIC Card Driver +# +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_CXL_BASE is not set +CONFIG_HAVE_IDE=y +# CONFIG_IDE is not set + +# +# SCSI device support +# +CONFIG_SCSI_MOD=y +# CONFIG_RAID_ATTRS is not set +# CONFIG_SCSI is not set +# CONFIG_SCSI_DMA is not set +# CONFIG_SCSI_NETLINK is not set +# CONFIG_ATA is not set +# CONFIG_MD is not set +# CONFIG_FUSION is not set + +# +# IEEE 1394 (FireWire) support +# +# CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# CONFIG_MACINTOSH_DRIVERS is not set +CONFIG_NETDEVICES=y +CONFIG_NET_CORE=y +# CONFIG_BONDING is not set +CONFIG_DUMMY=y +# CONFIG_EQUALIZER is not set +# CONFIG_NET_TEAM is not set +# CONFIG_MACVLAN is not set +# CONFIG_IPVLAN is not set +# CONFIG_VXLAN is not set +# CONFIG_NETCONSOLE is not set +# CONFIG_NETPOLL is not set +# CONFIG_NET_POLL_CONTROLLER is not set +CONFIG_TUN=y +# CONFIG_VETH is not set +CONFIG_VIRTIO_NET=y +# CONFIG_NLMON is not set +# CONFIG_ARCNET is not set + +# +# CAIF transport drivers +# +# CONFIG_VHOST_NET is not set + +# +# Distributed Switch Architecture drivers +# +# CONFIG_NET_DSA_MV88E6XXX is not set +# CONFIG_NET_DSA_MV88E6060 is not set +# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set +# CONFIG_NET_DSA_MV88E6131 is not set +# CONFIG_NET_DSA_MV88E6123_61_65 is not set +# CONFIG_NET_DSA_MV88E6171 is not set +# CONFIG_NET_DSA_MV88E6352 is not set +# CONFIG_NET_DSA_BCM_SF2 is not set +CONFIG_ETHERNET=y +CONFIG_NET_VENDOR_3COM=y +# CONFIG_VORTEX is not set +# CONFIG_TYPHOON is not set +CONFIG_NET_VENDOR_ADAPTEC=y +# CONFIG_ADAPTEC_STARFIRE is not set +CONFIG_NET_VENDOR_AGERE=y +# CONFIG_ET131X is not set +CONFIG_NET_VENDOR_ALTEON=y +# CONFIG_ACENIC is not set +# CONFIG_ALTERA_TSE is not set +CONFIG_NET_VENDOR_AMD=y +# CONFIG_AMD8111_ETH is not set +# CONFIG_PCNET32 is not set +# CONFIG_AMD_XGBE is not set +# CONFIG_NET_XGENE is not set +# CONFIG_NET_VENDOR_ARC is not set +CONFIG_NET_VENDOR_ATHEROS=y +# CONFIG_ATL2 is not set +# CONFIG_ATL1 is not set +# CONFIG_ATL1E is not set +# CONFIG_ATL1C is not set +# CONFIG_ALX is not set +CONFIG_NET_VENDOR_BROADCOM=y +# CONFIG_B44 is not set +# CONFIG_BCMGENET is not set +# CONFIG_BNX2 is not set +# CONFIG_CNIC is not set +# CONFIG_TIGON3 is not set +# CONFIG_BNX2X is not set +CONFIG_NET_VENDOR_BROCADE=y +# CONFIG_BNA is not set +CONFIG_NET_VENDOR_CHELSIO=y +# CONFIG_CHELSIO_T1 is not set +# CONFIG_CHELSIO_T3 is not set +# CONFIG_CHELSIO_T4 is not set +# CONFIG_CHELSIO_T4VF is not set +CONFIG_NET_VENDOR_CISCO=y +# CONFIG_ENIC is not set +# CONFIG_CX_ECAT is not set +# CONFIG_DNET is not set +CONFIG_NET_VENDOR_DEC=y +# CONFIG_NET_TULIP is not set +CONFIG_NET_VENDOR_DLINK=y +# CONFIG_DL2K is not set +# CONFIG_SUNDANCE is not set +CONFIG_NET_VENDOR_EMULEX=y +# CONFIG_BE2NET is not set +CONFIG_NET_VENDOR_EXAR=y +# CONFIG_S2IO is not set +# CONFIG_VXGE is not set +CONFIG_NET_VENDOR_HP=y +# CONFIG_HP100 is not set +CONFIG_NET_VENDOR_INTEL=y +# CONFIG_E100 is not set +# CONFIG_E1000 is not set +# CONFIG_E1000E is not set +# CONFIG_IGB is not set +# CONFIG_IGBVF is not set +# CONFIG_IXGB is not set +# CONFIG_IXGBE is not set +# CONFIG_IXGBEVF is not set +# CONFIG_I40E is not set +# CONFIG_I40EVF is not set +# CONFIG_FM10K is not set +CONFIG_NET_VENDOR_I825XX=y +# CONFIG_IP1000 is not set +# CONFIG_JME is not set +CONFIG_NET_VENDOR_MARVELL=y +# CONFIG_MVMDIO is not set +# CONFIG_SKGE is not set +# CONFIG_SKY2 is not set +CONFIG_NET_VENDOR_MELLANOX=y +# CONFIG_MLX4_EN is not set +# CONFIG_MLX4_CORE is not set +# CONFIG_MLX5_CORE is not set +CONFIG_NET_VENDOR_MICREL=y +# CONFIG_KS8851_MLL is not set +# CONFIG_KSZ884X_PCI is not set +CONFIG_NET_VENDOR_MYRI=y +# CONFIG_MYRI10GE is not set +# CONFIG_FEALNX is not set +CONFIG_NET_VENDOR_NATSEMI=y +# CONFIG_NATSEMI is not set +# CONFIG_NS83820 is not set +CONFIG_NET_VENDOR_8390=y +# CONFIG_NE2K_PCI is not set +CONFIG_NET_VENDOR_NVIDIA=y +# CONFIG_FORCEDETH is not set +CONFIG_NET_VENDOR_OKI=y +# CONFIG_ETHOC is not set +CONFIG_NET_PACKET_ENGINE=y +# CONFIG_HAMACHI is not set +# CONFIG_YELLOWFIN is not set +CONFIG_NET_VENDOR_QLOGIC=y +# CONFIG_QLA3XXX is not set +# CONFIG_QLCNIC is not set +# CONFIG_QLGE is not set +# CONFIG_NETXEN_NIC is not set +CONFIG_NET_VENDOR_QUALCOMM=y +CONFIG_NET_VENDOR_REALTEK=y +# CONFIG_8139CP is not set +# CONFIG_8139TOO is not set +# CONFIG_R8169 is not set +CONFIG_NET_VENDOR_RDC=y +# CONFIG_R6040 is not set +CONFIG_NET_VENDOR_ROCKER=y +CONFIG_NET_VENDOR_SAMSUNG=y +# CONFIG_SXGBE_ETH is not set +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SILAN=y +# CONFIG_SC92031 is not set +CONFIG_NET_VENDOR_SIS=y +# CONFIG_SIS900 is not set +# CONFIG_SIS190 is not set +# CONFIG_SFC is not set +CONFIG_NET_VENDOR_SMSC=y +# CONFIG_EPIC100 is not set +# CONFIG_SMSC911X is not set +# CONFIG_SMSC9420 is not set +CONFIG_NET_VENDOR_STMICRO=y +# CONFIG_STMMAC_ETH is not set +CONFIG_NET_VENDOR_SUN=y +# CONFIG_HAPPYMEAL is not set +# CONFIG_SUNGEM is not set +# CONFIG_CASSINI is not set +# CONFIG_NIU is not set +CONFIG_NET_VENDOR_TEHUTI=y +# CONFIG_TEHUTI is not set +CONFIG_NET_VENDOR_TI=y +# CONFIG_TI_CPSW_ALE is not set +# CONFIG_TLAN is not set +CONFIG_NET_VENDOR_VIA=y +# CONFIG_VIA_RHINE is not set +# CONFIG_VIA_VELOCITY is not set +CONFIG_NET_VENDOR_WIZNET=y +# CONFIG_WIZNET_W5100 is not set +# CONFIG_WIZNET_W5300 is not set +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# CONFIG_NET_SB1000 is not set +# CONFIG_PHYLIB is not set +# CONFIG_PPP is not set +# CONFIG_SLIP is not set + +# +# Host-side USB support is needed for USB Network Adapter support +# +CONFIG_WLAN=y +# CONFIG_PRISM54 is not set +# CONFIG_HOSTAP is not set +# CONFIG_WL_TI is not set + +# +# Enable WiMAX (Networking options) to see the WiMAX drivers +# +# CONFIG_WAN is not set +# CONFIG_VMXNET3 is not set +# CONFIG_ISDN is not set + +# +# Input device support +# +CONFIG_INPUT=y +# CONFIG_INPUT_FF_MEMLESS is not set +# CONFIG_INPUT_POLLDEV is not set +# CONFIG_INPUT_SPARSEKMAP is not set +# CONFIG_INPUT_MATRIXKMAP is not set + +# +# Userland interfaces +# +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +# CONFIG_INPUT_JOYDEV is not set +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +CONFIG_KEYBOARD_ATKBD=y +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_XTKBD is not set +CONFIG_INPUT_MOUSE=y +CONFIG_MOUSE_PS2=y +CONFIG_MOUSE_PS2_ALPS=y +CONFIG_MOUSE_PS2_LOGIPS2PP=y +CONFIG_MOUSE_PS2_SYNAPTICS=y +CONFIG_MOUSE_PS2_CYPRESS=y +CONFIG_MOUSE_PS2_LIFEBOOK=y +CONFIG_MOUSE_PS2_TRACKPOINT=y +# CONFIG_MOUSE_PS2_ELANTECH is not set +# CONFIG_MOUSE_PS2_SENTELIC is not set +# CONFIG_MOUSE_PS2_TOUCHKIT is not set +CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_SERIAL is not set +# CONFIG_MOUSE_APPLETOUCH is not set +# CONFIG_MOUSE_BCM5974 is not set +# CONFIG_MOUSE_VSXXXAA is not set +# CONFIG_MOUSE_SYNAPTICS_USB is not set +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +# CONFIG_INPUT_MISC is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_SERPORT=y +# CONFIG_SERIO_CT82C710 is not set +# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_LIBPS2=y +# CONFIG_SERIO_RAW is not set +# CONFIG_SERIO_ALTERA_PS2 is not set +# CONFIG_SERIO_PS2MULT is not set +# CONFIG_SERIO_ARC_PS2 is not set +# CONFIG_GAMEPORT is not set + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_HW_CONSOLE=y +# CONFIG_VT_HW_CONSOLE_BINDING is not set +CONFIG_UNIX98_PTYS=y +# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set +CONFIG_LEGACY_PTYS=y +CONFIG_LEGACY_PTY_COUNT=256 +# CONFIG_SERIAL_NONSTANDARD is not set +# CONFIG_NOZOMI is not set +# CONFIG_N_GSM is not set +# CONFIG_TRACE_SINK is not set +CONFIG_DEVMEM=y +CONFIG_DEVKMEM=y + +# +# Serial drivers +# +# CONFIG_SERIAL_8250 is not set + +# +# Non-8250 serial port support +# +# CONFIG_SERIAL_MFD_HSU is not set +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +CONFIG_HVC_DRIVER=y +CONFIG_VIRTIO_CONSOLE=y +# CONFIG_IPMI_HANDLER is not set +# CONFIG_HW_RANDOM is not set +# CONFIG_NVRAM is not set +# CONFIG_R3964 is not set +# CONFIG_APPLICOM is not set +# CONFIG_MWAVE is not set +# CONFIG_RAW_DRIVER is not set +# CONFIG_HPET is not set +# CONFIG_HANGCHECK_TIMER is not set +# CONFIG_TCG_TPM is not set +# CONFIG_TELCLOCK is not set +CONFIG_DEVPORT=y +# CONFIG_XILLYBUS is not set + +# +# I2C support +# +# CONFIG_I2C is not set +# CONFIG_SPI is not set +# CONFIG_SPMI is not set +# CONFIG_HSI is not set + +# +# PPS support +# +# CONFIG_PPS is not set + +# +# PPS generators support +# + +# +# PTP clock support +# +# CONFIG_PTP_1588_CLOCK is not set + +# +# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. +# +CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y +# CONFIG_GPIOLIB is not set +# CONFIG_W1 is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_BQ27x00 is not set +# CONFIG_CHARGER_MAX8903 is not set +# CONFIG_POWER_RESET is not set +# CONFIG_POWER_AVS is not set +CONFIG_HWMON=y +# CONFIG_HWMON_VID is not set +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NTC_THERMISTOR is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_SIS5595 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_SCH56XX_COMMON is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set +CONFIG_THERMAL=y +CONFIG_THERMAL_HWMON=y +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +# CONFIG_THERMAL_GOV_USER_SPACE is not set +# CONFIG_THERMAL_EMULATION is not set +# CONFIG_INTEL_POWERCLAMP is not set +# CONFIG_INTEL_SOC_DTS_THERMAL is not set +# CONFIG_INT340X_THERMAL is not set + +# +# Texas Instruments thermal drivers +# +# CONFIG_WATCHDOG is not set +CONFIG_SSB_POSSIBLE=y + +# +# Sonics Silicon Backplane +# +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y + +# +# Broadcom specific AMBA +# +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +# CONFIG_MFD_CORE is not set +# CONFIG_MFD_CROS_EC is not set +# CONFIG_HTC_PASIC3 is not set +# CONFIG_LPC_ICH is not set +# CONFIG_LPC_SCH is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_RTSX_PCI is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_ABX500_CORE is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_TMIO is not set +# CONFIG_MFD_VX855 is not set +# CONFIG_REGULATOR is not set +# CONFIG_MEDIA_SUPPORT is not set + +# +# Graphics support +# +# CONFIG_AGP is not set +CONFIG_VGA_ARB=y +CONFIG_VGA_ARB_MAX_GPUS=16 +# CONFIG_VGA_SWITCHEROO is not set + +# +# Direct Rendering Manager +# +# CONFIG_DRM is not set + +# +# Frame buffer Devices +# +# CONFIG_FB is not set +# CONFIG_BACKLIGHT_LCD_SUPPORT is not set +# CONFIG_VGASTATE is not set + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +# CONFIG_VGACON_SOFT_SCROLLBACK is not set +CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +CONFIG_SOUND=y +# CONFIG_SOUND_OSS_CORE is not set +# CONFIG_SND is not set +# CONFIG_SOUND_PRIME is not set + +# +# HID support +# +CONFIG_HID=y +# CONFIG_HID_BATTERY_STRENGTH is not set +# CONFIG_HIDRAW is not set +# CONFIG_UHID is not set +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +CONFIG_HID_A4TECH=y +# CONFIG_HID_ACRUX is not set +CONFIG_HID_APPLE=y +# CONFIG_HID_AUREAL is not set +CONFIG_HID_BELKIN=y +CONFIG_HID_CHERRY=y +CONFIG_HID_CHICONY=y +CONFIG_HID_CYPRESS=y +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELECOM is not set +CONFIG_HID_EZKEY=y +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not set +# CONFIG_HID_UCLOGIC is not set +# CONFIG_HID_WALTOP is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +# CONFIG_HID_TWINHAN is not set +CONFIG_HID_KENSINGTON=y +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LENOVO is not set +CONFIG_HID_LOGITECH=y +# CONFIG_HID_LOGITECH_HIDPP is not set +# CONFIG_LOGITECH_FF is not set +# CONFIG_LOGIRUMBLEPAD2_FF is not set +# CONFIG_LOGIG940_FF is not set +# CONFIG_LOGIWHEELS_FF is not set +# CONFIG_HID_MAGICMOUSE is not set +CONFIG_HID_MICROSOFT=y +CONFIG_HID_MONTEREY=y +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +CONFIG_HID_PLANTRONICS=y +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SAMSUNG is not set +# CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# CONFIG_HID_THRUSTMASTER is not set +# CONFIG_HID_WACOM is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +CONFIG_USB_ARCH_HAS_HCD=y +# CONFIG_USB is not set + +# +# USB port drivers +# + +# +# USB Physical Layer drivers +# +# CONFIG_USB_PHY is not set +# CONFIG_NOP_USB_XCEIV is not set +# CONFIG_USB_GADGET is not set +# CONFIG_UWB is not set +# CONFIG_MMC is not set +# CONFIG_MEMSTICK is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +# CONFIG_EDAC is not set +CONFIG_RTC_LIB=y +# CONFIG_RTC_CLASS is not set +# CONFIG_DMADEVICES is not set +# CONFIG_AUXDISPLAY is not set +# CONFIG_UIO is not set +# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRTIO=y + +# +# Virtio drivers +# +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_BALLOON=y +CONFIG_VIRTIO_MMIO=y +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set + +# +# Microsoft Hyper-V guest support +# +# CONFIG_STAGING is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACERHDF is not set +# CONFIG_ASUS_LAPTOP is not set +# CONFIG_DELL_SMO8800 is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_HP_WIRELESS is not set +# CONFIG_THINKPAD_ACPI is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_ACPI_WMI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_PVPANIC is not set +# CONFIG_CHROME_PLATFORMS is not set + +# +# Hardware Spinlock drivers +# + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# CONFIG_ATMEL_PIT is not set +# CONFIG_SH_TIMER_CMT is not set +# CONFIG_SH_TIMER_MTU2 is not set +# CONFIG_SH_TIMER_TMU is not set +# CONFIG_EM_TIMER_STI is not set +# CONFIG_MAILBOX is not set +CONFIG_IOMMU_SUPPORT=y + +# +# Generic IOMMU Pagetable Support +# +# CONFIG_AMD_IOMMU is not set +# CONFIG_INTEL_IOMMU is not set +# CONFIG_IRQ_REMAP is not set + +# +# Remoteproc drivers +# +# CONFIG_STE_MODEM_RPROC is not set + +# +# Rpmsg drivers +# + +# +# SOC (System On Chip) specific Drivers +# +# CONFIG_SOC_TI is not set +# CONFIG_PM_DEVFREQ is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_VME_BUS is not set +# CONFIG_PWM is not set +# CONFIG_IPACK_BUS is not set +# CONFIG_RESET_CONTROLLER is not set +# CONFIG_FMC is not set + +# +# PHY Subsystem +# +# CONFIG_GENERIC_PHY is not set +# CONFIG_BCM_KONA_USB2_PHY is not set +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set +# CONFIG_THUNDERBOLT is not set + +# +# Android +# +# CONFIG_ANDROID is not set + +# +# Firmware Drivers +# +# CONFIG_EDD is not set +CONFIG_FIRMWARE_MEMMAP=y +# CONFIG_DELL_RBU is not set +# CONFIG_DCDBAS is not set +CONFIG_DMIID=y +# CONFIG_DMI_SYSFS is not set +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +# CONFIG_ISCSI_IBFT_FIND is not set +# CONFIG_GOOGLE_FIRMWARE is not set + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +CONFIG_EXT2_FS=y +# CONFIG_EXT2_FS_XATTR is not set +CONFIG_EXT3_FS=y +# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set +# CONFIG_EXT3_FS_XATTR is not set +# CONFIG_EXT4_FS is not set +CONFIG_JBD=y +CONFIG_REISERFS_FS=y +# CONFIG_REISERFS_CHECK is not set +# CONFIG_REISERFS_PROC_INFO is not set +# CONFIG_REISERFS_FS_XATTR is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_BTRFS_FS is not set +# CONFIG_NILFS2_FS is not set +# CONFIG_FS_DAX is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_FILE_LOCKING=y +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +# CONFIG_FANOTIFY is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_AUTOFS4_FS=y +# CONFIG_FUSE_FS is not set +# CONFIG_OVERLAY_FS is not set + +# +# Caches +# +# CONFIG_FSCACHE is not set + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +# CONFIG_ZISOFS is not set +# CONFIG_UDF_FS is not set + +# +# DOS/FAT/NT Filesystems +# +# CONFIG_MSDOS_FS is not set +# CONFIG_VFAT_FS is not set +# CONFIG_NTFS_FS is not set + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +# CONFIG_TMPFS_XATTR is not set +# CONFIG_HUGETLBFS is not set +# CONFIG_HUGETLB_PAGE is not set +# CONFIG_CONFIGFS_FS is not set +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_LOGFS is not set +# CONFIG_CRAMFS is not set +# CONFIG_SQUASHFS is not set +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +# CONFIG_PSTORE is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +# CONFIG_F2FS_FS is not set +CONFIG_NETWORK_FILESYSTEMS=y +# CONFIG_NFS_FS is not set +# CONFIG_NFSD is not set +# CONFIG_CEPH_FS is not set +# CONFIG_CIFS is not set +# CONFIG_NCP_FS is not set +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=y +CONFIG_9P_FS_POSIX_ACL=y +# CONFIG_9P_FS_SECURITY is not set +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="iso8859-1" +# CONFIG_NLS_CODEPAGE_437 is not set +# CONFIG_NLS_CODEPAGE_737 is not set +# CONFIG_NLS_CODEPAGE_775 is not set +# CONFIG_NLS_CODEPAGE_850 is not set +# CONFIG_NLS_CODEPAGE_852 is not set +# CONFIG_NLS_CODEPAGE_855 is not set +# CONFIG_NLS_CODEPAGE_857 is not set +# CONFIG_NLS_CODEPAGE_860 is not set +# CONFIG_NLS_CODEPAGE_861 is not set +# CONFIG_NLS_CODEPAGE_862 is not set +# CONFIG_NLS_CODEPAGE_863 is not set +# CONFIG_NLS_CODEPAGE_864 is not set +# CONFIG_NLS_CODEPAGE_865 is not set +# CONFIG_NLS_CODEPAGE_866 is not set +# CONFIG_NLS_CODEPAGE_869 is not set +# CONFIG_NLS_CODEPAGE_936 is not set +# CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +# CONFIG_NLS_ASCII is not set +# CONFIG_NLS_ISO8859_1 is not set +# CONFIG_NLS_ISO8859_2 is not set +# CONFIG_NLS_ISO8859_3 is not set +# CONFIG_NLS_ISO8859_4 is not set +# CONFIG_NLS_ISO8859_5 is not set +# CONFIG_NLS_ISO8859_6 is not set +# CONFIG_NLS_ISO8859_7 is not set +# CONFIG_NLS_ISO8859_9 is not set +# CONFIG_NLS_ISO8859_13 is not set +# CONFIG_NLS_ISO8859_14 is not set +# CONFIG_NLS_ISO8859_15 is not set +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +# CONFIG_NLS_UTF8 is not set + +# +# Kernel hacking +# +CONFIG_TRACE_IRQFLAGS_SUPPORT=y + +# +# printk and dmesg options +# +# CONFIG_PRINTK_TIME is not set +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +# CONFIG_DEBUG_INFO_REDUCED is not set +# CONFIG_DEBUG_INFO_SPLIT is not set +# CONFIG_DEBUG_INFO_DWARF4 is not set +# CONFIG_GDB_SCRIPTS is not set +CONFIG_ENABLE_WARN_DEPRECATED=y +CONFIG_ENABLE_MUST_CHECK=y +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM is not set +# CONFIG_UNUSED_SYMBOLS is not set +# CONFIG_PAGE_OWNER is not set +# CONFIG_DEBUG_FS is not set +# CONFIG_HEADERS_CHECK is not set +# CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_ARCH_WANT_FRAME_POINTERS=y +CONFIG_FRAME_POINTER=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# CONFIG_MAGIC_SYSRQ is not set +CONFIG_DEBUG_KERNEL=y + +# +# Memory Debugging +# +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_DEBUG_PAGEALLOC is not set +# CONFIG_DEBUG_OBJECTS is not set +# CONFIG_DEBUG_SLAB is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_DEBUG_VM is not set +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +CONFIG_HAVE_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not set +CONFIG_HAVE_ARCH_KMEMCHECK=y +CONFIG_HAVE_ARCH_KASAN=y +CONFIG_KASAN_SHADOW_OFFSET=0xdffffc0000000000 +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Lockups and Hangs +# +# CONFIG_LOCKUP_DETECTOR is not set +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 +# CONFIG_PANIC_ON_OOPS is not set +CONFIG_PANIC_ON_OOPS_VALUE=0 +CONFIG_PANIC_TIMEOUT=0 +# CONFIG_SCHED_DEBUG is not set +# CONFIG_SCHEDSTATS is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +# CONFIG_TIMER_STATS is not set + +# +# Lock Debugging (spinlocks, mutexes, etc...) +# +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_STACKTRACE is not set +# CONFIG_DEBUG_KOBJECT is not set +CONFIG_DEBUG_BUGVERBOSE=y +# CONFIG_DEBUG_LIST is not set +# CONFIG_DEBUG_PI_LIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_DEBUG_CREDENTIALS is not set + +# +# RCU Debugging +# +# CONFIG_SPARSE_RCU_POINTER is not set +# CONFIG_TORTURE_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +# CONFIG_RCU_TRACE is not set +# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +# CONFIG_FAULT_INJECTION is not set +# CONFIG_LATENCYTOP is not set +CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y +# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_TRACING_SUPPORT=y +CONFIG_FTRACE=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_SCHED_TRACER is not set +# CONFIG_ENABLE_DEFAULT_TRACERS is not set +# CONFIG_FTRACE_SYSCALLS is not set +# CONFIG_TRACER_SNAPSHOT is not set +CONFIG_BRANCH_PROFILE_NONE=y +# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set +# CONFIG_PROFILE_ALL_BRANCHES is not set +# CONFIG_STACK_TRACER is not set +# CONFIG_BLK_DEV_IO_TRACE is not set +# CONFIG_UPROBE_EVENT is not set +# CONFIG_PROBE_EVENTS is not set +# CONFIG_MMIOTRACE is not set +# CONFIG_TRACEPOINT_BENCHMARK is not set + +# +# Runtime Testing +# +# CONFIG_TEST_LIST_SORT is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_RBTREE_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_TEST_HEXDUMP is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_RHASHTABLE is not set +# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set +# CONFIG_DMA_API_DEBUG is not set +# CONFIG_TEST_FIRMWARE is not set +# CONFIG_TEST_UDELAY is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +# CONFIG_STRICT_DEVMEM is not set +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_X86_PTDUMP is not set +CONFIG_DEBUG_RODATA=y +CONFIG_DEBUG_RODATA_TEST=y +CONFIG_DOUBLEFAULT=y +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_DEBUG is not set +# CONFIG_IOMMU_STRESS is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +CONFIG_IO_DELAY_TYPE_0X80=0 +CONFIG_IO_DELAY_TYPE_0XED=1 +CONFIG_IO_DELAY_TYPE_UDELAY=2 +CONFIG_IO_DELAY_TYPE_NONE=3 +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +CONFIG_DEFAULT_IO_DELAY_TYPE=0 +# CONFIG_CPA_DEBUG is not set +# CONFIG_OPTIMIZE_INLINING is not set +# CONFIG_DEBUG_NMI_SELFTEST is not set +# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set + +# +# Security options +# +# CONFIG_KEYS is not set +# CONFIG_SECURITY_DMESG_RESTRICT is not set +# CONFIG_SECURITY is not set +# CONFIG_SECURITYFS is not set +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_DEFAULT_SECURITY="" +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_BLKCIPHER=y +CONFIG_CRYPTO_BLKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_PCOMP=y +CONFIG_CRYPTO_PCOMP2=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_GF128MUL=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_WORKQUEUE=y +CONFIG_CRYPTO_CRYPTD=y +# CONFIG_CRYPTO_MCRYPTD is not set +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_ABLK_HELPER=y +CONFIG_CRYPTO_GLUE_HELPER_X86=y + +# +# Authenticated Encryption with Associated Data +# +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_SEQIV=y + +# +# Block modes +# +CONFIG_CRYPTO_CBC=y +CONFIG_CRYPTO_CTR=y +# CONFIG_CRYPTO_CTS is not set +CONFIG_CRYPTO_ECB=y +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_PCBC=y +CONFIG_CRYPTO_XTS=y + +# +# Hash modes +# +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_XCBC=y +# CONFIG_CRYPTO_VMAC is not set + +# +# Digest +# +CONFIG_CRYPTO_CRC32C=y +# CONFIG_CRYPTO_CRC32C_INTEL is not set +# CONFIG_CRYPTO_CRC32 is not set +# CONFIG_CRYPTO_CRC32_PCLMUL is not set +# CONFIG_CRYPTO_CRCT10DIF is not set +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +CONFIG_CRYPTO_RMD128=y +CONFIG_CRYPTO_RMD160=y +CONFIG_CRYPTO_RMD256=y +CONFIG_CRYPTO_RMD320=y +CONFIG_CRYPTO_SHA1=y +# CONFIG_CRYPTO_SHA1_SSSE3 is not set +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +# CONFIG_CRYPTO_SHA1_MB is not set +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_TGR192=y +CONFIG_CRYPTO_WP512=y +# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set + +# +# Ciphers +# +CONFIG_CRYPTO_AES=y +CONFIG_CRYPTO_AES_X86_64=y +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ANUBIS=y +CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_BLOWFISH=y +CONFIG_CRYPTO_BLOWFISH_COMMON=y +CONFIG_CRYPTO_BLOWFISH_X86_64=y +CONFIG_CRYPTO_CAMELLIA=y +CONFIG_CRYPTO_CAMELLIA_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_CAST_COMMON=y +CONFIG_CRYPTO_CAST5=y +CONFIG_CRYPTO_CAST5_AVX_X86_64=y +CONFIG_CRYPTO_CAST6=y +CONFIG_CRYPTO_CAST6_AVX_X86_64=y +CONFIG_CRYPTO_DES=y +# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set +CONFIG_CRYPTO_FCRYPT=y +CONFIG_CRYPTO_KHAZAD=y +CONFIG_CRYPTO_SALSA20=y +CONFIG_CRYPTO_SALSA20_X86_64=y +CONFIG_CRYPTO_SEED=y +CONFIG_CRYPTO_SERPENT=y +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y +CONFIG_CRYPTO_TEA=y +CONFIG_CRYPTO_TWOFISH=y +CONFIG_CRYPTO_TWOFISH_COMMON=y +CONFIG_CRYPTO_TWOFISH_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_ZLIB=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_LZ4=y +CONFIG_CRYPTO_LZ4HC=y + +# +# Random Number Generation +# +# CONFIG_CRYPTO_ANSI_CPRNG is not set +# CONFIG_CRYPTO_DRBG_MENU is not set +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +# CONFIG_CRYPTO_USER_API_RNG is not set +# CONFIG_CRYPTO_HW is not set +CONFIG_HAVE_KVM=y +CONFIG_VIRTUALIZATION=y +# CONFIG_KVM is not set +# CONFIG_BINARY_PRINTF is not set + +# +# Library routines +# +CONFIG_BITREVERSE=y +# CONFIG_HAVE_ARCH_BITREVERSE is not set +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +CONFIG_GENERIC_FIND_FIRST_BIT=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_GENERIC_IO=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +# CONFIG_CRC_T10DIF is not set +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +CONFIG_CRC7=y +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_COMPRESS=y +CONFIG_LZ4HC_COMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +# CONFIG_XZ_DEC is not set +# CONFIG_XZ_DEC_BCJ is not set +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +CONFIG_DQL=y +CONFIG_NLATTR=y +CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y +CONFIG_AVERAGE=y +# CONFIG_CORDIC is not set +# CONFIG_DDR is not set +CONFIG_ARCH_HAS_SG_CHAIN=y diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt index 25f57370c..13510bac5 100644 --- a/testing/hosts/winnetou/etc/openssl/research/index.txt +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt @@ -3,8 +3,9 @@ R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU= R 120323210330Z 140324140605Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org R 140323203747Z 140324142334Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org R 151103161503Z 141128215838Z,superseded 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA -V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +R 150406092057Z 150426102340Z,superseded 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org V 150702151839Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA V 190323140633Z 08 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org V 190323142352Z 09 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org V 190401220708Z 0A unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA +V 190403102504Z 0B unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old index 3fc101e9e..dc1c912aa 100644 --- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old @@ -3,7 +3,8 @@ R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU= R 120323210330Z 140324140605Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org R 140323203747Z 140324142334Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org R 151103161503Z 141128215838Z,superseded 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA -V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +R 150406092057Z 150426102340Z,superseded 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org V 150702151839Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA V 190323140633Z 08 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org V 190323142352Z 09 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org +V 190401220708Z 0A unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/0B.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/0B.pem new file mode 100644 index 000000000..698e47cc0 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/0B.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw +NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF +sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK +oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L +7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib +tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA +IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd +qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA +TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i +9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI +jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX +sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K +yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3 +mk0VsDm1jdOf3PK1Xd2PJw== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial index eb589e9da..d73cdef37 100644 --- a/testing/hosts/winnetou/etc/openssl/research/serial +++ b/testing/hosts/winnetou/etc/openssl/research/serial @@ -1 +1 @@ -0B +0C diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old index d9bb888f8..eb589e9da 100644 --- a/testing/hosts/winnetou/etc/openssl/research/serial.old +++ b/testing/hosts/winnetou/etc/openssl/research/serial.old @@ -1 +1 @@ -0A +0B diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt index 36b24a619..c4ff334eb 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/index.txt +++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt @@ -2,7 +2,8 @@ R 100322071017Z 100407093948Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU= R 100615195536Z 100703150410Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA R 120323211811Z 140324141327Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org R 140323211053Z 140324141726Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org -V 150406094241Z 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org +R 150406094241Z 150426095935Z,superseded 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org V 150702152829Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 190323141524Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org V 190323152702Z 08 unknown /C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org +V 190403102220Z 09 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old index 1db0072db..46d4c4bbb 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old @@ -2,6 +2,7 @@ R 100322071017Z 100407093948Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU= R 100615195536Z 100703150410Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA R 120323211811Z 140324141327Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org R 140323211053Z 140324141726Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org -V 150406094241Z 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org +R 150406094241Z 150426095935Z,superseded 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org V 150702152829Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 190323141524Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org +V 190323152702Z 08 unknown /C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/09.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/09.pem new file mode 100644 index 000000000..4718e7a16 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/09.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEHDCCAwSgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTE1MDQyNjEwMjIyMFoXDTE5MDQwMzEwMjIyMFowVjEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT +BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPk +UE6ijIn++yyhaZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER +0/APr9KmXfnmFddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN +5GGh1u34R/9JDCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8 +XOynqCNW9Ii0Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecA +V2HsNtCGecj/OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSBwMHfoTTG9g4LmkL/ +kBl3thRfxzBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 +YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC5VfuhrOErCX6nlfnzgXIB +HheWTfcuobNz1cRatdIGRZVBLIktkQjABsX62t0wcCJ4gUMgT0DxgR/bZQDv9tp5 +q6bo5XJM+bFkuf0NiPme+w9Or+VYcuyiljHnHF3rihK2ZFOBXl2kY667tiGFML3B +jhaYQVHA0ZsSfe3Auxccku0U25dJNLq1+ATjeDuye8/NJqS95YBcMZzWiwG/VgMF +mCeiygAobWmIk2LOijFFpNN2ySCiLimueQp/DO3kBdWlhael3Ee9lkA5bqoFchpb +HH8eQKyOLhRnB2Lk/RhC3mGIFjW127sJdjdWkroyULepnULLyQQA6jy+tEu4XZ2C +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial index 86397e5c1..d9bb888f8 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/serial +++ b/testing/hosts/winnetou/etc/openssl/sales/serial @@ -1 +1 @@ -09 +0A diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old index adb9de8ee..86397e5c1 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/serial.old +++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old @@ -1 +1 @@ -08 +09 diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage index c927934f1..d9500cb35 100755 --- a/testing/scripts/build-baseimage +++ b/testing/scripts/build-baseimage @@ -16,9 +16,9 @@ INC=automake,autoconf,libtool,bison,flex,gperf,pkg-config,gettext INC=$INC,build-essential,libgmp-dev,libldap2-dev,libcurl4-openssl-dev,ethtool INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libxerces-c2-dev,libltdl-dev -INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core +INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core,iperf INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,screen -INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev +INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev,htop INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev,ca-certificates,unzip INC=$INC,python,python-setuptools,python-dev,python-pip INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev diff --git a/testing/scripts/build-guestkernel b/testing/scripts/build-guestkernel index 40aa1b4f1..17f22bd83 100755 --- a/testing/scripts/build-guestkernel +++ b/testing/scripts/build-guestkernel @@ -14,7 +14,7 @@ cd $BUILDDIR if [ ! -f "$KERNELTARBALL" ] then - url=ftp://ftp.kernel.org/pub/linux/kernel/v3.x/$KERNELTARBALL + url=ftp://ftp.kernel.org/pub/linux/kernel/v${KERNELVERSION:0:1}.x/$KERNELTARBALL log_action "Downloading $url" execute "wget -q $url" fi diff --git a/testing/scripts/recipes/005_anet.mk b/testing/scripts/recipes/005_anet.mk index 2d982d091..b02d63094 100644 --- a/testing/scripts/recipes/005_anet.mk +++ b/testing/scripts/recipes/005_anet.mk @@ -2,7 +2,7 @@ PKG = anet SRC = http://git.codelabs.ch/git/$(PKG).git -REV = v0.2.2 +REV = v0.3.1 PREFIX = /usr/local/ada diff --git a/testing/scripts/recipes/006_tkm-rpc.mk b/testing/scripts/recipes/006_tkm-rpc.mk index 6c4aae0c5..5c98123d6 100644 --- a/testing/scripts/recipes/006_tkm-rpc.mk +++ b/testing/scripts/recipes/006_tkm-rpc.mk @@ -2,7 +2,7 @@ PKG = tkm-rpc SRC = http://git.codelabs.ch/git/$(PKG).git -REV = v0.1 +REV = v0.2 PREFIX = /usr/local/ada diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk index 12eafd6c8..5abd2178b 100644 --- a/testing/scripts/recipes/010_tkm.mk +++ b/testing/scripts/recipes/010_tkm.mk @@ -2,7 +2,7 @@ PKG = tkm SRC = http://git.codelabs.ch/git/$(PKG).git -REV = v0.1.1 +REV = v0.1.2 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat diff --git a/testing/scripts/recipes/012_openssl.mk b/testing/scripts/recipes/012_openssl.mk index 9312445ce..16aec239d 100644 --- a/testing/scripts/recipes/012_openssl.mk +++ b/testing/scripts/recipes/012_openssl.mk @@ -7,7 +7,7 @@ SRC = http://download.strongswan.org/testing/openssl-fips/ all: install $(PKG): - wget -r $(SRC) --no-directories --directory-prefix $(PKG) --accept deb + wget -r $(SRC) --no-directories --directory-prefix $(PKG) --accept deb --no-parent install: $(PKG) cd $(PKG) && dpkg -i *.deb diff --git a/testing/testing.conf b/testing/testing.conf index f5e65b2d8..737bcae23 100644 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -24,14 +24,14 @@ fi : ${TESTDIR=/srv/strongswan-testing} # Kernel configuration -: ${KERNELVERSION=3.15.1} +: ${KERNELVERSION=4.0} : ${KERNEL=linux-$KERNELVERSION} : ${KERNELTARBALL=$KERNEL.tar.xz} -: ${KERNELCONFIG=$DIR/../config/kernel/config-3.15} -: ${KERNELPATCH=ha-3.15-ah-abicompat.patch.bz2} +: ${KERNELCONFIG=$DIR/../config/kernel/config-4.0} +: ${KERNELPATCH=ha-3.18-abicompat.patch.bz2} # strongSwan version used in tests -: ${SWANVERSION=5.2.0} +: ${SWANVERSION=5.3.1} # Build directory where the guest kernel and images will be built : ${BUILDDIR=$TESTDIR/build} diff --git a/testing/tests/af-alg/rw-cert/pretest.dat b/testing/tests/af-alg/rw-cert/pretest.dat index 8bbea1412..c582e030d 100644 --- a/testing/tests/af-alg/rw-cert/pretest.dat +++ b/testing/tests/af-alg/rw-cert/pretest.dat @@ -4,6 +4,6 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::sleep 3 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat index 8bbea1412..c582e030d 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat @@ -4,6 +4,6 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::sleep 3 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/ha/active-passive/description.txt b/testing/tests/ha/active-passive/description.txt new file mode 100644 index 000000000..519fa3313 --- /dev/null +++ b/testing/tests/ha/active-passive/description.txt @@ -0,0 +1,8 @@ +The roadwarriors carol and dave set up a connection each +to the virtual gateway mars implemented by the two real gateways +alice and moon in a High Availability (HA) setup +based on ClusterIP. The HA synchronisation link between the two +gatways is secured by an IPsec transport connection. At the outset +alice is the active and moon is the passive gateway. +After alice gets killed moon automatically takes over +all existing IKE_SAs and CHILD_SAs. diff --git a/testing/tests/ha/active-passive/evaltest.dat b/testing/tests/ha/active-passive/evaltest.dat new file mode 100644 index 000000000..448f283f1 --- /dev/null +++ b/testing/tests/ha/active-passive/evaltest.dat @@ -0,0 +1,32 @@ +alice::cat /var/log/daemon.log::HA segment 1 was not handled, taking::YES +moon:: cat /var/log/daemon.log::remote node takes segment 1::YES +alice::ipsec status 2> /dev/null::ha.*ESTABLISHED.*10.1.0.10.*10.1.0.1::YES +alice::ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES +alice::ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::ha.*ESTABLISHED.*10.1.0.1.*10.1.0.10::YES +moon:: ipsec status 2> /dev/null::rw.*PASSIVE.*mars.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*PASSIVE.*mars.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*mars.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*mars.strongswan.org::YES +alice::cat /var/log/daemon.log::HA segment 1 activated::YES +alice::cat /var/log/daemon.log::handling HA CHILD_SA::YES +moon:: cat /var/log/daemon.log::installed HA CHILD_SA::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +alice::ip xfrm policy flush::no output expected::NO +alice::ip xfrm state flush::no output expected::NO +alice::killall -9 starter charon::no output expected::NO +carol::sleep 3::no output expected::NO +moon:: cat /var/log/daemon.log::no heartbeat received, taking all segments::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES +carol::tcpdump::IP mars.strongswan.org > carol.strongswan.org: ESP::YES +dave::tcpdump::IP dave.strongswan.org > mars.strongswan.org: ESP::YES +dave::tcpdump::IP mars.strongswan.org > dave.strongswan.org: ESP::YES +venus::tcpdump::IP carol.strongswan.org > venus.strongswan.org: ICMP echo request::YES +venus::tcpdump::IP venus.strongswan.org > carol.strongswan.org: ICMP echo reply::YES +venus::tcpdump::IP dave.strongswan.org > venus.strongswan.org: ICMP echo request::YES +venus::tcpdump::IP venus.strongswan.org > dave.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ha/active-passive/hosts/alice/etc/ipsec.conf b/testing/tests/ha/active-passive/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..363473bdd --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/alice/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=192.168.0.5 + leftcert=marsCert.pem + leftid=@mars.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ha/active-passive/hosts/alice/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ha/active-passive/hosts/alice/etc/ipsec.d/certs/marsCert.pem new file mode 100644 index 000000000..5077ab15d --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/alice/etc/ipsec.d/certs/marsCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1 +YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D +l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU +j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+ +E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB +QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG +7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB +AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D +ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou +Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy +cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw +MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/ +n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R +atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7 +ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1 +b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le +i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU +-----END CERTIFICATE----- diff --git a/testing/tests/ha/active-passive/hosts/alice/etc/ipsec.d/private/marsKey.pem b/testing/tests/ha/active-passive/hosts/alice/etc/ipsec.d/private/marsKey.pem new file mode 100644 index 000000000..9196315a3 --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/alice/etc/ipsec.d/private/marsKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0jTsxnmFVy82b+N3Ypy8QAuuw5f9aVCMGSE+6c1hk223mAYE +UAyFeOhwACU8Z2FhKtnhHnE2y0IYF+0D1HjiV5Pb1I+RXgqzV5L9NRT7I8EXbwQl +sBB2IRnM3j/f/BoO81N+rdxMkr+WUWCqr+juNpa4PhO/cJtgcHT4pOxuZgi5l59w +YNSCjSYQSVipD9+unaQLpMsD9YBjMJltzKn1Ztn1wUFQ5agiY6b8jYiYVulKjn/j +ZCmT7oI5X1jECshcRAupKwQ0+FnZ6Co+UtIcsngLxux5S+WEoj4XdQzWsVdDl/2g +cGBVtMzGTlZmC79nMEVX9y5T/9zb+ugbY7ccGQIDAQABAoIBAHmuW1W06KQEV33D +bctusWZdnOfqZq39C2xMm2+aDR7bh0iASyTPasAHxTXAWEv7ydSVVURbAv38H5hS +AkKPS26oz7sm9F480X4jP2Hn6EzVLKx9+RcHIGqe1cHdtdnod7kRHyajfMwCDZDD +5Wp46tQ8wSBmLA6SUuwmOfy2RF3ZKGSYUxZEA3Pj7oMuCwgUVg62MN5kbOdviW1u +DpRAWO3UE64nHYSFYeRiVRYmrZ0pOF2oBkfuALn2frcGX0v97xxNH9mpJfc1T6Km +KwfSpKtB5BlF4QRukZC3smoiO0aXI4ZuxuuRzujYIHJvp21+Lg5UybwOu/w4R1nB +UnaCZHUCgYEA7/5Q06+Mpn9UxxcP5tNGeeGEV5EVhXzLHq8IyTb+Dp8AnJ+EXuHK +QAiyxvavorZCQN9xAa3IOi1789NeaVWU7DKWI4pMfXETkFGYI2q08bf16XYAvSgt +AOeEKzILADHaqOKbLJhFxUIAGLJ4LP+IBapKrTHF5qELW6jO4YYaH1cCgYEA4DoG +3MgDnmCsikmDkP7Z/HS6XwAqKKF6CMlJW05Dq5J/wgWIXfBU9QdWbHl2H2fa/n1b +M8u3M4wA9NY7kKtan3VBDFxEARRcSX50YB1TCLnplDVO3IxYUkjfKhTjBFF9R0Iv +2nj8QXAnb+vbx+30Pbi7bkvb93nSe4yzXPFtKg8CgYEAuZso7Z5eG8JsUZEvdig9 +4DMehA6r41IRUUizddK3B53G/lqMKEldfsp7YU8VpLRqZvunzVGWgg/9RiRZZwOO +KmIxJYlnALj8FWhVTkbPbAYHBKiDh8dTjth+ql2Ijn0ADA89TW7yvsz9gBw+vyZd +D2yVVn8g++3e9+OFJHvvJf8CgYBHEn18W7Wx7Mij6JtYST+FIua0GBRE3rIUuOCU +nWEbsAroz+IijHwRUqsVJQbI+51RjyBqcYb3QshG0uT8fSPzaTIeHdy8TtzVusxe +bs0T9gHQpXkCtUWFh22dJBO1GbNQ8+zBHhovD8KgWi1G2OjS64wVcNwfPDD4UmfD +7Q6CBwKBgBOeDK7R5mGwC4nV1Y+KDBgvE/W8BloZpcD+d7sfZsrU8w7LemBKreDa +qT1vgk1ZOeHFkvwdWH7LSxRUEGRd+HmqOFKv/hfmxXHlepdnjqt4JMNo9UyddXmX +onErIOM7BXcBmqvY77ODDOk8ER3zUjKHvYUzxz4PPuEM3hGTTRbQ +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ha/active-passive/hosts/alice/etc/ipsec.secrets b/testing/tests/ha/active-passive/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..d65b96e34 --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/alice/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA marsKey.pem diff --git a/testing/tests/ha/active-passive/hosts/alice/etc/iptables.rules b/testing/tests/ha/active-passive/hosts/alice/etc/iptables.rules new file mode 100644 index 000000000..873578632 --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/alice/etc/iptables.rules @@ -0,0 +1,57 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# forward ESP-tunneled traffic +-A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT +-A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT +-A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT + +# clusterip rules +-A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 1 --local-node 0 +-A INPUT -i eth0 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 1 --local-node 0 + +# allow esp +-A INPUT -p 50 -j ACCEPT +-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT +-A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT + +# allow esp on internal interface +-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p 50 -j ACCEPT + +# allow IKE on internal interface +-A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow IKE +-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow heartbeat +-A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT +-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT + +# allow ICMP type 3 +-A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT +-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT + +# allow IGMP multicasts +-A INPUT -d 224.0.0.1 -p igmp -j ACCEPT +-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +COMMIT diff --git a/testing/tests/ha/active-passive/hosts/alice/etc/strongswan.conf b/testing/tests/ha/active-passive/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..d6d453948 --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/alice/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default ha + plugins { + ha { + local = PH_IP_ALICE + remote = PH_IP_MOON1 + secret = PliyxREnfoPaSXDJx1NrlH0kkKXT/LWZ + segment_count = 1 + fifo_interface = yes + monitor = yes + } + } +} + diff --git a/testing/tests/ha/active-passive/hosts/carol/etc/ipsec.conf b/testing/tests/ha/active-passive/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..3040f6afa --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/carol/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=192.168.0.5 + rightid=@mars.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ha/active-passive/hosts/carol/etc/strongswan.conf b/testing/tests/ha/active-passive/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..e58af9efd --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ha/active-passive/hosts/dave/etc/ipsec.conf b/testing/tests/ha/active-passive/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..27d6b8d99 --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/dave/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=192.168.0.5 + rightid=@mars.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ha/active-passive/hosts/dave/etc/strongswan.conf b/testing/tests/ha/active-passive/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ecbad665c --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} + diff --git a/testing/tests/ha/active-passive/hosts/moon/etc/ipsec.conf b/testing/tests/ha/active-passive/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..363473bdd --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/moon/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=192.168.0.5 + leftcert=marsCert.pem + leftid=@mars.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ha/active-passive/hosts/moon/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ha/active-passive/hosts/moon/etc/ipsec.d/certs/marsCert.pem new file mode 100644 index 000000000..5077ab15d --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/moon/etc/ipsec.d/certs/marsCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1 +YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D +l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU +j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+ +E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB +QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG +7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB +AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D +ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou +Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy +cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw +MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/ +n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R +atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7 +ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1 +b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le +i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU +-----END CERTIFICATE----- diff --git a/testing/tests/ha/active-passive/hosts/moon/etc/ipsec.d/private/marsKey.pem b/testing/tests/ha/active-passive/hosts/moon/etc/ipsec.d/private/marsKey.pem new file mode 100644 index 000000000..9196315a3 --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/moon/etc/ipsec.d/private/marsKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0jTsxnmFVy82b+N3Ypy8QAuuw5f9aVCMGSE+6c1hk223mAYE +UAyFeOhwACU8Z2FhKtnhHnE2y0IYF+0D1HjiV5Pb1I+RXgqzV5L9NRT7I8EXbwQl +sBB2IRnM3j/f/BoO81N+rdxMkr+WUWCqr+juNpa4PhO/cJtgcHT4pOxuZgi5l59w +YNSCjSYQSVipD9+unaQLpMsD9YBjMJltzKn1Ztn1wUFQ5agiY6b8jYiYVulKjn/j +ZCmT7oI5X1jECshcRAupKwQ0+FnZ6Co+UtIcsngLxux5S+WEoj4XdQzWsVdDl/2g +cGBVtMzGTlZmC79nMEVX9y5T/9zb+ugbY7ccGQIDAQABAoIBAHmuW1W06KQEV33D +bctusWZdnOfqZq39C2xMm2+aDR7bh0iASyTPasAHxTXAWEv7ydSVVURbAv38H5hS +AkKPS26oz7sm9F480X4jP2Hn6EzVLKx9+RcHIGqe1cHdtdnod7kRHyajfMwCDZDD +5Wp46tQ8wSBmLA6SUuwmOfy2RF3ZKGSYUxZEA3Pj7oMuCwgUVg62MN5kbOdviW1u +DpRAWO3UE64nHYSFYeRiVRYmrZ0pOF2oBkfuALn2frcGX0v97xxNH9mpJfc1T6Km +KwfSpKtB5BlF4QRukZC3smoiO0aXI4ZuxuuRzujYIHJvp21+Lg5UybwOu/w4R1nB +UnaCZHUCgYEA7/5Q06+Mpn9UxxcP5tNGeeGEV5EVhXzLHq8IyTb+Dp8AnJ+EXuHK +QAiyxvavorZCQN9xAa3IOi1789NeaVWU7DKWI4pMfXETkFGYI2q08bf16XYAvSgt +AOeEKzILADHaqOKbLJhFxUIAGLJ4LP+IBapKrTHF5qELW6jO4YYaH1cCgYEA4DoG +3MgDnmCsikmDkP7Z/HS6XwAqKKF6CMlJW05Dq5J/wgWIXfBU9QdWbHl2H2fa/n1b +M8u3M4wA9NY7kKtan3VBDFxEARRcSX50YB1TCLnplDVO3IxYUkjfKhTjBFF9R0Iv +2nj8QXAnb+vbx+30Pbi7bkvb93nSe4yzXPFtKg8CgYEAuZso7Z5eG8JsUZEvdig9 +4DMehA6r41IRUUizddK3B53G/lqMKEldfsp7YU8VpLRqZvunzVGWgg/9RiRZZwOO +KmIxJYlnALj8FWhVTkbPbAYHBKiDh8dTjth+ql2Ijn0ADA89TW7yvsz9gBw+vyZd +D2yVVn8g++3e9+OFJHvvJf8CgYBHEn18W7Wx7Mij6JtYST+FIua0GBRE3rIUuOCU +nWEbsAroz+IijHwRUqsVJQbI+51RjyBqcYb3QshG0uT8fSPzaTIeHdy8TtzVusxe +bs0T9gHQpXkCtUWFh22dJBO1GbNQ8+zBHhovD8KgWi1G2OjS64wVcNwfPDD4UmfD +7Q6CBwKBgBOeDK7R5mGwC4nV1Y+KDBgvE/W8BloZpcD+d7sfZsrU8w7LemBKreDa +qT1vgk1ZOeHFkvwdWH7LSxRUEGRd+HmqOFKv/hfmxXHlepdnjqt4JMNo9UyddXmX +onErIOM7BXcBmqvY77ODDOk8ER3zUjKHvYUzxz4PPuEM3hGTTRbQ +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ha/active-passive/hosts/moon/etc/ipsec.secrets b/testing/tests/ha/active-passive/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..d65b96e34 --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA marsKey.pem diff --git a/testing/tests/ha/active-passive/hosts/moon/etc/iptables.rules b/testing/tests/ha/active-passive/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..09df2225c --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/moon/etc/iptables.rules @@ -0,0 +1,57 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# forward ESP-tunneled traffic +-A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT +-A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT +-A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT + +# clusterip rules +-A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 1 --local-node 0 +-A INPUT -i eth1 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 1 --local-node 0 + +# allow esp +-A INPUT -p 50 -j ACCEPT +-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT +-A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT + +# allow esp on internal interface +-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p 50 -j ACCEPT + +# allow IKE on internal interface +-A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 500 --sport 500 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow heartbeat +-A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT +-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT + +# allow ICMP type 3 +-A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT +-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT + +# allow IGMP multicasts +-A INPUT -d 224.0.0.1 -p igmp -j ACCEPT +-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +COMMIT diff --git a/testing/tests/ha/active-passive/hosts/moon/etc/strongswan.conf b/testing/tests/ha/active-passive/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..198f3a01d --- /dev/null +++ b/testing/tests/ha/active-passive/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default ha + plugins { + ha { + local = PH_IP_MOON1 + remote = PH_IP_ALICE + secret = PliyxREnfoPaSXDJx1NrlH0kkKXT/LWZ + segment_count = 1 + fifo_interface = yes + monitor = yes + } + } +} diff --git a/testing/tests/ha/active-passive/posttest.dat b/testing/tests/ha/active-passive/posttest.dat new file mode 100644 index 000000000..c21aac9aa --- /dev/null +++ b/testing/tests/ha/active-passive/posttest.dat @@ -0,0 +1,15 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +alice::rm /var/run/charon.pid /var/run/starter.charon.pid +moon::iptables-restore < /etc/iptables.flush +alice::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip addr del 192.168.0.5/24 dev eth0 +moon::ip addr del 10.1.0.5/16 dev eth1 +alice::ip addr del 192.168.0.5/24 dev eth1 +alice::ip addr del 10.1.0.5/16 dev eth0 +alice::ifdown eth1 +venus::ip route del default via 10.1.0.5 dev eth0 +venus::ip route add default via 10.1.0.1 dev eth0 diff --git a/testing/tests/ha/active-passive/pretest.dat b/testing/tests/ha/active-passive/pretest.dat new file mode 100644 index 000000000..d0efb76f7 --- /dev/null +++ b/testing/tests/ha/active-passive/pretest.dat @@ -0,0 +1,21 @@ +moon::ip addr add 192.168.0.5/24 dev eth0 +moon::ip addr add 10.1.0.5/16 dev eth1 +alice::ifup eth1 +alice::ip addr add 192.168.0.5/24 dev eth1 +alice::ip addr add 10.1.0.5/16 dev eth0 +venus::ip route del default via 10.1.0.1 dev eth0 +venus::ip route add default via 10.1.0.5 dev eth0 +moon::iptables-restore < /etc/iptables.rules +alice::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +alice::ipsec start +moon::ipsec start +moon::sleep 2 +alice::echo "+1" > /var/run/charon.ha +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ha/active-passive/test.conf b/testing/tests/ha/active-passive/test.conf new file mode 100644 index 000000000..8056d9ce4 --- /dev/null +++ b/testing/tests/ha/active-passive/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="venus carol dave" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice moon carol dave" diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 69e5c05e3..698e47cc0 100644 --- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1 -N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw +NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy -dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD -hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9 -HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n -3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz -Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C -AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE -AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF +sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK +oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L +7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib +tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA +IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd +qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA -ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG -il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC -CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU -n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq -8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/ -pwU12A3BovJKUaR0B7Uy2A== +TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i +9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI +jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX +sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K +yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3 +mk0VsDm1jdOf3PK1Xd2PJw== -----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem index 53e18680b..3a5d7c487 100644 --- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq -azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP -nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk -b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4 -H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm -GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9 -N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r -er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC -kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV -BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+ -Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN -DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp -waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt -1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw -RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm -CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM -eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl -FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO -auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx -rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8 -iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx -qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv -/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA -hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2 -5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw= +MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO +7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm +x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1 +awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz +5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz +9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6 +zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp +9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa +ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8 +JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup +F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT +0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y +bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ +oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH +Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ +aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H +3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF +mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz +6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0 +oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol +1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye +8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy +HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od +pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY +zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem index 91df37a81..4718e7a16 100644 --- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MIIEHDCCAwSgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL +BAMTCFNhbGVzIENBMB4XDTE1MDQyNjEwMjIyMFoXDTE5MDQwMzEwMjIyMFowVjEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi -0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6 -J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz -VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH -K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/ -5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8 -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV -MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPk +UE6ijIn++yyhaZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER +0/APr9KmXfnmFddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN +5GGh1u34R/9JDCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8 +XOynqCNW9Ii0Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecA +V2HsNtCGecj/OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSBwMHfoTTG9g4LmkL/ +kBl3thRfxzBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v -cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq -OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5 -xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb -E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e -q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+ -JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+ +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC5VfuhrOErCX6nlfnzgXIB +HheWTfcuobNz1cRatdIGRZVBLIktkQjABsX62t0wcCJ4gUMgT0DxgR/bZQDv9tp5 +q6bo5XJM+bFkuf0NiPme+w9Or+VYcuyiljHnHF3rihK2ZFOBXl2kY667tiGFML3B +jhaYQVHA0ZsSfe3Auxccku0U25dJNLq1+ATjeDuye8/NJqS95YBcMZzWiwG/VgMF +mCeiygAobWmIk2LOijFFpNN2ySCiLimueQp/DO3kBdWlhael3Ee9lkA5bqoFchpb +HH8eQKyOLhRnB2Lk/RhC3mGIFjW127sJdjdWkroyULepnULLyQQA6jy+tEu4XZ2C -----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem index 86740e86a..ebba49cae 100644 --- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv -MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII -s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn -J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF -VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf -anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk -lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn -PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph -6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah -sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m -RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX -lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw -CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/ -l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ -if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v -yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH -dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx -h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct -Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh -w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK -LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl -7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u -5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6 -4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA -fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0= +MIIEpAIBAAKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPkUE6ijIn++yyh +aZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER0/APr9KmXfnm +FddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN5GGh1u34R/9J +DCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8XOynqCNW9Ii0 +Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecAV2HsNtCGecj/ +OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABAoIBAAeecxXVqaaMSIlF +qASCFtSdzDShJvE6sEHSNN/YjE5HMvZHMqvj2+1BlvepD0QXxkpIFTCqWnXob3iU +dOyqRRZJYTZXU9lt2Z3a7XEzei6JvRSFhHbVHgHSK4ijeV/2gKfbVXfa+6cx2qGQ +DV3kEdr3zhEqYzrg7hYSEuFn3vOgzFu7PgZYU9b4XQ/nlVaXIH+0Mqrjx9WscLFR ++9Z9WPHx9lzL52ggAoCSHla/NWTe9RZXYX8Px8Ho5rxJ33IXvdQ4A2SiN5s6BhTM +BfC4TVvdcjEUQpCNjW4us9XUEQQ6RSZr7CMDdap4rLENfR51GiMHlDDRWkxqfevI +JYHXpGECgYEA7cZwenYQ/IN2SmBEMCCSh45B6E3pkII+yoLac2phQVRWi0yOwLwp +L2BiWn+HnSdO+d44aiR69MpTF4pEeBbs2bOEU1RO5ywU82kbU0Jzru1nfjYpkzqP +VFEeFshZubqO345cUMsnlECQsmsDmMdllRiXsj14Gp3w8IIVxyZQ420CgYEAy1OC +Plwrr57PEhQWwjRhpqpPO9CD265m7/7Ru6TDjdPw98ANxNn01pRk4X2VcFp0ICgV +b/orF9QZMPyntGRs9m2fzKGYkTAYQX1XyChvK3vSSdY1DgK2KRAQXbHl1w5VqGbd +6QTcIpjF3aNE9jdBj7M+VzUI0AF21ceWUbKDAWsCgYEA1xTTldLK1r/L9sdRpv8v +zLLf51Ti27cVOXZYSGKICuJRTrw3vRv3XUWgciA9+egexmM/QLQzDM8fjoGiIccL +BHogTohKv03evbfr4cqQfkF9hmtT/DvSfwDJaO5eS2T37D0IQIUkDjTBLsMig8aK +mu2d+rsjs1//HG9vZ6+/J5kCgYEAxt/JlwFEYaSt2Xr4v7/Ie+I9Wb4cGvW9DaVq +s2T3OXRCT7H0RcUCLBg9jCjv0FNJHmLWhQ5mtAnrEfUue812npqfIOI2flxSfUwC +Xm7ePeQAzePNRQT187gYqexlaTJGKk9jYpY0U0qmzqDxxPpLECk8IsRm+D1WZMex +iftXFD0CgYB9EZErbxigNj3qlLEMNoEYgPCRfrM0/n/1XgXTnReExrX+gLDwqddD +L9VQMPoNJ6cFWdu1tHerJnD0w7C3NqIgUbOFbA0G9HskfivXsRVwlH7/21NVe2w2 +mAtK0sAKmNmOpx6+lrwWA44Pkdf4aoS0B8ehmvcnVYlj2W51oiSY+w== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 69e5c05e3..698e47cc0 100644 --- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1 -N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw +NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy -dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD -hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9 -HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n -3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz -Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C -AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE -AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF +sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK +oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L +7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib +tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA +IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd +qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA -ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG -il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC -CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU -n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq -8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/ -pwU12A3BovJKUaR0B7Uy2A== +TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i +9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI +jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX +sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K +yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3 +mk0VsDm1jdOf3PK1Xd2PJw== -----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem index 53e18680b..3a5d7c487 100644 --- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq -azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP -nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk -b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4 -H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm -GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9 -N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r -er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC -kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV -BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+ -Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN -DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp -waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt -1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw -RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm -CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM -eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl -FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO -auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx -rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8 -iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx -qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv -/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA -hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2 -5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw= +MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO +7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm +x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1 +awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz +5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz +9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6 +zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp +9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa +ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8 +JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup +F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT +0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y +bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ +oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH +Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ +aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H +3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF +mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz +6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0 +oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol +1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye +8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy +HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od +pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY +zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem index 91df37a81..4718e7a16 100644 --- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MIIEHDCCAwSgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL +BAMTCFNhbGVzIENBMB4XDTE1MDQyNjEwMjIyMFoXDTE5MDQwMzEwMjIyMFowVjEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi -0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6 -J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz -VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH -K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/ -5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8 -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV -MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPk +UE6ijIn++yyhaZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER +0/APr9KmXfnmFddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN +5GGh1u34R/9JDCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8 +XOynqCNW9Ii0Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecA +V2HsNtCGecj/OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSBwMHfoTTG9g4LmkL/ +kBl3thRfxzBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v -cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq -OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5 -xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb -E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e -q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+ -JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+ +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC5VfuhrOErCX6nlfnzgXIB +HheWTfcuobNz1cRatdIGRZVBLIktkQjABsX62t0wcCJ4gUMgT0DxgR/bZQDv9tp5 +q6bo5XJM+bFkuf0NiPme+w9Or+VYcuyiljHnHF3rihK2ZFOBXl2kY667tiGFML3B +jhaYQVHA0ZsSfe3Auxccku0U25dJNLq1+ATjeDuye8/NJqS95YBcMZzWiwG/VgMF +mCeiygAobWmIk2LOijFFpNN2ySCiLimueQp/DO3kBdWlhael3Ee9lkA5bqoFchpb +HH8eQKyOLhRnB2Lk/RhC3mGIFjW127sJdjdWkroyULepnULLyQQA6jy+tEu4XZ2C -----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem index 86740e86a..ebba49cae 100644 --- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv -MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII -s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn -J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF -VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf -anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk -lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn -PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph -6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah -sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m -RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX -lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw -CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/ -l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ -if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v -yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH -dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx -h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct -Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh -w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK -LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl -7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u -5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6 -4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA -fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0= +MIIEpAIBAAKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPkUE6ijIn++yyh +aZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER0/APr9KmXfnm +FddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN5GGh1u34R/9J +DCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8XOynqCNW9Ii0 +Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecAV2HsNtCGecj/ +OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABAoIBAAeecxXVqaaMSIlF +qASCFtSdzDShJvE6sEHSNN/YjE5HMvZHMqvj2+1BlvepD0QXxkpIFTCqWnXob3iU +dOyqRRZJYTZXU9lt2Z3a7XEzei6JvRSFhHbVHgHSK4ijeV/2gKfbVXfa+6cx2qGQ +DV3kEdr3zhEqYzrg7hYSEuFn3vOgzFu7PgZYU9b4XQ/nlVaXIH+0Mqrjx9WscLFR ++9Z9WPHx9lzL52ggAoCSHla/NWTe9RZXYX8Px8Ho5rxJ33IXvdQ4A2SiN5s6BhTM +BfC4TVvdcjEUQpCNjW4us9XUEQQ6RSZr7CMDdap4rLENfR51GiMHlDDRWkxqfevI +JYHXpGECgYEA7cZwenYQ/IN2SmBEMCCSh45B6E3pkII+yoLac2phQVRWi0yOwLwp +L2BiWn+HnSdO+d44aiR69MpTF4pEeBbs2bOEU1RO5ywU82kbU0Jzru1nfjYpkzqP +VFEeFshZubqO345cUMsnlECQsmsDmMdllRiXsj14Gp3w8IIVxyZQ420CgYEAy1OC +Plwrr57PEhQWwjRhpqpPO9CD265m7/7Ru6TDjdPw98ANxNn01pRk4X2VcFp0ICgV +b/orF9QZMPyntGRs9m2fzKGYkTAYQX1XyChvK3vSSdY1DgK2KRAQXbHl1w5VqGbd +6QTcIpjF3aNE9jdBj7M+VzUI0AF21ceWUbKDAWsCgYEA1xTTldLK1r/L9sdRpv8v +zLLf51Ti27cVOXZYSGKICuJRTrw3vRv3XUWgciA9+egexmM/QLQzDM8fjoGiIccL +BHogTohKv03evbfr4cqQfkF9hmtT/DvSfwDJaO5eS2T37D0IQIUkDjTBLsMig8aK +mu2d+rsjs1//HG9vZ6+/J5kCgYEAxt/JlwFEYaSt2Xr4v7/Ie+I9Wb4cGvW9DaVq +s2T3OXRCT7H0RcUCLBg9jCjv0FNJHmLWhQ5mtAnrEfUue812npqfIOI2flxSfUwC +Xm7ePeQAzePNRQT187gYqexlaTJGKk9jYpY0U0qmzqDxxPpLECk8IsRm+D1WZMex +iftXFD0CgYB9EZErbxigNj3qlLEMNoEYgPCRfrM0/n/1XgXTnReExrX+gLDwqddD +L9VQMPoNJ6cFWdu1tHerJnD0w7C3NqIgUbOFbA0G9HskfivXsRVwlH7/21NVe2w2 +mAtK0sAKmNmOpx6+lrwWA44Pkdf4aoS0B8ehmvcnVYlj2W51oiSY+w== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 69e5c05e3..698e47cc0 100644 --- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1 -N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw +NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy -dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD -hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9 -HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n -3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz -Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C -AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE -AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF +sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK +oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L +7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib +tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA +IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd +qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA -ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG -il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC -CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU -n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq -8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/ -pwU12A3BovJKUaR0B7Uy2A== +TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i +9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI +jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX +sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K +yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3 +mk0VsDm1jdOf3PK1Xd2PJw== -----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem index 53e18680b..3a5d7c487 100644 --- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq -azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP -nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk -b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4 -H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm -GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9 -N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r -er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC -kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV -BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+ -Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN -DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp -waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt -1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw -RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm -CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM -eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl -FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO -auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx -rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8 -iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx -qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv -/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA -hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2 -5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw= +MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO +7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm +x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1 +awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz +5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz +9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6 +zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp +9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa +ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8 +JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup +F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT +0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y +bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ +oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH +Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ +aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H +3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF +mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz +6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0 +oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol +1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye +8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy +HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od +pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY +zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem index 91df37a81..4718e7a16 100644 --- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MIIEHDCCAwSgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL +BAMTCFNhbGVzIENBMB4XDTE1MDQyNjEwMjIyMFoXDTE5MDQwMzEwMjIyMFowVjEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi -0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6 -J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz -VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH -K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/ -5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8 -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV -MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPk +UE6ijIn++yyhaZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER +0/APr9KmXfnmFddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN +5GGh1u34R/9JDCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8 +XOynqCNW9Ii0Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecA +V2HsNtCGecj/OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSBwMHfoTTG9g4LmkL/ +kBl3thRfxzBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v -cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq -OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5 -xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb -E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e -q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+ -JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+ +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC5VfuhrOErCX6nlfnzgXIB +HheWTfcuobNz1cRatdIGRZVBLIktkQjABsX62t0wcCJ4gUMgT0DxgR/bZQDv9tp5 +q6bo5XJM+bFkuf0NiPme+w9Or+VYcuyiljHnHF3rihK2ZFOBXl2kY667tiGFML3B +jhaYQVHA0ZsSfe3Auxccku0U25dJNLq1+ATjeDuye8/NJqS95YBcMZzWiwG/VgMF +mCeiygAobWmIk2LOijFFpNN2ySCiLimueQp/DO3kBdWlhael3Ee9lkA5bqoFchpb +HH8eQKyOLhRnB2Lk/RhC3mGIFjW127sJdjdWkroyULepnULLyQQA6jy+tEu4XZ2C -----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem index 86740e86a..ebba49cae 100644 --- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv -MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII -s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn -J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF -VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf -anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk -lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn -PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph -6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah -sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m -RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX -lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw -CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/ -l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ -if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v -yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH -dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx -h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct -Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh -w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK -LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl -7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u -5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6 -4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA -fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0= +MIIEpAIBAAKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPkUE6ijIn++yyh +aZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER0/APr9KmXfnm +FddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN5GGh1u34R/9J +DCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8XOynqCNW9Ii0 +Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecAV2HsNtCGecj/ +OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABAoIBAAeecxXVqaaMSIlF +qASCFtSdzDShJvE6sEHSNN/YjE5HMvZHMqvj2+1BlvepD0QXxkpIFTCqWnXob3iU +dOyqRRZJYTZXU9lt2Z3a7XEzei6JvRSFhHbVHgHSK4ijeV/2gKfbVXfa+6cx2qGQ +DV3kEdr3zhEqYzrg7hYSEuFn3vOgzFu7PgZYU9b4XQ/nlVaXIH+0Mqrjx9WscLFR ++9Z9WPHx9lzL52ggAoCSHla/NWTe9RZXYX8Px8Ho5rxJ33IXvdQ4A2SiN5s6BhTM +BfC4TVvdcjEUQpCNjW4us9XUEQQ6RSZr7CMDdap4rLENfR51GiMHlDDRWkxqfevI +JYHXpGECgYEA7cZwenYQ/IN2SmBEMCCSh45B6E3pkII+yoLac2phQVRWi0yOwLwp +L2BiWn+HnSdO+d44aiR69MpTF4pEeBbs2bOEU1RO5ywU82kbU0Jzru1nfjYpkzqP +VFEeFshZubqO345cUMsnlECQsmsDmMdllRiXsj14Gp3w8IIVxyZQ420CgYEAy1OC +Plwrr57PEhQWwjRhpqpPO9CD265m7/7Ru6TDjdPw98ANxNn01pRk4X2VcFp0ICgV +b/orF9QZMPyntGRs9m2fzKGYkTAYQX1XyChvK3vSSdY1DgK2KRAQXbHl1w5VqGbd +6QTcIpjF3aNE9jdBj7M+VzUI0AF21ceWUbKDAWsCgYEA1xTTldLK1r/L9sdRpv8v +zLLf51Ti27cVOXZYSGKICuJRTrw3vRv3XUWgciA9+egexmM/QLQzDM8fjoGiIccL +BHogTohKv03evbfr4cqQfkF9hmtT/DvSfwDJaO5eS2T37D0IQIUkDjTBLsMig8aK +mu2d+rsjs1//HG9vZ6+/J5kCgYEAxt/JlwFEYaSt2Xr4v7/Ie+I9Wb4cGvW9DaVq +s2T3OXRCT7H0RcUCLBg9jCjv0FNJHmLWhQ5mtAnrEfUue812npqfIOI2flxSfUwC +Xm7ePeQAzePNRQT187gYqexlaTJGKk9jYpY0U0qmzqDxxPpLECk8IsRm+D1WZMex +iftXFD0CgYB9EZErbxigNj3qlLEMNoEYgPCRfrM0/n/1XgXTnReExrX+gLDwqddD +L9VQMPoNJ6cFWdu1tHerJnD0w7C3NqIgUbOFbA0G9HskfivXsRVwlH7/21NVe2w2 +mAtK0sAKmNmOpx6+lrwWA44Pkdf4aoS0B8ehmvcnVYlj2W51oiSY+w== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 69e5c05e3..698e47cc0 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1 -N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw +NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy -dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD -hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9 -HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n -3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz -Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C -AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE -AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF +sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK +oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L +7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib +tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA +IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd +qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA -ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG -il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC -CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU -n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq -8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/ -pwU12A3BovJKUaR0B7Uy2A== +TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i +9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI +jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX +sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K +yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3 +mk0VsDm1jdOf3PK1Xd2PJw== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem index 53e18680b..3a5d7c487 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq -azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP -nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk -b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4 -H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm -GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9 -N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r -er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC -kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV -BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+ -Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN -DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp -waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt -1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw -RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm -CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM -eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl -FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO -auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx -rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8 -iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx -qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv -/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA -hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2 -5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw= +MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO +7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm +x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1 +awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz +5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz +9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6 +zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp +9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa +ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8 +JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup +F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT +0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y +bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ +oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH +Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ +aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H +3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF +mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz +6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0 +oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol +1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye +8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy +HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od +pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY +zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem index 91df37a81..4718e7a16 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MIIEHDCCAwSgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL +BAMTCFNhbGVzIENBMB4XDTE1MDQyNjEwMjIyMFoXDTE5MDQwMzEwMjIyMFowVjEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi -0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6 -J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz -VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH -K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/ -5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8 -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV -MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPk +UE6ijIn++yyhaZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER +0/APr9KmXfnmFddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN +5GGh1u34R/9JDCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8 +XOynqCNW9Ii0Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecA +V2HsNtCGecj/OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSBwMHfoTTG9g4LmkL/ +kBl3thRfxzBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v -cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq -OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5 -xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb -E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e -q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+ -JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+ +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC5VfuhrOErCX6nlfnzgXIB +HheWTfcuobNz1cRatdIGRZVBLIktkQjABsX62t0wcCJ4gUMgT0DxgR/bZQDv9tp5 +q6bo5XJM+bFkuf0NiPme+w9Or+VYcuyiljHnHF3rihK2ZFOBXl2kY667tiGFML3B +jhaYQVHA0ZsSfe3Auxccku0U25dJNLq1+ATjeDuye8/NJqS95YBcMZzWiwG/VgMF +mCeiygAobWmIk2LOijFFpNN2ySCiLimueQp/DO3kBdWlhael3Ee9lkA5bqoFchpb +HH8eQKyOLhRnB2Lk/RhC3mGIFjW127sJdjdWkroyULepnULLyQQA6jy+tEu4XZ2C -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem index 86740e86a..ebba49cae 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv -MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII -s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn -J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF -VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf -anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk -lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn -PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph -6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah -sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m -RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX -lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw -CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/ -l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ -if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v -yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH -dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx -h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct -Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh -w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK -LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl -7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u -5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6 -4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA -fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0= +MIIEpAIBAAKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPkUE6ijIn++yyh +aZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER0/APr9KmXfnm +FddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN5GGh1u34R/9J +DCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8XOynqCNW9Ii0 +Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecAV2HsNtCGecj/ +OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABAoIBAAeecxXVqaaMSIlF +qASCFtSdzDShJvE6sEHSNN/YjE5HMvZHMqvj2+1BlvepD0QXxkpIFTCqWnXob3iU +dOyqRRZJYTZXU9lt2Z3a7XEzei6JvRSFhHbVHgHSK4ijeV/2gKfbVXfa+6cx2qGQ +DV3kEdr3zhEqYzrg7hYSEuFn3vOgzFu7PgZYU9b4XQ/nlVaXIH+0Mqrjx9WscLFR ++9Z9WPHx9lzL52ggAoCSHla/NWTe9RZXYX8Px8Ho5rxJ33IXvdQ4A2SiN5s6BhTM +BfC4TVvdcjEUQpCNjW4us9XUEQQ6RSZr7CMDdap4rLENfR51GiMHlDDRWkxqfevI +JYHXpGECgYEA7cZwenYQ/IN2SmBEMCCSh45B6E3pkII+yoLac2phQVRWi0yOwLwp +L2BiWn+HnSdO+d44aiR69MpTF4pEeBbs2bOEU1RO5ywU82kbU0Jzru1nfjYpkzqP +VFEeFshZubqO345cUMsnlECQsmsDmMdllRiXsj14Gp3w8IIVxyZQ420CgYEAy1OC +Plwrr57PEhQWwjRhpqpPO9CD265m7/7Ru6TDjdPw98ANxNn01pRk4X2VcFp0ICgV +b/orF9QZMPyntGRs9m2fzKGYkTAYQX1XyChvK3vSSdY1DgK2KRAQXbHl1w5VqGbd +6QTcIpjF3aNE9jdBj7M+VzUI0AF21ceWUbKDAWsCgYEA1xTTldLK1r/L9sdRpv8v +zLLf51Ti27cVOXZYSGKICuJRTrw3vRv3XUWgciA9+egexmM/QLQzDM8fjoGiIccL +BHogTohKv03evbfr4cqQfkF9hmtT/DvSfwDJaO5eS2T37D0IQIUkDjTBLsMig8aK +mu2d+rsjs1//HG9vZ6+/J5kCgYEAxt/JlwFEYaSt2Xr4v7/Ie+I9Wb4cGvW9DaVq +s2T3OXRCT7H0RcUCLBg9jCjv0FNJHmLWhQ5mtAnrEfUue812npqfIOI2flxSfUwC +Xm7ePeQAzePNRQT187gYqexlaTJGKk9jYpY0U0qmzqDxxPpLECk8IsRm+D1WZMex +iftXFD0CgYB9EZErbxigNj3qlLEMNoEYgPCRfrM0/n/1XgXTnReExrX+gLDwqddD +L9VQMPoNJ6cFWdu1tHerJnD0w7C3NqIgUbOFbA0G9HskfivXsRVwlH7/21NVe2w2 +mAtK0sAKmNmOpx6+lrwWA44Pkdf4aoS0B8ehmvcnVYlj2W51oiSY+w== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 69e5c05e3..698e47cc0 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1 -N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw +NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy -dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD -hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9 -HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n -3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz -Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C -AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE -AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF +sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK +oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L +7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib +tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA +IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd +qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA -ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG -il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC -CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU -n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq -8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/ -pwU12A3BovJKUaR0B7Uy2A== +TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i +9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI +jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX +sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K +yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3 +mk0VsDm1jdOf3PK1Xd2PJw== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem index 53e18680b..3a5d7c487 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq -azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP -nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk -b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4 -H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm -GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9 -N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r -er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC -kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV -BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+ -Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN -DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp -waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt -1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw -RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm -CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM -eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl -FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO -auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx -rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8 -iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx -qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv -/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA -hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2 -5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw= +MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO +7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm +x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1 +awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz +5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz +9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6 +zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp +9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa +ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8 +JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup +F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT +0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y +bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ +oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH +Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ +aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H +3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF +mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz +6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0 +oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol +1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye +8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy +HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od +pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY +zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem index 91df37a81..4718e7a16 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MIIEHDCCAwSgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL +BAMTCFNhbGVzIENBMB4XDTE1MDQyNjEwMjIyMFoXDTE5MDQwMzEwMjIyMFowVjEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi -0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6 -J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz -VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH -K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/ -5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8 -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV -MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPk +UE6ijIn++yyhaZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER +0/APr9KmXfnmFddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN +5GGh1u34R/9JDCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8 +XOynqCNW9Ii0Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecA +V2HsNtCGecj/OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSBwMHfoTTG9g4LmkL/ +kBl3thRfxzBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v -cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq -OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5 -xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb -E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e -q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+ -JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+ +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC5VfuhrOErCX6nlfnzgXIB +HheWTfcuobNz1cRatdIGRZVBLIktkQjABsX62t0wcCJ4gUMgT0DxgR/bZQDv9tp5 +q6bo5XJM+bFkuf0NiPme+w9Or+VYcuyiljHnHF3rihK2ZFOBXl2kY667tiGFML3B +jhaYQVHA0ZsSfe3Auxccku0U25dJNLq1+ATjeDuye8/NJqS95YBcMZzWiwG/VgMF +mCeiygAobWmIk2LOijFFpNN2ySCiLimueQp/DO3kBdWlhael3Ee9lkA5bqoFchpb +HH8eQKyOLhRnB2Lk/RhC3mGIFjW127sJdjdWkroyULepnULLyQQA6jy+tEu4XZ2C -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem index 86740e86a..ebba49cae 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv -MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII -s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn -J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF -VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf -anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk -lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn -PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph -6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah -sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m -RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX -lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw -CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/ -l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ -if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v -yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH -dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx -h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct -Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh -w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK -LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl -7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u -5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6 -4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA -fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0= +MIIEpAIBAAKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPkUE6ijIn++yyh +aZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER0/APr9KmXfnm +FddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN5GGh1u34R/9J +DCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8XOynqCNW9Ii0 +Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecAV2HsNtCGecj/ +OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABAoIBAAeecxXVqaaMSIlF +qASCFtSdzDShJvE6sEHSNN/YjE5HMvZHMqvj2+1BlvepD0QXxkpIFTCqWnXob3iU +dOyqRRZJYTZXU9lt2Z3a7XEzei6JvRSFhHbVHgHSK4ijeV/2gKfbVXfa+6cx2qGQ +DV3kEdr3zhEqYzrg7hYSEuFn3vOgzFu7PgZYU9b4XQ/nlVaXIH+0Mqrjx9WscLFR ++9Z9WPHx9lzL52ggAoCSHla/NWTe9RZXYX8Px8Ho5rxJ33IXvdQ4A2SiN5s6BhTM +BfC4TVvdcjEUQpCNjW4us9XUEQQ6RSZr7CMDdap4rLENfR51GiMHlDDRWkxqfevI +JYHXpGECgYEA7cZwenYQ/IN2SmBEMCCSh45B6E3pkII+yoLac2phQVRWi0yOwLwp +L2BiWn+HnSdO+d44aiR69MpTF4pEeBbs2bOEU1RO5ywU82kbU0Jzru1nfjYpkzqP +VFEeFshZubqO345cUMsnlECQsmsDmMdllRiXsj14Gp3w8IIVxyZQ420CgYEAy1OC +Plwrr57PEhQWwjRhpqpPO9CD265m7/7Ru6TDjdPw98ANxNn01pRk4X2VcFp0ICgV +b/orF9QZMPyntGRs9m2fzKGYkTAYQX1XyChvK3vSSdY1DgK2KRAQXbHl1w5VqGbd +6QTcIpjF3aNE9jdBj7M+VzUI0AF21ceWUbKDAWsCgYEA1xTTldLK1r/L9sdRpv8v +zLLf51Ti27cVOXZYSGKICuJRTrw3vRv3XUWgciA9+egexmM/QLQzDM8fjoGiIccL +BHogTohKv03evbfr4cqQfkF9hmtT/DvSfwDJaO5eS2T37D0IQIUkDjTBLsMig8aK +mu2d+rsjs1//HG9vZ6+/J5kCgYEAxt/JlwFEYaSt2Xr4v7/Ie+I9Wb4cGvW9DaVq +s2T3OXRCT7H0RcUCLBg9jCjv0FNJHmLWhQ5mtAnrEfUue812npqfIOI2flxSfUwC +Xm7ePeQAzePNRQT187gYqexlaTJGKk9jYpY0U0qmzqDxxPpLECk8IsRm+D1WZMex +iftXFD0CgYB9EZErbxigNj3qlLEMNoEYgPCRfrM0/n/1XgXTnReExrX+gLDwqddD +L9VQMPoNJ6cFWdu1tHerJnD0w7C3NqIgUbOFbA0G9HskfivXsRVwlH7/21NVe2w2 +mAtK0sAKmNmOpx6+lrwWA44Pkdf4aoS0B8ehmvcnVYlj2W51oiSY+w== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 69e5c05e3..698e47cc0 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1 -N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw +NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy -dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD -hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9 -HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n -3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz -Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C -AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE -AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF +sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK +oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L +7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib +tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA +IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd +qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA -ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG -il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC -CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU -n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq -8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/ -pwU12A3BovJKUaR0B7Uy2A== +TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i +9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI +jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX +sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K +yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3 +mk0VsDm1jdOf3PK1Xd2PJw== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem index 53e18680b..3a5d7c487 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq -azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP -nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk -b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4 -H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm -GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9 -N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r -er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC -kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV -BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+ -Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN -DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp -waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt -1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw -RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm -CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM -eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl -FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO -auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx -rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8 -iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx -qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv -/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA -hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2 -5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw= +MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO +7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm +x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1 +awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz +5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz +9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6 +zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp +9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa +ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8 +JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup +F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT +0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y +bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ +oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH +Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ +aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H +3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF +mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz +6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0 +oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol +1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye +8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy +HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od +pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY +zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem index 91df37a81..4718e7a16 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MIIEHDCCAwSgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL +BAMTCFNhbGVzIENBMB4XDTE1MDQyNjEwMjIyMFoXDTE5MDQwMzEwMjIyMFowVjEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi -0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6 -J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz -VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH -K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/ -5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8 -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV -MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPk +UE6ijIn++yyhaZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER +0/APr9KmXfnmFddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN +5GGh1u34R/9JDCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8 +XOynqCNW9Ii0Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecA +V2HsNtCGecj/OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSBwMHfoTTG9g4LmkL/ +kBl3thRfxzBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v -cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq -OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5 -xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb -E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e -q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+ -JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+ +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC5VfuhrOErCX6nlfnzgXIB +HheWTfcuobNz1cRatdIGRZVBLIktkQjABsX62t0wcCJ4gUMgT0DxgR/bZQDv9tp5 +q6bo5XJM+bFkuf0NiPme+w9Or+VYcuyiljHnHF3rihK2ZFOBXl2kY667tiGFML3B +jhaYQVHA0ZsSfe3Auxccku0U25dJNLq1+ATjeDuye8/NJqS95YBcMZzWiwG/VgMF +mCeiygAobWmIk2LOijFFpNN2ySCiLimueQp/DO3kBdWlhael3Ee9lkA5bqoFchpb +HH8eQKyOLhRnB2Lk/RhC3mGIFjW127sJdjdWkroyULepnULLyQQA6jy+tEu4XZ2C -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem index 86740e86a..ebba49cae 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv -MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII -s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn -J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF -VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf -anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk -lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn -PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph -6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah -sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m -RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX -lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw -CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/ -l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ -if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v -yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH -dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx -h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct -Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh -w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK -LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl -7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u -5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6 -4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA -fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0= +MIIEpAIBAAKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPkUE6ijIn++yyh +aZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER0/APr9KmXfnm +FddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN5GGh1u34R/9J +DCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8XOynqCNW9Ii0 +Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecAV2HsNtCGecj/ +OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABAoIBAAeecxXVqaaMSIlF +qASCFtSdzDShJvE6sEHSNN/YjE5HMvZHMqvj2+1BlvepD0QXxkpIFTCqWnXob3iU +dOyqRRZJYTZXU9lt2Z3a7XEzei6JvRSFhHbVHgHSK4ijeV/2gKfbVXfa+6cx2qGQ +DV3kEdr3zhEqYzrg7hYSEuFn3vOgzFu7PgZYU9b4XQ/nlVaXIH+0Mqrjx9WscLFR ++9Z9WPHx9lzL52ggAoCSHla/NWTe9RZXYX8Px8Ho5rxJ33IXvdQ4A2SiN5s6BhTM +BfC4TVvdcjEUQpCNjW4us9XUEQQ6RSZr7CMDdap4rLENfR51GiMHlDDRWkxqfevI +JYHXpGECgYEA7cZwenYQ/IN2SmBEMCCSh45B6E3pkII+yoLac2phQVRWi0yOwLwp +L2BiWn+HnSdO+d44aiR69MpTF4pEeBbs2bOEU1RO5ywU82kbU0Jzru1nfjYpkzqP +VFEeFshZubqO345cUMsnlECQsmsDmMdllRiXsj14Gp3w8IIVxyZQ420CgYEAy1OC +Plwrr57PEhQWwjRhpqpPO9CD265m7/7Ru6TDjdPw98ANxNn01pRk4X2VcFp0ICgV +b/orF9QZMPyntGRs9m2fzKGYkTAYQX1XyChvK3vSSdY1DgK2KRAQXbHl1w5VqGbd +6QTcIpjF3aNE9jdBj7M+VzUI0AF21ceWUbKDAWsCgYEA1xTTldLK1r/L9sdRpv8v +zLLf51Ti27cVOXZYSGKICuJRTrw3vRv3XUWgciA9+egexmM/QLQzDM8fjoGiIccL +BHogTohKv03evbfr4cqQfkF9hmtT/DvSfwDJaO5eS2T37D0IQIUkDjTBLsMig8aK +mu2d+rsjs1//HG9vZ6+/J5kCgYEAxt/JlwFEYaSt2Xr4v7/Ie+I9Wb4cGvW9DaVq +s2T3OXRCT7H0RcUCLBg9jCjv0FNJHmLWhQ5mtAnrEfUue812npqfIOI2flxSfUwC +Xm7ePeQAzePNRQT187gYqexlaTJGKk9jYpY0U0qmzqDxxPpLECk8IsRm+D1WZMex +iftXFD0CgYB9EZErbxigNj3qlLEMNoEYgPCRfrM0/n/1XgXTnReExrX+gLDwqddD +L9VQMPoNJ6cFWdu1tHerJnD0w7C3NqIgUbOFbA0G9HskfivXsRVwlH7/21NVe2w2 +mAtK0sAKmNmOpx6+lrwWA44Pkdf4aoS0B8ehmvcnVYlj2W51oiSY+w== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 69e5c05e3..698e47cc0 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1 -N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw +NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy -dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD -hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9 -HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n -3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz -Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C -AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE -AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF +sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK +oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L +7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib +tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA +IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd +qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA -ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG -il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC -CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU -n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq -8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/ -pwU12A3BovJKUaR0B7Uy2A== +TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i +9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI +jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX +sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K +yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3 +mk0VsDm1jdOf3PK1Xd2PJw== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem index 53e18680b..3a5d7c487 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq -azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP -nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk -b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4 -H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm -GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9 -N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r -er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC -kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV -BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+ -Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN -DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp -waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt -1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw -RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm -CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM -eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl -FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO -auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx -rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8 -iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx -qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv -/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA -hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2 -5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw= +MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO +7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm +x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1 +awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz +5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz +9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6 +zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp +9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa +ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8 +JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup +F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT +0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y +bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ +oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH +Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ +aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H +3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF +mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz +6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0 +oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol +1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye +8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy +HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od +pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY +zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 69e5c05e3..698e47cc0 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1 -N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw +NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy -dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD -hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9 -HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n -3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz -Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C -AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE -AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF +sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK +oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L +7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib +tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA +IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd +qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA -ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG -il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC -CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU -n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq -8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/ -pwU12A3BovJKUaR0B7Uy2A== +TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i +9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI +jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX +sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K +yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3 +mk0VsDm1jdOf3PK1Xd2PJw== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem index 53e18680b..3a5d7c487 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq -azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP -nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk -b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4 -H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm -GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9 -N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r -er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC -kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV -BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+ -Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN -DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp -waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt -1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw -RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm -CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM -eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl -FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO -auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx -rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8 -iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx -qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv -/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA -hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2 -5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw= +MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO +7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm +x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1 +awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz +5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz +9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6 +zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp +9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa +ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8 +JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup +F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT +0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y +bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ +oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH +Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ +aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H +3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF +mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz +6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0 +oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol +1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye +8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy +HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od +pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY +zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 69e5c05e3..698e47cc0 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1 -N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw +NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy -dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD -hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9 -HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n -3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz -Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C -AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE -AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF +sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK +oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L +7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib +tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA +IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd +qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA -ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG -il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC -CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU -n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq -8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/ -pwU12A3BovJKUaR0B7Uy2A== +TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i +9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI +jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX +sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K +yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3 +mk0VsDm1jdOf3PK1Xd2PJw== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem index 53e18680b..3a5d7c487 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq -azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP -nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk -b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4 -H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm -GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9 -N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r -er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC -kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV -BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+ -Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN -DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp -waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt -1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw -RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm -CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM -eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl -FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO -auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx -rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8 -iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx -qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv -/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA -hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2 -5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw= +MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO +7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm +x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1 +awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz +5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz +9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6 +zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp +9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa +ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8 +JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup +F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT +0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y +bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ +oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH +Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ +aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H +3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF +mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz +6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0 +oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol +1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye +8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy +HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od +pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY +zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem index 91df37a81..4718e7a16 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MIIEHDCCAwSgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL +BAMTCFNhbGVzIENBMB4XDTE1MDQyNjEwMjIyMFoXDTE5MDQwMzEwMjIyMFowVjEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi -0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6 -J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz -VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH -K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/ -5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8 -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV -MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPk +UE6ijIn++yyhaZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER +0/APr9KmXfnmFddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN +5GGh1u34R/9JDCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8 +XOynqCNW9Ii0Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecA +V2HsNtCGecj/OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSBwMHfoTTG9g4LmkL/ +kBl3thRfxzBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v -cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq -OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5 -xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb -E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e -q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+ -JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+ +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC5VfuhrOErCX6nlfnzgXIB +HheWTfcuobNz1cRatdIGRZVBLIktkQjABsX62t0wcCJ4gUMgT0DxgR/bZQDv9tp5 +q6bo5XJM+bFkuf0NiPme+w9Or+VYcuyiljHnHF3rihK2ZFOBXl2kY667tiGFML3B +jhaYQVHA0ZsSfe3Auxccku0U25dJNLq1+ATjeDuye8/NJqS95YBcMZzWiwG/VgMF +mCeiygAobWmIk2LOijFFpNN2ySCiLimueQp/DO3kBdWlhael3Ee9lkA5bqoFchpb +HH8eQKyOLhRnB2Lk/RhC3mGIFjW127sJdjdWkroyULepnULLyQQA6jy+tEu4XZ2C -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem index 86740e86a..ebba49cae 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv -MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII -s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn -J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF -VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf -anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk -lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn -PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph -6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah -sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m -RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX -lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw -CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/ -l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ -if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v -yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH -dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx -h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct -Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh -w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK -LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl -7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u -5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6 -4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA -fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0= +MIIEpAIBAAKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPkUE6ijIn++yyh +aZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER0/APr9KmXfnm +FddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN5GGh1u34R/9J +DCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8XOynqCNW9Ii0 +Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecAV2HsNtCGecj/ +OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABAoIBAAeecxXVqaaMSIlF +qASCFtSdzDShJvE6sEHSNN/YjE5HMvZHMqvj2+1BlvepD0QXxkpIFTCqWnXob3iU +dOyqRRZJYTZXU9lt2Z3a7XEzei6JvRSFhHbVHgHSK4ijeV/2gKfbVXfa+6cx2qGQ +DV3kEdr3zhEqYzrg7hYSEuFn3vOgzFu7PgZYU9b4XQ/nlVaXIH+0Mqrjx9WscLFR ++9Z9WPHx9lzL52ggAoCSHla/NWTe9RZXYX8Px8Ho5rxJ33IXvdQ4A2SiN5s6BhTM +BfC4TVvdcjEUQpCNjW4us9XUEQQ6RSZr7CMDdap4rLENfR51GiMHlDDRWkxqfevI +JYHXpGECgYEA7cZwenYQ/IN2SmBEMCCSh45B6E3pkII+yoLac2phQVRWi0yOwLwp +L2BiWn+HnSdO+d44aiR69MpTF4pEeBbs2bOEU1RO5ywU82kbU0Jzru1nfjYpkzqP +VFEeFshZubqO345cUMsnlECQsmsDmMdllRiXsj14Gp3w8IIVxyZQ420CgYEAy1OC +Plwrr57PEhQWwjRhpqpPO9CD265m7/7Ru6TDjdPw98ANxNn01pRk4X2VcFp0ICgV +b/orF9QZMPyntGRs9m2fzKGYkTAYQX1XyChvK3vSSdY1DgK2KRAQXbHl1w5VqGbd +6QTcIpjF3aNE9jdBj7M+VzUI0AF21ceWUbKDAWsCgYEA1xTTldLK1r/L9sdRpv8v +zLLf51Ti27cVOXZYSGKICuJRTrw3vRv3XUWgciA9+egexmM/QLQzDM8fjoGiIccL +BHogTohKv03evbfr4cqQfkF9hmtT/DvSfwDJaO5eS2T37D0IQIUkDjTBLsMig8aK +mu2d+rsjs1//HG9vZ6+/J5kCgYEAxt/JlwFEYaSt2Xr4v7/Ie+I9Wb4cGvW9DaVq +s2T3OXRCT7H0RcUCLBg9jCjv0FNJHmLWhQ5mtAnrEfUue812npqfIOI2flxSfUwC +Xm7ePeQAzePNRQT187gYqexlaTJGKk9jYpY0U0qmzqDxxPpLECk8IsRm+D1WZMex +iftXFD0CgYB9EZErbxigNj3qlLEMNoEYgPCRfrM0/n/1XgXTnReExrX+gLDwqddD +L9VQMPoNJ6cFWdu1tHerJnD0w7C3NqIgUbOFbA0G9HskfivXsRVwlH7/21NVe2w2 +mAtK0sAKmNmOpx6+lrwWA44Pkdf4aoS0B8ehmvcnVYlj2W51oiSY+w== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 69e5c05e3..698e47cc0 100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1 -N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw +NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy -dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD -hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9 -HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n -3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz -Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C -AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE -AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF +sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK +oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L +7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib +tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA +IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd +qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA -ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG -il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC -CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU -n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq -8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/ -pwU12A3BovJKUaR0B7Uy2A== +TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i +9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI +jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX +sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K +yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3 +mk0VsDm1jdOf3PK1Xd2PJw== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem index 53e18680b..3a5d7c487 100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq -azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP -nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk -b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4 -H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm -GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9 -N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r -er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC -kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV -BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+ -Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN -DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp -waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt -1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw -RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm -CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM -eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl -FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO -auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx -rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8 -iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx -qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv -/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA -hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2 -5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw= +MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO +7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm +x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1 +awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz +5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz +9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6 +zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp +9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa +ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8 +JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup +F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT +0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y +bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ +oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH +Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ +aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H +3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF +mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz +6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0 +oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol +1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye +8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy +HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od +pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY +zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem index 91df37a81..4718e7a16 100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MIIEHDCCAwSgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL +BAMTCFNhbGVzIENBMB4XDTE1MDQyNjEwMjIyMFoXDTE5MDQwMzEwMjIyMFowVjEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi -0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6 -J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz -VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH -K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/ -5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8 -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV -MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPk +UE6ijIn++yyhaZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER +0/APr9KmXfnmFddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN +5GGh1u34R/9JDCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8 +XOynqCNW9Ii0Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecA +V2HsNtCGecj/OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSBwMHfoTTG9g4LmkL/ +kBl3thRfxzBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v -cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq -OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5 -xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb -E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e -q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+ -JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+ +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC5VfuhrOErCX6nlfnzgXIB +HheWTfcuobNz1cRatdIGRZVBLIktkQjABsX62t0wcCJ4gUMgT0DxgR/bZQDv9tp5 +q6bo5XJM+bFkuf0NiPme+w9Or+VYcuyiljHnHF3rihK2ZFOBXl2kY667tiGFML3B +jhaYQVHA0ZsSfe3Auxccku0U25dJNLq1+ATjeDuye8/NJqS95YBcMZzWiwG/VgMF +mCeiygAobWmIk2LOijFFpNN2ySCiLimueQp/DO3kBdWlhael3Ee9lkA5bqoFchpb +HH8eQKyOLhRnB2Lk/RhC3mGIFjW127sJdjdWkroyULepnULLyQQA6jy+tEu4XZ2C -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem index 86740e86a..ebba49cae 100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv -MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII -s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn -J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF -VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf -anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk -lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn -PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph -6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah -sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m -RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX -lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw -CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/ -l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ -if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v -yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH -dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx -h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct -Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh -w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK -LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl -7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u -5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6 -4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA -fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0= +MIIEpAIBAAKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPkUE6ijIn++yyh +aZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER0/APr9KmXfnm +FddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN5GGh1u34R/9J +DCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8XOynqCNW9Ii0 +Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecAV2HsNtCGecj/ +OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABAoIBAAeecxXVqaaMSIlF +qASCFtSdzDShJvE6sEHSNN/YjE5HMvZHMqvj2+1BlvepD0QXxkpIFTCqWnXob3iU +dOyqRRZJYTZXU9lt2Z3a7XEzei6JvRSFhHbVHgHSK4ijeV/2gKfbVXfa+6cx2qGQ +DV3kEdr3zhEqYzrg7hYSEuFn3vOgzFu7PgZYU9b4XQ/nlVaXIH+0Mqrjx9WscLFR ++9Z9WPHx9lzL52ggAoCSHla/NWTe9RZXYX8Px8Ho5rxJ33IXvdQ4A2SiN5s6BhTM +BfC4TVvdcjEUQpCNjW4us9XUEQQ6RSZr7CMDdap4rLENfR51GiMHlDDRWkxqfevI +JYHXpGECgYEA7cZwenYQ/IN2SmBEMCCSh45B6E3pkII+yoLac2phQVRWi0yOwLwp +L2BiWn+HnSdO+d44aiR69MpTF4pEeBbs2bOEU1RO5ywU82kbU0Jzru1nfjYpkzqP +VFEeFshZubqO345cUMsnlECQsmsDmMdllRiXsj14Gp3w8IIVxyZQ420CgYEAy1OC +Plwrr57PEhQWwjRhpqpPO9CD265m7/7Ru6TDjdPw98ANxNn01pRk4X2VcFp0ICgV +b/orF9QZMPyntGRs9m2fzKGYkTAYQX1XyChvK3vSSdY1DgK2KRAQXbHl1w5VqGbd +6QTcIpjF3aNE9jdBj7M+VzUI0AF21ceWUbKDAWsCgYEA1xTTldLK1r/L9sdRpv8v +zLLf51Ti27cVOXZYSGKICuJRTrw3vRv3XUWgciA9+egexmM/QLQzDM8fjoGiIccL +BHogTohKv03evbfr4cqQfkF9hmtT/DvSfwDJaO5eS2T37D0IQIUkDjTBLsMig8aK +mu2d+rsjs1//HG9vZ6+/J5kCgYEAxt/JlwFEYaSt2Xr4v7/Ie+I9Wb4cGvW9DaVq +s2T3OXRCT7H0RcUCLBg9jCjv0FNJHmLWhQ5mtAnrEfUue812npqfIOI2flxSfUwC +Xm7ePeQAzePNRQT187gYqexlaTJGKk9jYpY0U0qmzqDxxPpLECk8IsRm+D1WZMex +iftXFD0CgYB9EZErbxigNj3qlLEMNoEYgPCRfrM0/n/1XgXTnReExrX+gLDwqddD +L9VQMPoNJ6cFWdu1tHerJnD0w7C3NqIgUbOFbA0G9HskfivXsRVwlH7/21NVe2w2 +mAtK0sAKmNmOpx6+lrwWA44Pkdf4aoS0B8ehmvcnVYlj2W51oiSY+w== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 69e5c05e3..698e47cc0 100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIIELDCCAxSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1 -N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDQyNjEwMjUwNFoXDTE5MDQwMzEwMjUw +NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy -dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD -hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9 -HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n -3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz -Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C -AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE -AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKupuHqUUqSufsEtjSTZEkTF +sTGWXQkwZoLbAPNlZ4PV0Dx1ju3xRvVtjQHN3Tsx6IsB1JO3k/dMExwttbeBA8HK +oKYw+CFG8+6XWUU+tBT5xlwa5sdVUHIo8On1x7Rb3s+RDhJ2/YvCf/H13aOtqG+L +7Xyt7OwRQZNx4Gx60sgU2Zhr9WsMslWJQeS92va6UiGYN4c6qRNyrS9zTZEJ0yib +tflhd07LLcgz+jHqCdUcPK4g8+TH8HCtek0n2QRu3IfbEM+i6EaZjUJq1kp6k9HA +IgKR48r9HVk3zBsWJBo6sxUn8/avFM54vdwD8NAClNn9xobEXsO3jwGljc5mb40C +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRd +qfnvgHGNOog5OOLebmYkmJ/faTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA -ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG -il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC -CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU -n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq -8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/ -pwU12A3BovJKUaR0B7Uy2A== +TgUJbXL83e11Fzo+XGMQ24FfxdUvlex9IcnnNZnjsy4cYaUhofdI1AIkOhdh7R4i +9dtdfbFLLQR3qc2jmL9ubdQP83FiZZQOXX55XV5/Gb4E4g2T2ZU8ahby+ZzQsEcI +jGeot7fRfbxUrcjnIKxZd7JsQSaR45rMrNcUOQpFT212urojUngrEoAeaC5USEiX +sF11P654UejR8DCczwLi4QBvjRTH3bcMC57FjsWt1n/KCB08dS0ojD+T+6lN7/1K +yLreeRNynXzc1GAln5G03Ivwm9STFT1mYjkBMOCY+3ihEOpzlR9pWCWl9p728db3 +mk0VsDm1jdOf3PK1Xd2PJw== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/private/carolKey.pem index 53e18680b..3a5d7c487 100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq -azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP -nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk -b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4 -H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm -GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9 -N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r -er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC -kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV -BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+ -Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN -DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp -waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt -1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw -RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm -CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM -eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl -FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO -auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx -rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8 -iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx -qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv -/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA -hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2 -5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw= +MIIEpAIBAAKCAQEAq6m4epRSpK5+wS2NJNkSRMWxMZZdCTBmgtsA82Vng9XQPHWO +7fFG9W2NAc3dOzHoiwHUk7eT90wTHC21t4EDwcqgpjD4IUbz7pdZRT60FPnGXBrm +x1VQcijw6fXHtFvez5EOEnb9i8J/8fXdo62ob4vtfK3s7BFBk3HgbHrSyBTZmGv1 +awyyVYlB5L3a9rpSIZg3hzqpE3KtL3NNkQnTKJu1+WF3TsstyDP6MeoJ1Rw8riDz +5MfwcK16TSfZBG7ch9sQz6LoRpmNQmrWSnqT0cAiApHjyv0dWTfMGxYkGjqzFSfz +9q8Uzni93APw0AKU2f3GhsRew7ePAaWNzmZvjQIDAQABAoIBAEJqa+GhOUhV6ty6 +zv0Ory7EfgX9cwl3HHJMYVXKSf6L3wFFSoNs8lNKi1/DUnDwolQF5UUxpaHsYQhp +9wCEffugdf9WuunFFeOd0wAjfnEPIlvIXLmKnJFOnccnPJjfYplUOemS+A32tqHa +ymHlcmGV9dBjSmMbWg+942KVMrAOHtCnAk0yT2WlE+9efLTuXoZIQCx+Ico6Lwp8 +JCmZYW2pfUk9co9di6UCl50C+A5RcvpsE7CZcXCzEAqz06eFz4imgQuzQSLaedup +F77cyPd13nD2N7+YGfWrWKbdqGMuQnmfrOQWZf94rlOsQjyCzbHIeItJsXT+DBKT +0SwEIQECgYEA1mcoUiCYOcQcA+FtSO8byzSu0uQZO1cS/VES5mbtRIuLo33L0P0y +bVnBIfk3iaBq70GU98XjhCGUwNwQDQm+zbLK+p+j+4L2ayvjtOV5ql0b2gk6eyRZ +oX14evsmxC2OFqGmGD+VePN4pP+Q39QMCFvf26BMtKHyXQnkwA61G30CgYEAzPfH +Lp3iT9xLqpp9zP9j2m9Ts6m6/Uzzuazpzl7rYMlLkd6fBWBquQ46qbO5Wv+SO7yZ +aWU7OuWGe6zng1VWSrLBZlRMfu+ze1uEETNdedRI858nv1bMlHmt9+RiZgOgZe7H +3D4dLphrQrJC8tlsaP0GWYRZkf64n+37KZX2QVECgYEAyKcmbyYeEQHeDius8XMF +mfmmG6xpiMWG+hgkDgkJyPqoJswWMXKk/P3g6ACq31yId33zAqfqs8ARzSSmyOzz +6uKHYGKDP2FjaQ1cP/H7GVumMzorxw9P6vjYBpCByVuw/LEwFsV7CAUkRZcAaNm0 +oSYKrSqqXuqpPjWCJdQd3qkCgYAdIf6ylohLN5GdrxXAZHBp5Lbt62sDg8OEmZol +1gH4oMPX+N97YSfqI6ac5kmrMHY1fWoEu/m+Nk92Fq5VUXTRazTn+YVh6WoGV4ye +8UERBuZTkkSRAqJTXDQo7tI5k7xhoJ3RpRZ6v/lG4pV3dQXeqlATuycMBDtzp9yy +HXmB8QKBgQCut7SsOJ0DtgpzjatYzKBh43WgwjbeRyReyT6OWuPiLUiKQYN8W5od +pZ51zorvFxu6iEMjAzXs0k1zbM4/EaQwwatTEZF0ZQMYMvm46f0ndhN3fY0O0ENY +zZES5DrfCgboPlmrWoVexU3xEDCWO8hO0fLmwqIK8F4EU8ByOVsHcg== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/certs/daveCert.pem index 91df37a81..4718e7a16 100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEHDCCAwSgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MIIEHDCCAwSgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTEwMDQwNzA5NDI0MVoXDTE1MDQwNjA5NDI0MVowVjEL +BAMTCFNhbGVzIENBMB4XDTE1MDQyNjEwMjIyMFoXDTE5MDQwMzEwMjIyMFowVjEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi -0umR7a1jysVvMgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6 -J7T76/4YhpIIs8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLz -VsxxKDkLaivnJ16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMH -K6yPTRaOccvFVrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/ -5/rOIH+16CGfanXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABo4H/MIH8 -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRnEIHshwPhDDGr3xLV -MnUEbroVIjBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPk +UE6ijIn++yyhaZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER +0/APr9KmXfnmFddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN +5GGh1u34R/9JDCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8 +XOynqCNW9Ii0Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecA +V2HsNtCGecj/OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSBwMHfoTTG9g4LmkL/ +kBl3thRfxzBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT EnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v -cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB5H5jjp9LvEDyJp/3x7Caq -OhIBSl5n3g7Oi1gXT5GHLBh9/l5i6Swk1eey2oMzpHgsdDogLytlvzRKXupJAZt5 -xWab5I7BfichRCV4bOutN/F8DiNChG0SnYEBizRi5K06LAadtDT0NLv7iE/I49Nb -E8OdqnET1zHq82mbtVZCEzmRe+cmlB7EeECED+GxTOnYLRWeKg+AWIE4/fLN7s0e -q94lSUtym71LZ9kmMMAHkIyEbblvVIa7k5j4T6j0XwPPcYVMSjogqeze+qbf3EQ+ -JkRlGdzL/17ToLWYnVwkLqQDn6B+RfwnPk2EXndutPrNz6C3Wy7zNNniciAtXAq+ +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC5VfuhrOErCX6nlfnzgXIB +HheWTfcuobNz1cRatdIGRZVBLIktkQjABsX62t0wcCJ4gUMgT0DxgR/bZQDv9tp5 +q6bo5XJM+bFkuf0NiPme+w9Or+VYcuyiljHnHF3rihK2ZFOBXl2kY667tiGFML3B +jhaYQVHA0ZsSfe3Auxccku0U25dJNLq1+ATjeDuye8/NJqS95YBcMZzWiwG/VgMF +mCeiygAobWmIk2LOijFFpNN2ySCiLimueQp/DO3kBdWlhael3Ee9lkA5bqoFchpb +HH8eQKyOLhRnB2Lk/RhC3mGIFjW127sJdjdWkroyULepnULLyQQA6jy+tEu4XZ2C -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/private/daveKey.pem index 86740e86a..ebba49cae 100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAztqGSb3H9Xh6I4xiDkmsN5WRjKnEQfSRZsSi0umR7a1jysVv -MgLKnmk2hAMJkDTjBXndEemnLiXemxNq4Wp3x0ZgpNWC6y1klZY6J7T76/4YhpII -s8HA1+ZiIAEhYCkeqy/ULPk0qa6yK6Ma2FKLEC4wz6OBbjhctqLzVsxxKDkLaivn -J16bX8CCNsCq86Ba64m6K1Mpsev5RKnOz0Ey1WwBhgLmipZRgAMHK6yPTRaOccvF -VrOpi1bfprKXkrCYt6sQoDjbfheZ/tKyW2iJ+WbH0lsA4NbPi1s/5/rOIH+16CGf -anXiZvZ7NbxLyb8ffPIXFxDTqiS8wFreRZR85wIDAQABAoIBAQCZSpoP1cN0Zvbk -lykne3NTsdSuEDUvx4VlSj173bnWEBOO9idEQYtUP5Y12GZi5r6ClV+94ZCSA2Bn -PcmMCTGAjOgb31po3DfZHv4z5Mx4g9I7D8fBJsm5dbKsEwpfz7k5lXVAauGbCaph -6jp/qxQBRqnHhlzpiH00n6eDYHhPHDoFHe+vGbnjWzJKsvs6EZiXpfJ/WKd1eQah -sGF7g+9qV5xqwshCBKf25LZ2XjdvZDt78HS4hsSaStnemetK9NVJGJqmLzehQ16m -RXAr8Ybk9g7/MSFhpwGPGjcqm2/szL4Cs9IMtYSxiroY3QL+DZydG9+K9g5NF7lX -lbEX9HXRAoGBAOduCSLaoEJsgZathny9kSsBtDmTAuiVZukqRdMjDN2I0kOsRsIw -CEF1DIvFsX7nfHkKve8+XyTc05y7LTXmX1AEjMgzFel7uy5HjS7AsJZgTippC8g/ -l2jGq+s59zATNZ2el9Q9dbeK2lBdrVy+jqNITdQge9BigFfhWbkAGFRPAoGBAOTQ -if2+Yrh0zDPO53I6kShehaZvNtPmQxmmhvH4HGMY8EyRajFOSMpV1w3VYDuTA47v -yol+90BWMY8ZslrXq+Bmwx2ocSc2feyUYcJoOoRL/b+b1lY2Vnog3Hs5BQLsULzH -dwkEuK8wjjw1g4ksuIMbX/X9nEvJs0xemzh7Ju/pAoGACNI24u82YJHGNroSgDqx -h9QezHsAB2F6dLS5yJxzZxZJ/W5ZnBk8l1Ig0ksMwuuL4Qk5yB62fa81GapAxOct -Bt3Fh/P6h9XBgrgTd468rF6rXA549n8GBGZeMy8Ybuqshn9/BgX5sK9INvv7Gafh -w/ODk+xRC9ZVUgQy6UxJoR0CgYEAybmYjl40xo4iIWK95ZUAuGhsx8iwu6v7aDfK -LLUiwbMQ11A0IPf1cHyxNf7x8lOwBWoeU43eCZhz5Mcw2KnfW9z9E76W041VAyfl -7/DX9h7QvQZ0tlj9cHpcJz6jzmns3CG2Lfs9nyXdn/NF3b/Rg7S0qzhFfQN70U5u -5iKct1ECgYEAmR/0IbYGh1YJ7Z9im44MTSz6H7bTnmIDjM3/+IVydSVgFbzcoVG6 -4sQ5fIViMLtz9PHDRRKbs8TBzpy7C/wC1qRqpq9I17INSQzvm3DpZ2PlR0SeN2dA -fO9XtkE73cEff/gI7JWOouy/vczizfRemnWlNK5Ui29Fe0QlGC9TyX0= +MIIEpAIBAAKCAQEAvNnrgEQdETpkdY/PaSj9KeNrg8+MCwCH/SPkUE6ijIn++yyh +aZaji5JrA3z9ya+si0R/4PjxsgwjuqrxARV4gG63jKOmOLWMK9ER0/APr9KmXfnm +FddqZwltGdo9hmDiBQimEdvvK4XK4nA2BY+pJ0b5go+5P4gIbHUN5GGh1u34R/9J +DCvX1HHnIYmKv4ERD5TbODnKDjR7KT3q8Qy+DEndji+2Y1NWLot8XOynqCNW9Ii0 +Zs7850wzV1gz1kkm4Qdte0ndlUQu+gSbS7uM+AVPEgd0ZGY23ecAV2HsNtCGecj/ +OnsQ4z8+gSIKJfwEqeumVsSbZimllo5mf3l7jwIDAQABAoIBAAeecxXVqaaMSIlF +qASCFtSdzDShJvE6sEHSNN/YjE5HMvZHMqvj2+1BlvepD0QXxkpIFTCqWnXob3iU +dOyqRRZJYTZXU9lt2Z3a7XEzei6JvRSFhHbVHgHSK4ijeV/2gKfbVXfa+6cx2qGQ +DV3kEdr3zhEqYzrg7hYSEuFn3vOgzFu7PgZYU9b4XQ/nlVaXIH+0Mqrjx9WscLFR ++9Z9WPHx9lzL52ggAoCSHla/NWTe9RZXYX8Px8Ho5rxJ33IXvdQ4A2SiN5s6BhTM +BfC4TVvdcjEUQpCNjW4us9XUEQQ6RSZr7CMDdap4rLENfR51GiMHlDDRWkxqfevI +JYHXpGECgYEA7cZwenYQ/IN2SmBEMCCSh45B6E3pkII+yoLac2phQVRWi0yOwLwp +L2BiWn+HnSdO+d44aiR69MpTF4pEeBbs2bOEU1RO5ywU82kbU0Jzru1nfjYpkzqP +VFEeFshZubqO345cUMsnlECQsmsDmMdllRiXsj14Gp3w8IIVxyZQ420CgYEAy1OC +Plwrr57PEhQWwjRhpqpPO9CD265m7/7Ru6TDjdPw98ANxNn01pRk4X2VcFp0ICgV +b/orF9QZMPyntGRs9m2fzKGYkTAYQX1XyChvK3vSSdY1DgK2KRAQXbHl1w5VqGbd +6QTcIpjF3aNE9jdBj7M+VzUI0AF21ceWUbKDAWsCgYEA1xTTldLK1r/L9sdRpv8v +zLLf51Ti27cVOXZYSGKICuJRTrw3vRv3XUWgciA9+egexmM/QLQzDM8fjoGiIccL +BHogTohKv03evbfr4cqQfkF9hmtT/DvSfwDJaO5eS2T37D0IQIUkDjTBLsMig8aK +mu2d+rsjs1//HG9vZ6+/J5kCgYEAxt/JlwFEYaSt2Xr4v7/Ie+I9Wb4cGvW9DaVq +s2T3OXRCT7H0RcUCLBg9jCjv0FNJHmLWhQ5mtAnrEfUue812npqfIOI2flxSfUwC +Xm7ePeQAzePNRQT187gYqexlaTJGKk9jYpY0U0qmzqDxxPpLECk8IsRm+D1WZMex +iftXFD0CgYB9EZErbxigNj3qlLEMNoEYgPCRfrM0/n/1XgXTnReExrX+gLDwqddD +L9VQMPoNJ6cFWdu1tHerJnD0w7C3NqIgUbOFbA0G9HskfivXsRVwlH7/21NVe2w2 +mAtK0sAKmNmOpx6+lrwWA44Pkdf4aoS0B8ehmvcnVYlj2W51oiSY+w== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat index 8bbea1412..c582e030d 100644 --- a/testing/tests/ikev2/rw-cert/pretest.dat +++ b/testing/tests/ikev2/rw-cert/pretest.dat @@ -4,6 +4,6 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::sleep 3 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat index 8bbea1412..c582e030d 100644 --- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat +++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat @@ -4,6 +4,6 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::sleep 3 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat index fc7173430..b9393944a 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat @@ -4,6 +4,6 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::sleep 3 dave::ipsec up peer carol::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat index fc7173430..b9393944a 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat @@ -4,6 +4,6 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::sleep 3 dave::ipsec up peer carol::ipsec up home diff --git a/testing/tests/pfkey/rw-cert/pretest.dat b/testing/tests/pfkey/rw-cert/pretest.dat index 8bbea1412..c582e030d 100644 --- a/testing/tests/pfkey/rw-cert/pretest.dat +++ b/testing/tests/pfkey/rw-cert/pretest.dat @@ -4,6 +4,6 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::sleep 3 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql index 335abe25f..bd2f3b8ed 100644 --- a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql @@ -43,7 +43,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data ) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' */ - 11, X'c400ef96d95d5ebb4b2309071f7a6cf3f65491bd' + 11, X'5da9f9ef80718d3a883938e2de6e6624989fdf69' ); INSERT INTO identities ( @@ -69,8 +69,7 @@ INSERT INTO certificates ( INSERT INTO certificates ( type, keytype, data ) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org */ - 1, 1, X'3082042c30820314a003020102020106300d06092a864886f70d01010b05003051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b5265736561726368204341301e170d3130303430373039323035375a170d3135303430363039323035375a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e8a8f6d28e9044a366e993843bedd5a17274f0cf34084dac8a27f1a0af64cc454015ec6a6b352ce2f8ed429011e389703510d6cf743f4e6f0305fe4f0380da70438605417bc73e46c0517c4466c5cb332bb7608f9cab8f06c916b5093de9b4e0a10f9eb47b2e94f9b3bfb3d67fa9658afd1f2253bd825dddcf7af1fae8c105bdf26804246f71b362df6aa4d5dd1112d41f6f21e4065a1eb80d2ac5e97cbf1d8fa7dcc792306677509a174ba619231bc635dee1781ff6c71bf756fd133721a29263fc67989b80de639fb990914f5233d43341bd996359b70e7f7771b279c37017782961261a337ba52f855b387bf012b896fa6fd34b30be1e07404c0990fae98f0203010001a38201043082010030090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414c400ef96d95d5ebb4b2309071f7a6cf3f65491bd306d0603551d23046630648014e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420a149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820120301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730370603551d1f0430302e302ca02aa0288626687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f72657365617263682e63726c300d06092a864886f70d01010b050003820101006a380523c2b3eb5d62d0886ef3e3350b65b59056cbe04a18ca89f7b6b8d167722acfa92c7fd2922824ba162ca5ab80c68a5d26b4cb653fe1ca717cd181263de8ce023bbdf0dba962c2666c14135a64a23fe6f2913cf2f253dada1ac85fa417820b2c19e2f71bf8456220fb2dcce6222b9cbfd6d486b0c11d9e55f6259b0900a85b2d14e60b4d8edcc6c6181410ab57949f5c6447ca67753593266159eb57d9954312c0b80b17dfd572101aedc21d100d38e0e0ad4dd69b898a322c59aa0eeb6af0662f58eccb7f6a8e29c471907c4f7de243ad638b78f1189da324481914280508908f8b6896d61770124c6807aa1dbfa70535d80dc1a2f24a51a47407b532d8' -); + 1, 1, X'3082042c30820314a00302010202010b300d06092a864886f70d01010b05003051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b5265736561726368204341301e170d3135303432363130323530345a170d3139303430333130323530345a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100aba9b87a9452a4ae7ec12d8d24d91244c5b131965d09306682db00f3656783d5d03c758eedf146f56d8d01cddd3b31e88b01d493b793f74c131c2db5b78103c1caa0a630f82146f3ee9759453eb414f9c65c1ae6c755507228f0e9f5c7b45bdecf910e1276fd8bc27ff1f5dda3ada86f8bed7cadecec11419371e06c7ad2c814d9986bf56b0cb2558941e4bddaf6ba52219837873aa91372ad2f734d9109d3289bb5f961774ecb2dc833fa31ea09d51c3cae20f3e4c7f070ad7a4d27d9046edc87db10cfa2e846998d426ad64a7a93d1c0220291e3cafd1d5937cc1b16241a3ab31527f3f6af14ce78bddc03f0d00294d9fdc686c45ec3b78f01a58dce666f8d0203010001a38201043082010030090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145da9f9ef80718d3a883938e2de6e6624989fdf69306d0603551d23046630648014e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420a149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820120301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730370603551d1f0430302e302ca02aa0288626687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f72657365617263682e63726c300d06092a864886f70d01010b050003820101004e05096d72fcdded75173a3e5c6310db815fc5d52f95ec7d21c9e73599e3b32e1c61a521a1f748d402243a1761ed1e22f5db5d7db14b2d0477a9cda398bf6e6dd40ff3716265940e5d7e795d5e7f19be04e20d93d9953c6a16f2f99cd0b047088c67a8b7b7d17dbc54adc8e720ac5977b26c412691e39accacd714390a454f6d76baba2352782b12801e682e54484897b05d753fae7851e8d1f0309ccf02e2e1006f8d14c7ddb70c0b9ec58ec5add67fca081d3c752d288c3f93fba94deffd4ac8bade7913729d7cdcd460259f91b4dc8bf09bd493153d6662390130e098fb78a110ea73951f695825a5f69ef6f1d6f79a4d15b039b58dd39fdcf2b55ddd8f27'); INSERT INTO certificate_identity ( certificate, identity @@ -125,7 +124,7 @@ INSERT INTO certificate_identity ( INSERT INTO private_keys ( type, data ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' */ - 1, X'308204a50201000282010100e8a8f6d28e9044a366e993843bedd5a17274f0cf34084dac8a27f1a0af64cc454015ec6a6b352ce2f8ed429011e389703510d6cf743f4e6f0305fe4f0380da70438605417bc73e46c0517c4466c5cb332bb7608f9cab8f06c916b5093de9b4e0a10f9eb47b2e94f9b3bfb3d67fa9658afd1f2253bd825dddcf7af1fae8c105bdf26804246f71b362df6aa4d5dd1112d41f6f21e4065a1eb80d2ac5e97cbf1d8fa7dcc792306677509a174ba619231bc635dee1781ff6c71bf756fd133721a29263fc67989b80de639fb990914f5233d43341bd996359b70e7f7771b279c37017782961261a337ba52f855b387bf012b896fa6fd34b30be1e07404c0990fae98f0203010001028201010086869c20e739d7d63b7d3744b07a369a215a289b4654bec4d325817b0daf54c57de6af4a612ee00365379ad33ee4b7e55f699b2b5ce5f5ee0e6b7abe29226a2b9b7f74ae86699042cc94d12ba3d91e433a35cfe97a0760ade5bbf175a48ceb7f2ee19f3c7035610278c291b3a721458b760c7886beff10535ed291f4287ce359f4b860c5176456044775be950ebc8f753f885742b0c74006b2d50672a8cc050e5931de65cfbc09ad0c1560a1ae3f5bd830acd8cd004a0031e6cf42368d5d21bab02666fb38b9709b71be5f1d09ccdede38e65d88548f73236847013aacabebb361ad43d2ea59d92f544b858f222497dedc9e83a44488f96c0bcd0df8df8e678102818100ff6b7443e3a6b55b11e012f9a70b73fea85a51aaa36de73b7d48b945874f5d32c5fd04e45229c1a2c9721a93fa30f9b587a17d9d7e395b5889658a0492179d52be6b8adcfc6211597fc144732d59e7a7bfbc11ef6a6dd46471a7bc9366d8f501e261b977121e99ed028d241ba8070bff85bdbacd832b92627f6c8886be0b946102818100e930460397ee15d8cce4804db29972734574f10261a0438d757f45c83deba360e147315a5def25161fdc0e797a199cd89766092aade82aec47f4712ab963b027bb803fc618492d57b7e49e75c2e417f1de1517438ac04cbc7cc7095a7bec1cf8034c79a6351c1d0a3861861f6913e25e141428609dfa5937ebe97a5fdc1643ef0281810093ea65955f43cee8e38c3150f4a5145298aa5d7b055403421746c34c7994c37340e74b2af24e0e3e388ce4c9676d6f5eea21e27e0f7825e73b025b90540e6ae45d342861dba2eb4b3a49f15b061b77a554cb1453e2fda1af5d867715a1cce8ee636c969c5718f3a926fe17b81071ac4818ea8c40b1c2ccee4fbec9bdc6572c6102818100c2ba953d1afaaf33c4a66c9e75aebe6c946bfb77499f53ca257c8b0194f3da13650cd6a1e81f7490ed3a0ebc52c260c05e6dcee9dd202bf7f47ea4a250fe76743797f9a9ab4e309737f1aa821ca5ed790544079157a50e6fb8a35da43a280a68f21842de112bd0f45ff0d0d81a1f88c19772dde51107a6c9942ffd095ff917f102818004145ff4373203f45d993b33a9e6df3cf366c7b88768d6eb6775dbbf2bf73f92e4cd79452d3bc0843cff52a9d533b0707b53867896245df9a28d18e927e53c76d79bd98cd9ded9e5ccac227f3fb4e75fcb7236af5fd5f6e4fb8407663ae55d0e58898815594b9e9dcc4721386c89af7819625ab4d141456cc50b765880e04e1c' + 1, X'308204a40201000282010100aba9b87a9452a4ae7ec12d8d24d91244c5b131965d09306682db00f3656783d5d03c758eedf146f56d8d01cddd3b31e88b01d493b793f74c131c2db5b78103c1caa0a630f82146f3ee9759453eb414f9c65c1ae6c755507228f0e9f5c7b45bdecf910e1276fd8bc27ff1f5dda3ada86f8bed7cadecec11419371e06c7ad2c814d9986bf56b0cb2558941e4bddaf6ba52219837873aa91372ad2f734d9109d3289bb5f961774ecb2dc833fa31ea09d51c3cae20f3e4c7f070ad7a4d27d9046edc87db10cfa2e846998d426ad64a7a93d1c0220291e3cafd1d5937cc1b16241a3ab31527f3f6af14ce78bddc03f0d00294d9fdc686c45ec3b78f01a58dce666f8d020301000102820100426a6be1a1394855eadcbacefd0eaf2ec47e05fd7309771c724c6155ca49fe8bdf01454a836cf2534a8b5fc35270f0a25405e54531a5a1ec610869f700847dfba075ff56bae9c515e39dd300237e710f225bc85cb98a9c914e9dc7273c98df62995439e992f80df6b6a1daca61e5726195f5d0634a631b5a0fbde3629532b00e1ed0a7024d324f65a513ef5e7cb4ee5e8648402c7e21ca3a2f0a7c242999616da97d493d728f5d8ba502979d02f80e5172fa6c13b0997170b3100ab3d3a785cf88a6810bb34122da79dba917bedcc8f775de70f637bf9819f5ab58a6dda8632e42799face41665ff78ae53ac423c82cdb1c8788b49b174fe0c1293d12c04210102818100d6672852209839c41c03e16d48ef1bcb34aed2e4193b5712fd5112e666ed448b8ba37dcbd0fd326d59c121f93789a06aef4194f7c5e3842194c0dc100d09becdb2cafa9fa3fb82f66b2be3b4e579aa5d1bda093a7b2459a17d787afb26c42d8e16a1a6183f9578f378a4ff90dfd40c085bdfdba04cb4a1f25d09e4c00eb51b7d02818100ccf7c72e9de24fdc4baa9a7dccff63da6f53b3a9bafd4cf3b9ace9ce5eeb60c94b91de9f05606ab90e3aa9b3b95aff923bbc9969653b3ae5867bace78355564ab2c166544c7eefb37b5b8411335d79d448f39f27bf56cc9479adf7e4626603a065eec7dc3e1d2e986b42b242f2d96c68fd0659845991feb89fedfb2995f6415102818100c8a7266f261e1101de0e2bacf1730599f9a61bac6988c586fa18240e0909c8faa826cc163172a4fcfde0e800aadf5c88777df302a7eab3c011cd24a6c8ecf3eae2876062833f6163690d5c3ff1fb195ba6333a2bc70f4feaf8d8069081c95bb0fcb13016c57b08052445970068d9b4a1260aad2aaa5eeaa93e358225d41ddea90281801d21feb296884b37919daf15c0647069e4b6edeb6b0383c384999a25d601f8a0c3d7f8df7b6127ea23a69ce649ab3076357d6a04bbf9be364f7616ae555174d16b34e7f98561e96a06578c9ef1411106e65392449102a2535c3428eed23993bc61a09dd1a5167abff946e295777505deaa5013bb270c043b73a7dcb21d7981f102818100aeb7b4ac389d03b60a738dab58cca061e375a0c236de47245ec93e8e5ae3e22d488a41837c5b9a1da59e75ce8aef171bba8843230335ecd24d736cce3f11a430c1ab5311917465031832f9b8e9fd277613777d8d0ed04358cd9112e43adf0a06e83e59ab5a855ec54df11030963bc84ed1f2e6c2a20af05e0453c072395b0772' ); INSERT INTO private_key_identity ( diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql~ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql~ new file mode 100644 index 000000000..4040b955f --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql~ @@ -0,0 +1,190 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=Research CA */ + 9, X'3051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b5265736561726368204341' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Research, CN=Research CA' */ + 11, X'e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420'); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, OU=Research, CN=Research CA' */ + 11, X'c71449851517718914a496532a1ee801b21c6aa5'); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' */ + 11, X'5da9f9ef80718d3a883938e2de6e6624989fdf69' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b8308202a0a003020102020100300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303130303131385a170d3139303930373130303131385a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381b23081af30120603551d130101ff040830060101ff020101300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d01010b0500038201010023929aa101b412d1f5a577532088f209b34798a72ed7bd6945d74beaa2b3a1768764ad7f8b0df8d97a1a3ed1102e92a5f107e3059dc2250be49d02261ca83a342e0e5de7d43c37744e3fcea3197720ca1184d4ef94e6beeb0d241746b0b92b7fb1004c08e88bf9eb4ce60f3e149466f3e9fc3f98bce449f448f9d465e52b59f0101e6203cfad0d89e23509fa043d4c12021e8f32be7db8b2edbada641d64aa1a04af64a2ee5b814a753dd76b30e3de04f3c6b61166e632f8364d51cf3730a9564a4d93b9227c28b09b0f5595d92a632f72fe509a129ca9ee54df2b0edc6c3d38564f10256efcd8be82b2ec64977e3a6f5ef098eaa7f00662a6cded16cb80637c' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=Research CA */ + 1, 1, X'308203c1308202a9a003020102020120300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3130303430363039353335305a170d3139303430343039353335305a3051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b526573656172636820434130820122300d06092a864886f70d01010105000382010f003082010a0282010100b639b23aa6e0075b58a73f4fb25a856a72f71b5d3db1e780137a95b9e961a1dfaf19c6b2f9831421591c277b7a046a43f02e2471dc12fdc351d7c9596032a559d4bdd95ca79f21063a717d33d73fd203071cd0690c94cec13120658e5546367bbc49e412819d7564a24de1b58e07af519da8d87edcb1266de809067813452471e0f289e7814efdbefc2d4cc1fab331af3c70fe59c8f2312602d2a5ba043b73d6ae31e142cfe3669527e74a85a11cde6a9bed2234acb40bedb922e13c36afa2de3b41888f01c01a87637bb622e7e5521f4d73d77f47abc6b113cc1ecdf45f51dafe6d14838f78fb0c2ac1f1016518f3c4c98c17fd521b82351374c3389decae390203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e04160414e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d01010b050003820101008d6da16d1b2dcc815c0a3215e2ca1b2e1289b70d059b3fae80a173051abf47e8c8b74260c60528478738bbc8b1322389fa58e0c3f2dd20604395e972ce6f385c16f7b8cce987c1caa8f1e3eeea4c1a8e68b31705b789dcb230432262ae9a8767396c3ac71c8710a370c00c3ce0469968e974ea942e82e5c17f44161040dab11907589a9a06d4279339791344b9b9bcc51e816b0ff4391cffb6dfadc42f63c5c8c7a099ce155d2cb3b5ecddddf63ea86f286801c6354b672ab7cc3feb306db15d5c8a3d4e3acde94c08fd5476c33adad2f5730022e2ca246b4d8642b3ffaf00611eddb66c930de2036ce4d4af8537638e0c156332eeeb7205601bd6f2c1668992' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org */ + 1, 1, X'3082042c30820314a00302010202010b300d06092a864886f70d01010b05003051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b5265736561726368204341301e170d3135303432363130323530345a170d3139303430333130323530345a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100aba9b87a9452a4ae7ec12d8d24d91244c5b131965d09306682db00f3656783d5d03c758eedf146f56d8d01cddd3b31e88b01d493b793f74c131c2db5b78103c1caa0a630f82146f3ee9759453eb414f9c65c1ae6c755507228f0e9f5c7b45bdecf910e1276fd8bc27ff1f5dda3ada86f8bed7cadecec11419371e06c7ad2c814d9986bf56b0cb2558941e4bddaf6ba52219837873aa91372ad2f734d9109d3289bb5f961774ecb2dc833fa31ea09d51c3cae20f3e4c7f070ad7a4d27d9046edc87db10cfa2e846998d426ad64a7a93d1c0220291e3cafd1d5937cc1b16241a3ab31527f3f6af14ce78bddc03f0d00294d9fdc686c45ec3b78f01a58dce666f8d0203010001a38201043082010030090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145da9f9ef80718d3a883938e2de6e6624989fdf69306d0603551d23046630648014e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420a149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820120301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730370603551d1f0430302e302ca02aa0288626687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f72657365617263682e63726c300d06092a864886f70d01010b050003820101004e05096d72fcdded75173a3e5c6310db815fc5d52f95ec7d21c9e73599e3b32e1c61a521a1f748d402243a1761ed1e22f5db5d7db14b2d0477a9cda398bf6e6dd40ff3716265940e5d7e795d5e7f19be04e20d93d9953c6a16f2f99cd0b047088c67a8b7b7d17dbc54adc8e720ac5977b26c412691e39accacd714390a454f6d76baba2352782b12801e682e54484897b05d753fae7851e8d1f0309ccf02e2e1006f8d14c7ddb70c0b9ec58ec5add67fca081d3c752d288c3f93fba94deffd4ac8bade7913729d7cdcd460259f91b4dc8bf09bd493153d6662390130e098fb78a110ea73951f695825a5f69ef6f1d6f79a4d15b039b58dd39fdcf2b55ddd8f27'); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 7 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 8 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' */ + 1, X'308204a40201000282010100aba9b87a9452a4ae7ec12d8d24d91244c5b131965d09306682db00f3656783d5d03c758eedf146f56d8d01cddd3b31e88b01d493b793f74c131c2db5b78103c1caa0a630f82146f3ee9759453eb414f9c65c1ae6c755507228f0e9f5c7b45bdecf910e1276fd8bc27ff1f5dda3ada86f8bed7cadecec11419371e06c7ad2c814d9986bf56b0cb2558941e4bddaf6ba52219837873aa91372ad2f734d9109d3289bb5f961774ecb2dc833fa31ea09d51c3cae20f3e4c7f070ad7a4d27d9046edc87db10cfa2e846998d426ad64a7a93d1c0220291e3cafd1d5937cc1b16241a3ab31527f3f6af14ce78bddc03f0d00294d9fdc686c45ec3b78f01a58dce666f8d020301000102820100426a6be1a1394855eadcbacefd0eaf2ec47e05fd7309771c724c6155ca49fe8bdf01454a836cf2534a8b5fc35270f0a25405e54531a5a1ec610869f700847dfba075ff56bae9c515e39dd300237e710f225bc85cb98a9c914e9dc7273c98df62995439e992f80df6b6a1daca61e5726195f5d0634a631b5a0fbde3629532b00e1ed0a7024d324f65a513ef5e7cb4ee5e8648402c7e21ca3a2f0a7c242999616da97d493d728f5d8ba502979d02f80e5172fa6c13b0997170b3100ab3d3a785cf88a6810bb34122da79dba917bedcc8f775de70f637bf9819f5ab58a6dda8632e42799face41665ff78ae53ac423c82cdb1c8788b49b174fe0c1293d12c04210102818100d6672852209839c41c03e16d48ef1bcb34aed2e4193b5712fd5112e666ed448b8ba37dcbd0fd326d59c121f93789a06aef4194f7c5e3842194c0dc100d09becdb2cafa9fa3fb82f66b2be3b4e579aa5d1bda093a7b2459a17d787afb26c42d8e16a1a6183f9578f378a4ff90dfd40c085bdfdba04cb4a1f25d09e4c00eb51b7d02818100ccf7c72e9de24fdc4baa9a7dccff63da6f53b3a9bafd4cf3b9ace9ce5eeb60c94b91de9f05606ab90e3aa9b3b95aff923bbc9969653b3ae5867bace78355564ab2c166544c7eefb37b5b8411335d79d448f39f27bf56cc9479adf7e4626603a065eec7dc3e1d2e986b42b242f2d96c68fd0659845991feb89fedfb2995f6415102818100c8a7266f261e1101de0e2bacf1730599f9a61bac6988c586fa18240e0909c8faa826cc163172a4fcfde0e800aadf5c88777df302a7eab3c011cd24a6c8ecf3eae2876062833f6163690d5c3ff1fb195ba6333a2bc70f4feaf8d8069081c95bb0fcb13016c57b08052445970068d9b4a1260aad2aaa5eeaa93e358225d41ddea90281801d21feb296884b37919daf15c0647069e4b6edeb6b0383c384999a25d601f8a0c3d7f8df7b6127ea23a69ce649ab3076357d6a04bbf9be364f7616ae555174d16b34e7f98561e96a06578c9ef1411106e65392449102a2535c3428eed23993bc61a09dd1a5167abff946e295777505deaa5013bb270c043b73a7dcb21d7981f102818100aeb7b4ac389d03b60a738dab58cca061e375a0c236de47245ec93e8e5ae3e22d488a41837c5b9a1da59e75ce8aef171bba8843230335ecd24d736cce3f11a430c1ab5311917465031832f9b8e9fd277613777d8d0ed04358cd9112e43adf0a06e83e59ab5a855ec54df11030963bc84ed1f2e6c2a20af05e0453c072395b0772' + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 7 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 8 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'home', 1, 7, 9 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql index 91ddf011b..eae9b598a 100644 --- a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql @@ -45,7 +45,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data ) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org' */ - 11, X'671081ec8703e10c31abdf12d53275046eba1522' + 11, X'81c0c1dfa134c6f60e0b9a42ff901977b6145fc7' ); INSERT INTO identities ( @@ -71,7 +71,7 @@ INSERT INTO certificates ( INSERT INTO certificates ( type, keytype, data ) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org */ - 1, 1, X'3082041c30820304a003020102020105300d06092a864886f70d01010b0500304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c6573204341301e170d3130303430373039343234315a170d3135303430363039343234315a3056310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c6573311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ceda8649bdc7f5787a238c620e49ac3795918ca9c441f49166c4a2d2e991edad63cac56f3202ca9e69368403099034e30579dd11e9a72e25de9b136ae16a77c74660a4d582eb2d6495963a27b4fbebfe18869208b3c1c0d7e66220012160291eab2fd42cf934a9aeb22ba31ad8528b102e30cfa3816e385cb6a2f356cc7128390b6a2be7275e9b5fc08236c0aaf3a05aeb89ba2b5329b1ebf944a9cecf4132d56c018602e68a96518003072bac8f4d168e71cbc556b3a98b56dfa6b29792b098b7ab10a038db7e1799fed2b25b6889f966c7d25b00e0d6cf8b5b3fe7face207fb5e8219f6a75e266f67b35bc4bc9bf1f7cf2171710d3aa24bcc05ade45947ce70203010001a381ff3081fc30090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414671081ec8703e10c31abdf12d53275046eba1522306d0603551d230466306480145f9b1346f92072c800d588b5a74c2e97ea0b9328a149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820121301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f73616c65732e63726c300d06092a864886f70d01010b05000382010100791f98e3a7d2ef103c89a7fdf1ec26aa3a12014a5e67de0ece8b58174f91872c187dfe5e62e92c24d5e7b2da8333a4782c743a202f2b65bf344a5eea49019b79c5669be48ec17e27214425786cebad37f17c0e2342846d129d81018b3462e4ad3a2c069db434f434bbfb884fc8e3d35b13c39daa7113d731eaf3699bb556421339917be726941ec47840840fe1b14ce9d82d159e2a0f80588138fdf2cdeecd1eabde25494b729bbd4b67d92630c007908c846db96f5486bb9398f84fa8f45f03cf71854c4a3a20a9ecdefaa6dfdc443e26446519dccbff5ed3a0b5989d5c242ea4039fa07e45fc273e4d845e776eb4facdcfa0b75b2ef334d9e272202d5c0abe' + 1, 1, X'3082041c30820304a003020102020109300d06092a864886f70d01010b0500304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c6573204341301e170d3135303432363130323232305a170d3139303430333130323232305a3056310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c6573311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100bcd9eb80441d113a64758fcf6928fd29e36b83cf8c0b0087fd23e4504ea28c89fefb2ca16996a38b926b037cfdc9afac8b447fe0f8f1b20c23baaaf1011578806eb78ca3a638b58c2bd111d3f00fafd2a65df9e615d76a67096d19da3d8660e20508a611dbef2b85cae27036058fa92746f9828fb93f88086c750de461a1d6edf847ff490c2bd7d471e721898abf81110f94db3839ca0e347b293deaf10cbe0c49dd8e2fb66353562e8b7c5ceca7a82356f488b466cefce74c33575833d64926e1076d7b49dd95442efa049b4bbb8cf8054f120774646636dde7005761ec36d08679c8ff3a7b10e33f3e81220a25fc04a9eba656c49b6629a5968e667f797b8f0203010001a381ff3081fc30090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e0416041481c0c1dfa134c6f60e0b9a42ff901977b6145fc7306d0603551d230466306480145f9b1346f92072c800d588b5a74c2e97ea0b9328a149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820121301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f73616c65732e63726c300d06092a864886f70d01010b05000382010100b955fba1ace12b097ea795f9f38172011e17964df72ea1b373d5c45ab5d2064595412c892d9108c006c5fadadd307022788143204f40f1811fdb6500eff6da79aba6e8e5724cf9b164b9fd0d88f99efb0f4eafe55872eca29631e71c5deb8a12b66453815e5da463aebbb6218530bdc18e16984151c0d19b127dedc0bb171c92ed14db974934bab5f804e3783bb27bcfcd26a4bde5805c319cd68b01bf5603059827a2ca00286d69889362ce8a3145a4d376c920a22e29ae790a7f0cede405d5a585a7a5dc47bd9640396eaa05721a5b1c7f1e40ac8e2e14670762e4fd1842de61881635b5dbbb0976375692ba3250b7a99d42cbc90400ea3cbeb44bb85d9d82' ); INSERT INTO certificate_identity ( @@ -127,7 +127,7 @@ INSERT INTO certificate_identity ( INSERT INTO private_keys ( type, data ) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org' */ - 1, X'308204a50201000282010100ceda8649bdc7f5787a238c620e49ac3795918ca9c441f49166c4a2d2e991edad63cac56f3202ca9e69368403099034e30579dd11e9a72e25de9b136ae16a77c74660a4d582eb2d6495963a27b4fbebfe18869208b3c1c0d7e66220012160291eab2fd42cf934a9aeb22ba31ad8528b102e30cfa3816e385cb6a2f356cc7128390b6a2be7275e9b5fc08236c0aaf3a05aeb89ba2b5329b1ebf944a9cecf4132d56c018602e68a96518003072bac8f4d168e71cbc556b3a98b56dfa6b29792b098b7ab10a038db7e1799fed2b25b6889f966c7d25b00e0d6cf8b5b3fe7face207fb5e8219f6a75e266f67b35bc4bc9bf1f7cf2171710d3aa24bcc05ade45947ce702030100010282010100994a9a0fd5c37466f6e49729277b7353b1d4ae10352fc785654a3d7bddb9d610138ef62744418b543f9635d86662e6be82955fbde190920360673dc98c0931808ce81bdf5a68dc37d91efe33e4cc7883d23b0fc7c126c9b975b2ac130a5fcfb9399575406ae19b09aa61ea3a7fab140146a9c7865ce9887d349fa78360784f1c3a051defaf19b9e35b324ab2fb3a119897a5f27f58a7757906a1b0617b83ef6a579c6ac2c84204a7f6e4b6765e376f643b7bf074b886c49a4ad9de99eb4af4d549189aa62f37a1435ea645702bf186e4f60eff312161a7018f1a372a9b6fecccbe02b3d20cb584b18aba18dd02fe0d9c9d1bdf8af60e4d17b95795b117f475d102818100e76e0922daa0426c8196ad867cbd912b01b4399302e89566e92a45d3230cdd88d243ac46c2300841750c8bc5b17ee77c790abdef3e5f24dcd39cbb2d35e65f50048cc83315e97bbb2e478d2ec0b096604e2a690bc83f9768c6abeb39f73013359d9e97d43d75b78ada505dad5cbe8ea3484dd4207bd0628057e159b90018544f02818100e4d089fdbe62b874cc33cee7723a91285e85a66f36d3e64319a686f1f81c6318f04c916a314e48ca55d70dd5603b93038eefca897ef74056318f19b25ad7abe066c31da87127367dec9461c2683a844bfdbf9bd65636567a20dc7b390502ec50bcc7770904b8af308e3c3583892cb8831b5ff5fd9c4bc9b34c5e9b387b26efe902818008d236e2ef366091c636ba12803ab187d41ecc7b0007617a74b4b9c89c73671649fd6e599c193c975220d24b0cc2eb8be10939c81eb67daf3519aa40c4e72d06ddc587f3fa87d5c182b813778ebcac5eab5c0e78f67f0604665e332f186eeaac867f7f0605f9b0af4836fbfb19a7e1c3f38393ec510bd655520432e94c49a11d02818100c9b9988e5e34c68e222162bde59500b8686cc7c8b0bbabfb6837ca2cb522c1b310d7503420f7f5707cb135fef1f253b0056a1e538dde099873e4c730d8a9df5bdcfd13be96d38d550327e5eff0d7f61ed0bd0674b658fd707a5c273ea3ce69ecdc21b62dfb3d9f25dd9ff345ddbfd183b4b4ab38457d037bd14e6ee6229cb75102818100991ff421b606875609ed9f629b8e0c4d2cfa1fb6d39e62038ccdfff8857275256015bcdca151bae2c4397c856230bb73f4f1c345129bb3c4c1ce9cbb0bfc02d6a46aa6af48d7b20d490cef9b70e96763e547449e3767407cef57b6413bddc11f7ff808ec958ea2ecbfbdcce2cdf45e9a75a534ae548b6f457b4425182f53c97d' + 1, X'308204a40201000282010100bcd9eb80441d113a64758fcf6928fd29e36b83cf8c0b0087fd23e4504ea28c89fefb2ca16996a38b926b037cfdc9afac8b447fe0f8f1b20c23baaaf1011578806eb78ca3a638b58c2bd111d3f00fafd2a65df9e615d76a67096d19da3d8660e20508a611dbef2b85cae27036058fa92746f9828fb93f88086c750de461a1d6edf847ff490c2bd7d471e721898abf81110f94db3839ca0e347b293deaf10cbe0c49dd8e2fb66353562e8b7c5ceca7a82356f488b466cefce74c33575833d64926e1076d7b49dd95442efa049b4bbb8cf8054f120774646636dde7005761ec36d08679c8ff3a7b10e33f3e81220a25fc04a9eba656c49b6629a5968e667f797b8f020301000102820100079e7315d5a9a68c488945a8048216d49dcc34a126f13ab041d234dfd88c4e4732f64732abe3dbed4196f7a90f4417c64a481530aa5a75e86f789474ecaa45164961365753d96dd99ddaed71337a2e89bd14858476d51e01d22b88a3795ff680a7db5577dafba731daa1900d5de411daf7ce112a633ae0ee161212e167def3a0cc5bbb3e065853d6f85d0fe7955697207fb432aae3c7d5ac70b151fbd67d58f1f1f65ccbe768200280921e56bf3564def51657617f0fc7c1e8e6bc49df7217bdd4380364a2379b3a0614cc05f0b84d5bdd72311442908d8d6e2eb3d5d411043a45266bec230375aa78acb10d7d1e751a23079430d15a4c6a7debc82581d7a46102818100edc6707a7610fc83764a6044302092878e41e84de990823eca82da736a614154568b4c8ec0bc292f60625a7f879d274ef9de386a247af4ca53178a447816ecd9b38453544ee72c14f3691b534273aeed677e3629933a8f54511e16c859b9ba8edf8e5c50cb27944090b26b0398c765951897b23d781a9df0f08215c72650e36d02818100cb53823e5c2baf9ecf121416c23461a6aa4f3bd083dbae66effed1bba4c38dd3f0f7c00dc4d9f4d69464e17d95705a742028156ffa2b17d41930fca7b4646cf66d9fcca198913018417d57c8286f2b7bd249d6350e02b62910105db1e5d70e55a866dde904dc2298c5dda344f637418fb33e573508d00176d5c79651b283016b02818100d714d395d2cad6bfcbf6c751a6ff2fccb2dfe754e2dbb7153976584862880ae2514ebc37bd1bf75d45a072203df9e81ec6633f40b4330ccf1f8e81a221c70b047a204e884abf4ddebdb7ebe1ca907e417d866b53fc3bd27f00c968ee5e4b64f7ec3d084085240e34c12ec32283c68a9aed9dfabb23b35fff1c6f6f67afbf279902818100c6dfc997014461a4add97af8bfbfc87be23d59be1c1af5bd0da56ab364f73974424fb1f445c5022c183d8c28efd053491e62d6850e66b409eb11f52e7bcd769e9a9f20e2367e5c527d4c025e6ede3de400cde3cd4504f5f3b818a9ec656932462a4f63629634534aa6cea0f1c4fa4b10293c22c466f83d5664c7b189fb57143d0281807d11912b6f18a0363dea94b10c36811880f0917eb334fe7ff55e05d39d1784c6b5fe80b0f0a9d7432fd55030fa0d27a70559dbb5b477ab2670f4c3b0b736a22051b3856c0d06f47b247e2bd7b11570947effdb53557b6c36980b4ad2c00a98d98ea71ebe96bc16038e0f91d7f86a84b407c7a19af727558963d96e75a22498fb' ); INSERT INTO private_key_identity ( diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql~ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql~ new file mode 100644 index 000000000..656a5adea --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql~ @@ -0,0 +1,193 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA */ + 9, X'304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c6573204341' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA' */ + 11, X'5f9b1346f92072c800d588b5a74c2e97ea0b9328' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA' */ + 11, X'c9ca6b980be96d5f210d7fed1529eb6c567ec26c' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org' */ + 11, X'81c0c1dfa134c6f60e0b9a42ff901977b6145fc7' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b8308202a0a003020102020100300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303130303131385a170d3139303930373130303131385a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381b23081af30120603551d130101ff040830060101ff020101300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d01010b0500038201010023929aa101b412d1f5a577532088f209b34798a72ed7bd6945d74beaa2b3a1768764ad7f8b0df8d97a1a3ed1102e92a5f107e3059dc2250be49d02261ca83a342e0e5de7d43c37744e3fcea3197720ca1184d4ef94e6beeb0d241746b0b92b7fb1004c08e88bf9eb4ce60f3e149466f3e9fc3f98bce449f448f9d465e52b59f0101e6203cfad0d89e23509fa043d4c12021e8f32be7db8b2edbada641d64aa1a04af64a2ee5b814a753dd76b30e3de04f3c6b61166e632f8364d51cf3730a9564a4d93b9227c28b09b0f5595d92a632f72fe509a129ca9ee54df2b0edc6c3d38564f10256efcd8be82b2ec64977e3a6f5ef098eaa7f00662a6cded16cb80637c' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales CN=Sales CA */ + 1, 1, X'308203bb308202a3a003020102020121300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3130303430363039353433335a170d3139303430343039353433335a304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c657320434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c24e4d26998c37b9511fa125ba1d704e34581c569beaf41620fe14b736734847fd07169b55dfaa773da9a3cf1a8c4ed817f05e01441df39d4331c6bad861b2f74c3e49963f5677b83af0b1caab98bcaae0923cedec527a7d608260951226f9e53e1f371ad320625aa1ee899fdbfd6701b607e52bde7140ff075c91276a27173a5cbf4329c464dd3c59b6ff52b837ed13d1bbf3b3ba3c94b27f2518865773d4465ee4f4ec52801b049d030d7271df9eb6903b5f41dc1ecdab742c0c8eb1569b62aff41bf7c16702cb7abe2a185dbedc2b2f3fb8cd5e785161e4afdbee22da602381b0512350378aaa14dcdab5bcf02aceb7a4388fd157d1eb7bd2f5afc5f574810203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145f9b1346f92072c800d588b5a74c2e97ea0b9328306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d01010b0500038201010024654ea5cc8c7cbbafbad69eaff4f721674dde9dfb2e8a9078fd92f612039abbc587663f7238f983f6aa93e762349ec9f302978648c8c5e77d46f3e4ebee5e9e12092d2021427a98aebee5fd5add449d07809ed0e7789a45084262f32850914aa7615a8573349ae5f814f56b977df9a2d600be52da9a94a103e01bae0c3e0872dd2c946f8a817a9964dc9751ffa3a00392d078db4b888ed8fdd6cc33646f9f6f38448231a764ea3761eea7a04d2c7bfa7cb8b1749a4cfa71bb6631987feedd9ee63a64386f22dd7ccebff69f510b0503e13394a3621190219566373343aca19500ab5ae4b1bc0700468b4b9773d7c15d645c7df237375fc8663fe86f9b775828' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org */ + 1, 1, X'3082041c30820304a003020102020109300d06092a864886f70d01010b0500304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c6573204341301e170d3135303432363130323232305a170d3139303430333130323232305a3056310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c6573311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100bcd9eb80441d113a64758fcf6928fd29e36b83cf8c0b0087fd23e4504ea28c89fefb2ca16996a38b926b037cfdc9afac8b447fe0f8f1b20c23baaaf1011578806eb78ca3a638b58c2bd111d3f00fafd2a65df9e615d76a67096d19da3d8660e20508a611dbef2b85cae27036058fa92746f9828fb93f88086c750de461a1d6edf847ff490c2bd7d471e721898abf81110f94db3839ca0e347b293deaf10cbe0c49dd8e2fb66353562e8b7c5ceca7a82356f488b466cefce74c33575833d64926e1076d7b49dd95442efa049b4bbb8cf8054f120774646636dde7005761ec36d08679c8ff3a7b10e33f3e81220a25fc04a9eba656c49b6629a5968e667f797b8f0203010001a381ff3081fc30090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e0416041481c0c1dfa134c6f60e0b9a42ff901977b6145fc7306d0603551d230466306480145f9b1346f92072c800d588b5a74c2e97ea0b9328a149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820121301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f73616c65732e63726c300d06092a864886f70d01010b05000382010100b955fba1ace12b097ea795f9f38172011e17964df72ea1b373d5c45ab5d2064595412c892d9108c006c5fadadd307022788143204f40f1811fdb6500eff6da79aba6e8e5724cf9b164b9fd0d88f99efb0f4eafe55872eca29631e71c5deb8a12b66453815e5da463aebbb6218530bdc18e16984151c0d19b127dedc0bb171c92ed14db974934bab5f804e3783bb27bcfcd26a4bde5805c319cd68b01bf5603059827a2ca00286d69889362ce8a3145a4d376c920a22e29ae790a7f0cede405d5a585a7a5dc47bd9640396eaa05721a5b1c7f1e40ac8e2e14670762e4fd1842de61881635b5dbbb0976375692ba3250b7a99d42cbc90400ea3cbeb44bb85d9d82' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 7 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 8 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org' */ + 1, X'308204a40201000282010100bcd9eb80441d113a64758fcf6928fd29e36b83cf8c0b0087fd23e4504ea28c89fefb2ca16996a38b926b037cfdc9afac8b447fe0f8f1b20c23baaaf1011578806eb78ca3a638b58c2bd111d3f00fafd2a65df9e615d76a67096d19da3d8660e20508a611dbef2b85cae27036058fa92746f9828fb93f88086c750de461a1d6edf847ff490c2bd7d471e721898abf81110f94db3839ca0e347b293deaf10cbe0c49dd8e2fb66353562e8b7c5ceca7a82356f488b466cefce74c33575833d64926e1076d7b49dd95442efa049b4bbb8cf8054f120774646636dde7005761ec36d08679c8ff3a7b10e33f3e81220a25fc04a9eba656c49b6629a5968e667f797b8f020301000102820100079e7315d5a9a68c488945a8048216d49dcc34a126f13ab041d234dfd88c4e4732f64732abe3dbed4196f7a90f4417c64a481530aa5a75e86f789474ecaa45164961365753d96dd99ddaed71337a2e89bd14858476d51e01d22b88a3795ff680a7db5577dafba731daa1900d5de411daf7ce112a633ae0ee161212e167def3a0cc5bbb3e065853d6f85d0fe7955697207fb432aae3c7d5ac70b151fbd67d58f1f1f65ccbe768200280921e56bf3564def51657617f0fc7c1e8e6bc49df7217bdd4380364a2379b3a0614cc05f0b84d5bdd72311442908d8d6e2eb3d5d411043a45266bec230375aa78acb10d7d1e751a23079430d15a4c6a7debc82581d7a46102818100edc6707a7610fc83764a6044302092878e41e84de990823eca82da736a614154568b4c8ec0bc292f60625a7f879d274ef9de386a247af4ca53178a447816ecd9b38453544ee72c14f3691b534273aeed677e3629933a8f54511e16c859b9ba8edf8e5c50cb27944090b26b0398c765951897b23d781a9df0f08215c72650e36d02818100cb53823e5c2baf9ecf121416c23461a6aa4f3bd083dbae66effed1bba4c38dd3f0f7c00dc4d9f4d69464e17d95705a742028156ffa2b17d41930fca7b4646cf66d9fcca198913018417d57c8286f2b7bd249d6350e02b62910105db1e5d70e55a866dde904dc2298c5dda344f637418fb33e573508d00176d5c79651b283016b02818100d714d395d2cad6bfcbf6c751a6ff2fccb2dfe754e2dbb7153976584862880ae2514ebc37bd1bf75d45a072203df9e81ec6633f40b4330ccf1f8e81a221c70b047a204e884abf4ddebdb7ebe1ca907e417d866b53fc3bd27f00c968ee5e4b64f7ec3d084085240e34c12ec32283c68a9aed9dfabb23b35fff1c6f6f67afbf279902818100c6dfc997014461a4add97af8bfbfc87be23d59be1c1af5bd0da56ab364f73974424fb1f445c5022c183d8c28efd053491e62d6850e66b409eb11f52e7bcd769e9a9f20e2367e5c527d4c025e6ede3de400cde3cd4504f5f3b818a9ec656932462a4f63629634534aa6cea0f1c4fa4b10293c22c466f83d5664c7b189fb57143d0281807d11912b6f18a0363dea94b10c36811880f0917eb334fe7ff55e05d39d1784c6b5fe80b0f0a9d7432fd55030fa0d27a70559dbb5b477ab2670f4c3b0b736a22051b3856c0d06f47b247e2bd7b11570947effdb53557b6c36980b4ad2c00a98d98ea71ebe96bc16038e0f91d7f86a84b407c7a19af727558963d96e75a22498fb' + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 7 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 8 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'home', 1, 7, 9 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat index 6d56ede09..7958f0928 100644 --- a/testing/tests/sql/rw-cert/pretest.dat +++ b/testing/tests/sql/rw-cert/pretest.dat @@ -13,6 +13,6 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::sleep 3 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/tkm/host2host-initiator/evaltest.dat b/testing/tests/tkm/host2host-initiator/evaltest.dat index de50ab32b..cf34e411c 100644 --- a/testing/tests/tkm/host2host-initiator/evaltest.dat +++ b/testing/tests/tkm/host2host-initiator/evaltest.dat @@ -9,8 +9,8 @@ moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES -moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES +moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES moon::DAEMON_NAME=charon-tkm ipsec down conn1 && sleep 1::no output expected::NO moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES moon::cat /tmp/tkm.log::Resetting ESA context 1::YES -moon::cat /tmp/tkm.log::Deleting SA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES +moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES diff --git a/testing/tests/tkm/host2host-responder/evaltest.dat b/testing/tests/tkm/host2host-responder/evaltest.dat index d8d44dff6..bc04360a4 100644 --- a/testing/tests/tkm/host2host-responder/evaltest.dat +++ b/testing/tests/tkm/host2host-responder/evaltest.dat @@ -9,4 +9,4 @@ moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES -moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES +moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES diff --git a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat index f5143f19a..6b9050a84 100644 --- a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat +++ b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat @@ -10,5 +10,5 @@ moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES -moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES +moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES diff --git a/testing/tests/tkm/multiple-clients/evaltest.dat b/testing/tests/tkm/multiple-clients/evaltest.dat index 1f0c88b53..89da7646d 100644 --- a/testing/tests/tkm/multiple-clients/evaltest.dat +++ b/testing/tests/tkm/multiple-clients/evaltest.dat @@ -18,5 +18,5 @@ sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES sun::cat /tmp/tkm.log | grep "Checked CA certificate of CC context 1" | wc -l::2::YES sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES -sun::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES -sun::cat /tmp/tkm.log::Adding SA \[ 2, 192.168.0.2 <-> 192.168.0.200, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES +sun::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES +sun::cat /tmp/tkm.log::Adding ESA \[ 2, 192.168.0.2 <-> 192.168.0.200, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES diff --git a/testing/tests/tkm/net2net-initiator/evaltest.dat b/testing/tests/tkm/net2net-initiator/evaltest.dat index 8d4794f0d..80492a93c 100644 --- a/testing/tests/tkm/net2net-initiator/evaltest.dat +++ b/testing/tests/tkm/net2net-initiator/evaltest.dat @@ -9,4 +9,4 @@ moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES -moon::cat /tmp/tkm.log::Adding SA \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES +moon::cat /tmp/tkm.log::Adding ESA \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES diff --git a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat index 98eff247f..6c5d8b3cb 100644 --- a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat +++ b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat @@ -10,5 +10,5 @@ moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES -moon::cat /tmp/tkm.log::Adding SA \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES +moon::cat /tmp/tkm.log::Adding ESA \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES diff --git a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat index 96b486a07..21d198cd5 100644 --- a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat +++ b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat @@ -15,8 +15,8 @@ moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES -moon::cat /tmp/tkm.log | grep 'Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 2, hard 60 \]' | wc -l::2::YES +moon::cat /tmp/tkm.log | grep 'Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 2, hard 60 \]' | wc -l::2::YES moon::cat /tmp/tkm.log::Resetting ESA context 1::YES -moon::cat /tmp/tkm.log::Deleting SA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES +moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES moon::cat /tmp/xfrm_proxy.log::Initiating ESA expire (reqid 1, proto 50, SPI.*, hard FALSE)::YES diff --git a/testing/tests/tnc/tnccs-11-fhh/description.txt b/testing/tests/tnc/tnccs-11-fhh/description.txt index 406b163e1..8ce1157e9 100644 --- a/testing/tests/tnc/tnccs-11-fhh/description.txt +++ b/testing/tests/tnc/tnccs-11-fhh/description.txt @@ -4,7 +4,7 @@ the clients doing EAP-MD5 password-based authentication. In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the health of carol and dave via the IF-TNCCS 1.1 client-server interface. The Dummy IMC and IMV from the - + TNC@FHH project are used which communicate over a proprietary protocol.

    carol passes the health test and dave fails. Based on these measurements the diff --git a/testing/tests/tnc/tnccs-11-radius-block/description.txt b/testing/tests/tnc/tnccs-11-radius-block/description.txt index 55b63ed47..67b1a2a34 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/description.txt +++ b/testing/tests/tnc/tnccs-11-radius-block/description.txt @@ -2,7 +2,7 @@ The roadwarriors carol and dave set up a connection each to gatewa At the outset the gateway authenticates itself to the clients by sending an IKEv2 RSA signature accompanied by a certificate. carol and dave then set up an EAP-TTLS tunnel each via moon to the - + TNC@FHH-enhanced FreeRADIUS server alice authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the @@ -10,5 +10,5 @@ health of carol and dave via the IF-TNCCS 1.1 client-server The IMC and IMV communicate are using the IF-M protocol defined by RFC 5792 PA-TNC.

    carol passes the health test and dave fails. Based on these measurements carol -is authenticated successfully and is granted access to the subnet behind moon whereas +is authenticated successfully and is granted access to the subnet behind moon whereas dave fails the layered EAP authentication and is rejected. diff --git a/testing/tests/tnc/tnccs-11-radius-pts/description.txt b/testing/tests/tnc/tnccs-11-radius-pts/description.txt index f71837b6d..d5729dd7b 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/description.txt +++ b/testing/tests/tnc/tnccs-11-radius-pts/description.txt @@ -2,7 +2,7 @@ The roadwarriors carol and dave set up a connection each to gatewa At the outset the gateway authenticates itself to the clients by sending an IKEv2 RSA signature accompanied by a certificate. carol and dave then set up an EAP-TTLS tunnel each via moon to the - + TNC@FHH-enhanced FreeRADIUS server alice authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the diff --git a/testing/tests/tnc/tnccs-11-radius/description.txt b/testing/tests/tnc/tnccs-11-radius/description.txt index 83e5b96f3..4017c6eda 100644 --- a/testing/tests/tnc/tnccs-11-radius/description.txt +++ b/testing/tests/tnc/tnccs-11-radius/description.txt @@ -2,7 +2,7 @@ The roadwarriors carol and dave set up a connection each to gatewa At the outset the gateway authenticates itself to the clients by sending an IKEv2 RSA signature accompanied by a certificate. carol and dave then set up an EAP-TTLS tunnel each via moon to the - + TNC@FHH-enhanced FreeRADIUS server alice authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the diff --git a/testing/tests/tnc/tnccs-11-supplicant/description.txt b/testing/tests/tnc/tnccs-11-supplicant/description.txt index 6505750b2..5d0155382 100644 --- a/testing/tests/tnc/tnccs-11-supplicant/description.txt +++ b/testing/tests/tnc/tnccs-11-supplicant/description.txt @@ -1,7 +1,7 @@ The layer 2 supplicants carol and dave want to connect to a network via switch moon which delegates the IEEE 802.1X authentication to the RADIUS server alice. carol and dave set up an EAP-TTLS tunnel -each via moon to the TNC@FHH-enhanced FreeRADIUS server alice authenticated +each via moon to the TNC@FHH-enhanced FreeRADIUS server alice authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the diff --git a/testing/tests/tnc/tnccs-20-fhh/description.txt b/testing/tests/tnc/tnccs-20-fhh/description.txt index e68f363bb..8bf1543d2 100644 --- a/testing/tests/tnc/tnccs-20-fhh/description.txt +++ b/testing/tests/tnc/tnccs-20-fhh/description.txt @@ -3,8 +3,8 @@ using EAP-TTLS authentication only with the gateway presenting a server certific the clients doing EAP-MD5 password-based authentication. In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the health of carol and dave via the TNCCS 2.0 client-server interface -compliant with RFC 5793 PB-TNC. The Dummy IMC and IMV from the - +compliant with RFC 5793 PB-TNC. The Dummy IMC and IMV from the + TNC@FHH project are used which communicate over a proprietary protocol.

    carol passes the health test and dave fails. Based on these measurements the diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat index 3b48073e6..c3409fd66 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat @@ -9,6 +9,8 @@ alice::cat /var/log/daemon.log::certificate status is good::YES alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES alice::cat /var/log/daemon.log::received SWID tag inventory with ... items for request 3 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES +moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES @@ -17,3 +19,5 @@ alice::cat /var/log/daemon.log::received SWID tag ID inventory with ... items fo alice::cat /var/log/daemon.log::1 SWID tag target::YES alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES +moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules index 1586214d8..48b1cf5a6 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules @@ -13,10 +13,14 @@ -A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT -A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT -# allow ssh +# allow inbound ssh -A INPUT -p tcp --dport 22 -j ACCEPT -A OUTPUT -p tcp --sport 22 -j ACCEPT +# allow outbound ssh +-A OUTPU -p tcp --dport 22 -j ACCEPT +-A INPUT -p tcp --sport 22 -j ACCEPT + # allow crl fetch from winnetou -A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT -A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf index 935973c36..857e6d6d6 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf @@ -27,3 +27,8 @@ libimcv { } } } + +imv_policy_manager { + command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""' + command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""' +} diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf~ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf~ new file mode 100644 index 000000000..87dd585b6 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf~ @@ -0,0 +1,34 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = pem pkcs1 nonce x509 openssl curl revocation constraints socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + + plugins { + tnc-pdp { + server = aaa.strongswan.org + radius { + secret = gv6URkSs + } + } + } +} + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +} + +libimcv { + database = sqlite:///etc/pts/config.db + policy_script = ipsec imv_policy_manager + + plugins { + imv-swid { + rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ + } + } +} + +imv_policy_manager { + command_allow = host with IP address %s is allowed + command_block = host with IP address %s is blocked +} diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..ecd9d47aa --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf @@ -0,0 +1,3 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +# this file is not used in this scenario diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..41cf8f84b --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# this file is not used in this scenario diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..d99a4b78a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf @@ -0,0 +1,3 @@ +# /etc/strongswan.conf - strongSwan configuration file + +# this file is not used in this scenario diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf index 0887e4d09..5f4f8e725 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf @@ -18,7 +18,7 @@ TCPDUMPHOSTS="moon" # Guest instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="carol dave alice" +IPSECHOSTS="carol moon dave alice" # Guest instances on which FreeRadius is started # -- cgit v1.2.3